diff --git a/.github/workflows/k8s-deploy.yml b/.github/workflows/k8s-deploy.yml index 4809682..2a01a69 100644 --- a/.github/workflows/k8s-deploy.yml +++ b/.github/workflows/k8s-deploy.yml @@ -31,10 +31,14 @@ jobs: echo -n '' > /tmp/kube.err - name: 'Apply manifests: CRD resources' + # Server-side apply avoids the 256KB metadata.annotations limit hit by + # client-side apply's last-applied-configuration on large CRDs (e.g. + # cnpg's poolers.postgresql.cnpg.io). --force-conflicts lets us reclaim + # ownership from any prior client-side annotation during migration. run: | if [ -d ./_/CustomResourceDefinition ]; then # Capture errors and add context - dir_errors=$(kubectl apply -Rf ./_/CustomResourceDefinition 2>&1 1>>/tmp/kube.log || true) + dir_errors=$(kubectl apply --server-side --force-conflicts -Rf ./_/CustomResourceDefinition 2>&1 1>>/tmp/kube.log || true) # Filter and append errors with context if meaningful filtered_errors=$(echo "$dir_errors" | \ diff --git a/_/ClusterIssuer/letsencrypt-prod-gateway.yaml b/_/ClusterIssuer/letsencrypt-prod-gateway.yaml new file mode 100644 index 0000000..7bc3367 --- /dev/null +++ b/_/ClusterIssuer/letsencrypt-prod-gateway.yaml @@ -0,0 +1,18 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod-gateway +spec: + acme: + email: services@codeforphilly.org + privateKeySecretRef: + name: letsencrypt-prod-gateway + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - http01: + gatewayHTTPRoute: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: main-gateway + namespace: envoy-gateway-system diff --git a/_/ClusterIssuer/letsencrypt-staging-gateway.yaml b/_/ClusterIssuer/letsencrypt-staging-gateway.yaml new file mode 100644 index 0000000..c58c844 --- /dev/null +++ b/_/ClusterIssuer/letsencrypt-staging-gateway.yaml 
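Review bot: `--force-conflicts` on the new `kubectl apply --server-side` line is a standing override, not the one-time migration step the added comment describes: on every run it silently reassigns any field present in the applied CRD manifests that a different field manager currently owns. That is only safe while these manifests never carry a field another controller writes, and nothing in the step checks that. Either time-box the flag (drop it once the client-side `last-applied-configuration` annotations are gone) or make the comment accurate, e.g. `# NOTE: --force-conflicts is permanent: every run overrides any other field manager on fields present in these manifests.`. The step's `run:` block continues past the hunk.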
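Review bot: The `gatewayHTTPRoute` solver's `parentRefs` entry names `main-gateway` without a `sectionName`, so the HTTPRoute cert-manager creates for each challenge attaches to every listener on that Gateway that admits it, not only the HTTP listener that serves the ACME path; the same applies to `letsencrypt-staging-gateway.yaml` in the next hunk. Whether the Gateway's listeners allow routes from the namespaces where challenges are created is not visible on this page, and without that the solver cannot complete. Consider pinning the solver with `sectionName: <http-listener-name>` under the parentRef and confirming the listener's `allowedRoutes` covers those namespaces.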
@@ -0,0 +1,18 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging-gateway +spec: + acme: + email: services@codeforphilly.org + privateKeySecretRef: + name: letsencrypt-staging-gateway + server: https://acme-staging-v02.api.letsencrypt.org/directory + solvers: + - http01: + gatewayHTTPRoute: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: main-gateway + namespace: envoy-gateway-system diff --git a/_/ClusterRole/cert-manager-cainjector.yaml b/_/ClusterRole/cert-manager-cainjector.yaml index 4e7fec6..a5b05e3 100644 --- a/_/ClusterRole/cert-manager-cainjector.yaml +++ b/_/ClusterRole/cert-manager-cainjector.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-cainjector rules: - apiGroups: diff --git a/_/ClusterRole/cert-manager-cluster-view.yaml b/_/ClusterRole/cert-manager-cluster-view.yaml index becba24..497e123 100644 --- a/_/ClusterRole/cert-manager-cluster-view.yaml +++ b/_/ClusterRole/cert-manager-cluster-view.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true' name: cert-manager-cluster-view rules: diff --git a/_/ClusterRole/cert-manager-controller-approve:cert-manager-io.yaml b/_/ClusterRole/cert-manager-controller-approve:cert-manager-io.yaml index 9a3bb4f..6939bbc 100644 --- a/_/ClusterRole/cert-manager-controller-approve:cert-manager-io.yaml +++ b/_/ClusterRole/cert-manager-controller-approve:cert-manager-io.yaml 
@@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-approve:cert-manager-io rules: - apiGroups: diff --git a/_/ClusterRole/cert-manager-controller-certificates.yaml b/_/ClusterRole/cert-manager-controller-certificates.yaml index bfe178e..cbe29f7 100644 --- a/_/ClusterRole/cert-manager-controller-certificates.yaml +++ b/_/ClusterRole/cert-manager-controller-certificates.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-certificates rules: - apiGroups: diff --git a/_/ClusterRole/cert-manager-controller-certificatesigningrequests.yaml b/_/ClusterRole/cert-manager-controller-certificatesigningrequests.yaml index 9471492..26676d5 100644 --- a/_/ClusterRole/cert-manager-controller-certificatesigningrequests.yaml +++ b/_/ClusterRole/cert-manager-controller-certificatesigningrequests.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-certificatesigningrequests rules: - apiGroups: diff --git a/_/ClusterRole/cert-manager-controller-challenges.yaml b/_/ClusterRole/cert-manager-controller-challenges.yaml index 50e6175..d976088 100644 --- a/_/ClusterRole/cert-manager-controller-challenges.yaml +++ b/_/ClusterRole/cert-manager-controller-challenges.yaml 
@@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-challenges rules: - apiGroups: diff --git a/_/ClusterRole/cert-manager-controller-clusterissuers.yaml b/_/ClusterRole/cert-manager-controller-clusterissuers.yaml index 9c24e3e..1609202 100644 --- a/_/ClusterRole/cert-manager-controller-clusterissuers.yaml +++ b/_/ClusterRole/cert-manager-controller-clusterissuers.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-clusterissuers rules: - apiGroups: diff --git a/_/ClusterRole/cert-manager-controller-ingress-shim.yaml b/_/ClusterRole/cert-manager-controller-ingress-shim.yaml index 114fa3d..f93b0d7 100644 --- a/_/ClusterRole/cert-manager-controller-ingress-shim.yaml +++ b/_/ClusterRole/cert-manager-controller-ingress-shim.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-ingress-shim rules: - apiGroups: @@ -50,6 +50,7 @@ rules: resources: - gateways - httproutes + - listenersets verbs: - get - list @@ -59,6 +60,7 @@ rules: resources: - gateways/finalizers - httproutes/finalizers + - listenersets/finalizers verbs: - update - apiGroups: 
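Review bot: The added `listenersets` and `listenersets/finalizers` resources in the `@@ -50` and `@@ -59` hunks sit under an `apiGroups` list that is outside the hunk, so it is not visible whether that list includes `gateway.networking.x-k8s.io`; the new envoy-gateway ClusterRole later on this page serves ListenerSet as `xlistenersets` in that experimental group rather than as `listenersets` in `gateway.networking.k8s.io`. If the group list here is only `gateway.networking.k8s.io`, the grant is inert today and the resource name may not match the CRD actually installed. Confirm against the served ListenerSet CRD before relying on ingress-shim for it.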
diff --git a/_/ClusterRole/cert-manager-controller-issuers.yaml b/_/ClusterRole/cert-manager-controller-issuers.yaml index 9062995..68d49ac 100644 --- a/_/ClusterRole/cert-manager-controller-issuers.yaml +++ b/_/ClusterRole/cert-manager-controller-issuers.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-issuers rules: - apiGroups: diff --git a/_/ClusterRole/cert-manager-controller-orders.yaml b/_/ClusterRole/cert-manager-controller-orders.yaml index 77cfc14..1856dc5 100644 --- a/_/ClusterRole/cert-manager-controller-orders.yaml +++ b/_/ClusterRole/cert-manager-controller-orders.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-orders rules: - apiGroups: @@ -50,6 +50,13 @@ rules: - orders/finalizers verbs: - update + - apiGroups: + - cert-manager.io + resources: + - clusterissuers/finalizers + - issuers/finalizers + verbs: + - update - apiGroups: - '' resources: diff --git a/_/ClusterRole/cert-manager-edit.yaml b/_/ClusterRole/cert-manager-edit.yaml index 43bc488..5730851 100644 --- a/_/ClusterRole/cert-manager-edit.yaml +++ b/_/ClusterRole/cert-manager-edit.yaml 
@@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 rbac.authorization.k8s.io/aggregate-to-admin: 'true' rbac.authorization.k8s.io/aggregate-to-edit: 'true' name: cert-manager-edit diff --git a/_/ClusterRole/cert-manager-view.yaml b/_/ClusterRole/cert-manager-view.yaml index 257e1ea..e0a615a 100644 --- a/_/ClusterRole/cert-manager-view.yaml +++ b/_/ClusterRole/cert-manager-view.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 rbac.authorization.k8s.io/aggregate-to-admin: 'true' rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true' rbac.authorization.k8s.io/aggregate-to-edit: 'true' diff --git a/_/ClusterRole/cert-manager-webhook:subjectaccessreviews.yaml b/_/ClusterRole/cert-manager-webhook:subjectaccessreviews.yaml index 6c68b43..8922623 100644 --- a/_/ClusterRole/cert-manager-webhook:subjectaccessreviews.yaml +++ b/_/ClusterRole/cert-manager-webhook:subjectaccessreviews.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-webhook:subjectaccessreviews rules: - apiGroups: diff --git a/_/ClusterRole/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml b/_/ClusterRole/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml new file mode 100644 index 0000000..37b38dd --- /dev/null 
+++ b/_/ClusterRole/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml @@ -0,0 +1,31 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install, pre-upgrade + helm.sh/hook-weight: '-1' + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway-gateway-helm-certgen:envoy-gateway-system +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resourceNames: + - envoy-gateway-topology-injector.envoy-gateway-system + resources: + - mutatingwebhookconfigurations + verbs: + - update + - patch diff --git a/_/ClusterRole/envoy-gateway-gateway-helm-envoy-gateway-role.yaml b/_/ClusterRole/envoy-gateway-gateway-helm-envoy-gateway-role.yaml new file mode 100644 index 0000000..131b58e --- /dev/null +++ b/_/ClusterRole/envoy-gateway-gateway-helm-envoy-gateway-role.yaml 
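Review bot: The `helm.sh/hook: pre-install, pre-upgrade` and `helm.sh/hook-weight` annotations on this ClusterRole are inert when the manifests are applied with `kubectl apply` as the workflow on this page does, so the role — and its binding to the `envoy-gateway-gateway-helm-certgen` ServiceAccount added under `_/ClusterRoleBinding/` — become permanent objects instead of hook-lifetime ones. The rule granting `update` and `patch` on the `envoy-gateway-topology-injector.envoy-gateway-system` MutatingWebhookConfiguration is correctly narrowed with `resourceNames`, but it is now a standing grant on an admission-control object. Either strip the hook annotations and record the decision, e.g. `# Rendered from a Helm hook; applied permanently by kubectl, so the certgen SA keeps these rights between runs.`, or confirm the certgen Job is the only consumer of that ServiceAccount.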
@@ -0,0 +1,144 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: envoy-gateway-gateway-helm-envoy-gateway-role +rules: + - apiGroups: + - '' + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch + - apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update + - apiGroups: + - gateway.networking.x-k8s.io + resources: + - xlistenersets + 
verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.x-k8s.io + resources: + - xlistenersets/status + verbs: + - update + - apiGroups: + - '' + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch diff --git a/_/ClusterRole/hairpin-proxy-controller-cr.yaml b/_/ClusterRole/hairpin-proxy-controller-cr.yaml deleted file mode 100644 index bb7d88b..0000000 --- a/_/ClusterRole/hairpin-proxy-controller-cr.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: hairpin-proxy-controller-cr -rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch diff --git a/_/ClusterRoleBinding/cert-manager-cainjector.yaml b/_/ClusterRoleBinding/cert-manager-cainjector.yaml index c1ff93b..05dce68 100644 --- a/_/ClusterRoleBinding/cert-manager-cainjector.yaml +++ b/_/ClusterRoleBinding/cert-manager-cainjector.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-cainjector roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/_/ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io.yaml b/_/ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io.yaml index 7834974..d10b7df 100644 --- a/_/ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io.yaml +++ b/_/ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io.yaml 
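Review bot: The rule on core `configmaps`, `secrets` and `services` grants `get`, `list` and `watch` on every Secret in the cluster to the `envoy-gateway` ServiceAccount bound later on this page, and the final rule grants `patch` and `update` on `pods` and `pods/binding` cluster-wide; nothing in the role narrows either with `resourceNames` or a namespaced Role. If this is the unmodified gateway-helm v1.7.3 role named on the certgen resources, say so at the top of the file and state why the breadth is accepted, e.g. `# Upstream gateway-helm v1.7.3 role, unmodified; cluster-wide Secret read is presumably needed for cross-namespace TLS references — TODO confirm.`. `creationTimestamp: null` under `metadata` is generator residue and can be dropped for consistency with the other roles on this page.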
@@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-approve:cert-manager-io roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/_/ClusterRoleBinding/cert-manager-controller-certificates.yaml b/_/ClusterRoleBinding/cert-manager-controller-certificates.yaml index dc2cd5d..3174fe3 100644 --- a/_/ClusterRoleBinding/cert-manager-controller-certificates.yaml +++ b/_/ClusterRoleBinding/cert-manager-controller-certificates.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-certificates roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/_/ClusterRoleBinding/cert-manager-controller-certificatesigningrequests.yaml b/_/ClusterRoleBinding/cert-manager-controller-certificatesigningrequests.yaml index 15a5af3..fc7e5e0 100644 --- a/_/ClusterRoleBinding/cert-manager-controller-certificatesigningrequests.yaml +++ b/_/ClusterRoleBinding/cert-manager-controller-certificatesigningrequests.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-certificatesigningrequests roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/_/ClusterRoleBinding/cert-manager-controller-challenges.yaml b/_/ClusterRoleBinding/cert-manager-controller-challenges.yaml index 0761705..3defdc7 100644 
--- a/_/ClusterRoleBinding/cert-manager-controller-challenges.yaml +++ b/_/ClusterRoleBinding/cert-manager-controller-challenges.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-challenges roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/_/ClusterRoleBinding/cert-manager-controller-clusterissuers.yaml b/_/ClusterRoleBinding/cert-manager-controller-clusterissuers.yaml index cf3edda..701f7de 100644 --- a/_/ClusterRoleBinding/cert-manager-controller-clusterissuers.yaml +++ b/_/ClusterRoleBinding/cert-manager-controller-clusterissuers.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-clusterissuers roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/_/ClusterRoleBinding/cert-manager-controller-ingress-shim.yaml b/_/ClusterRoleBinding/cert-manager-controller-ingress-shim.yaml index e928ee7..2f84e4f 100644 --- a/_/ClusterRoleBinding/cert-manager-controller-ingress-shim.yaml +++ b/_/ClusterRoleBinding/cert-manager-controller-ingress-shim.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-ingress-shim roleRef: apiGroup: rbac.authorization.k8s.io 
diff --git a/_/ClusterRoleBinding/cert-manager-controller-issuers.yaml b/_/ClusterRoleBinding/cert-manager-controller-issuers.yaml index 25157f6..d07ed6b 100644 --- a/_/ClusterRoleBinding/cert-manager-controller-issuers.yaml +++ b/_/ClusterRoleBinding/cert-manager-controller-issuers.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-issuers roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/_/ClusterRoleBinding/cert-manager-controller-orders.yaml b/_/ClusterRoleBinding/cert-manager-controller-orders.yaml index 520c42a..e61db89 100644 --- a/_/ClusterRoleBinding/cert-manager-controller-orders.yaml +++ b/_/ClusterRoleBinding/cert-manager-controller-orders.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-controller-orders roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/_/ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews.yaml b/_/ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews.yaml index a13e167..48270df 100644 --- a/_/ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews.yaml +++ b/_/ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews.yaml 
@@ -7,15 +7,14 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-webhook:subjectaccessreviews roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-webhook:subjectaccessreviews subjects: - - apiGroup: '' - kind: ServiceAccount + - kind: ServiceAccount name: cert-manager-webhook namespace: cert-manager diff --git a/_/ClusterRoleBinding/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml b/_/ClusterRoleBinding/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml new file mode 100644 index 0000000..83636c6 --- /dev/null +++ b/_/ClusterRoleBinding/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install, pre-upgrade + helm.sh/hook-weight: '-1' + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway-gateway-helm-certgen:envoy-gateway-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: envoy-gateway-gateway-helm-certgen:envoy-gateway-system +subjects: + - kind: ServiceAccount + name: envoy-gateway-gateway-helm-certgen + namespace: envoy-gateway-system diff --git a/_/ClusterRoleBinding/hairpin-proxy-controller-crb.yaml b/_/ClusterRoleBinding/envoy-gateway-gateway-helm-envoy-gateway-rolebinding.yaml similarity index 50% rename from _/ClusterRoleBinding/hairpin-proxy-controller-crb.yaml rename to _/ClusterRoleBinding/envoy-gateway-gateway-helm-envoy-gateway-rolebinding.yaml index a01ce2e..951264e 100644 
--- a/_/ClusterRoleBinding/hairpin-proxy-controller-crb.yaml +++ b/_/ClusterRoleBinding/envoy-gateway-gateway-helm-envoy-gateway-rolebinding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: hairpin-proxy-controller-crb + name: envoy-gateway-gateway-helm-envoy-gateway-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: hairpin-proxy-controller-cr + name: envoy-gateway-gateway-helm-envoy-gateway-role subjects: - kind: ServiceAccount - name: hairpin-proxy-controller-sa - namespace: hairpin-proxy + name: envoy-gateway + namespace: envoy-gateway-system diff --git a/_/CustomResourceDefinition/backends.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/backends.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..8cb3e1f --- /dev/null +++ b/_/CustomResourceDefinition/backends.gateway.envoyproxy.io.yaml 
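Review bot: Renaming this file from `hairpin-proxy-controller-crb.yaml` and deleting `_/ClusterRole/hairpin-proxy-controller-cr.yaml` earlier on this page removes the manifests from the repository, but `kubectl apply` without `--prune` leaves the `hairpin-proxy-controller-crb` ClusterRoleBinding and `hairpin-proxy-controller-cr` ClusterRole in the cluster; whether the workflow prunes is not visible in its hunk. If it does not, the old binding keeps granting the `hairpin-proxy-controller-sa` ServiceAccount in `hairpin-proxy` its ingress read access until someone removes it by hand. A one-off `kubectl delete clusterrolebinding/hairpin-proxy-controller-crb clusterrole/hairpin-proxy-controller-cr`, noted in the commit, would close the gap.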
@@ -0,0 +1,669 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: backends.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: Backend + listKind: BackendList + plural: backends + shortNames: + - be + singular: backend + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].reason + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Backend allows the user to configure the endpoints of a backend and + the behavior of the connection from Envoy Proxy to the backend. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Backend. + properties: + appProtocols: + description: >- + AppProtocols defines the application protocols to be + supported when connecting to the backend. 
+ items: + description: >- + AppProtocolType defines various backend applications + protocols supported by Envoy Gateway + enum: + - gateway.envoyproxy.io/h2c + - gateway.envoyproxy.io/ws + - gateway.envoyproxy.io/wss + type: string + type: array + endpoints: + description: >- + Endpoints defines the endpoints to be used when connecting + to the backend. + items: + description: >- + BackendEndpoint describes a backend endpoint, which can be + either a fully-qualified domain name, IP address or unix + domain socket + + corresponding to Envoy's Address: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-address + properties: + fqdn: + description: FQDN defines a FQDN endpoint + properties: + hostname: + description: >- + Hostname defines the FQDN hostname of the backend + endpoint. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: Port defines the port of the backend endpoint. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + required: + - hostname + - port + type: object + hostname: + description: >- + Hostname defines an optional hostname for the backend + endpoint. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + ip: + description: >- + IP defines an IP endpoint. Supports both IPv4 and IPv6 + addresses. + properties: + address: + description: >- + Address defines the IP address of the backend + endpoint. + + Supports both IPv4 and IPv6 addresses. + maxLength: 45 + minLength: 3 + pattern: >- + ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$ + type: string + port: + description: Port defines the port of the backend endpoint. 
+ format: int32 + maximum: 65535 + minimum: 0 + type: integer + required: + - address + - port + type: object + unix: + description: Unix defines the unix domain socket endpoint + properties: + path: + description: >- + Path defines the unix domain socket path of the + backend endpoint. + + The path length must not exceed 108 characters. + type: string + x-kubernetes-validations: + - message: >- + unix domain socket path must not exceed 108 + characters + rule: size(self) <= 108 + required: + - path + type: object + zone: + description: Zone defines the service zone of the backend endpoint. + type: string + type: object + x-kubernetes-validations: + - message: one of fqdn, ip or unix must be specified + rule: (has(self.fqdn) || has(self.ip) || has(self.unix)) + - message: only one of fqdn, ip or unix can be specified + rule: >- + ((has(self.fqdn) && !(has(self.ip) || has(self.unix))) + || (has(self.ip) && !(has(self.fqdn) || + has(self.unix))) || (has(self.unix) && !(has(self.ip) + || has(self.fqdn)))) + maxItems: 256 + minItems: 1 + type: array + x-kubernetes-validations: + - message: fqdn addresses cannot be mixed with other address types + rule: self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn)) + fallback: + description: >- + Fallback indicates whether the backend is designated as a + fallback. + + It is highly recommended to configure active or passive + health checks to ensure that failover can be detected + + when the active backends become unhealthy and to + automatically readjust once the primary backends are healthy + again. + + The overprovisioning factor is set to 1.4, meaning the + fallback backends will only start receiving traffic when + + the health of the active backends falls below 72%. + type: boolean + tls: + description: >- + TLS defines the TLS settings for the backend. + + If TLS is specified here and a BackendTLSPolicy is also + configured for the backend, the final TLS settings will + + be a merge of both configurations. 
In case of overlapping + fields, the values defined in the BackendTLSPolicy will + + take precedence. + properties: + alpnProtocols: + description: >- + ALPNProtocols supplies the list of ALPN protocols that + should be + + exposed by the listener or used by the proxy to connect + to the backend. + + Defaults: + + 1. HTTPS Routes: h2 and http/1.1 are enabled in listener + context. + + 2. Other Routes: ALPN is disabled. + + 3. Backends: proxy uses the appropriate ALPN options for + the backend protocol. + + When an empty list is provided, the ALPN TLS extension + is disabled. + + + Defaults to [h2, http/1.1] if not specified. + + + Typical Supported values are: + + - http/1.0 + + - http/1.1 + + - h2 + items: + description: >- + ALPNProtocol specifies the protocol to be negotiated + using ALPN + type: string + type: array + caCertificateRefs: + description: >- + CACertificateRefs contains one or more references to + Kubernetes objects that + + contain TLS certificates of the Certificate Authorities + that can be used + + as a trust anchor to validate the certificates presented + by the backend. + + + A single reference to a Kubernetes ConfigMap or a + Kubernetes Secret, + + with the CA certificate in a key named `ca.crt` is + currently supported. + + + If CACertificateRefs is empty or unspecified, then + WellKnownCACertificates must be + + specified. Only one of CACertificateRefs or + WellKnownCACertificates may be specified, + + not both. + items: + description: >- + LocalObjectReference identifies an API object within + the namespace of the + + referrer. + + The API object must be valid in the cluster; the Group + and Kind must + + be registered in the cluster for this reference to be + valid. + + + References to objects with invalid Group and Kind are + not valid, and must + + be rejected by the implementation, with appropriate + Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. 
For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + ciphers: + description: >- + Ciphers specifies the set of cipher suites supported + when + + negotiating TLS 1.0 - 1.2. This setting has no effect + for TLS 1.3. + + In non-FIPS Envoy Proxy builds the default cipher list + is: + + - + [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + + - + [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + In builds using BoringSSL FIPS the default cipher list + is: + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + items: + type: string + type: array + clientCertificateRef: + description: >- + ClientCertificateRef defines the reference to a + Kubernetes Secret that contains + + the client certificate and private key for Envoy to use + when connecting to + + backend services and external services, such as ExtAuth, + ALS, OpenTelemetry, etc. + + This secret should be located within the same namespace + as the Envoy proxy resource that references it. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + ecdhCurves: + description: |- + ECDHCurves specifies the set of supported ECDH curves. + In non-FIPS Envoy Proxy builds the default curves are: + - X25519 + - P-256 + In builds using BoringSSL FIPS the default curve is: + - P-256 + items: + type: string + type: array + insecureSkipVerify: + default: false + description: >- + InsecureSkipVerify indicates whether the upstream's + certificate verification + + should be skipped. Defaults to "false". + type: boolean + maxVersion: + description: |- + Max specifies the maximal TLS protocol version to allow + The default is TLS 1.3 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + minVersion: + description: |- + Min specifies the minimal TLS protocol version to allow. + The default is TLS 1.2 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + signatureAlgorithms: + description: >- + SignatureAlgorithms specifies which signature algorithms + the listener should + + support. 
+ items: + type: string + type: array + sni: + description: >- + SNI is specifies the SNI value used when establishing an + upstream TLS connection to the backend. + + + Envoy Gateway will use the HTTP host header value for + SNI, when all resources referenced in BackendRefs are: + + 1. Backend resources that do not set SNI, or + + 2. Service/ServiceImport resources that do not have a + BackendTLSPolicy attached to them + + + When a BackendTLSPolicy attaches to a Backend resource, + the BackendTLSPolicy's Hostname value takes precedence + + over this value. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + wellKnownCACertificates: + description: >- + WellKnownCACertificates specifies whether system CA + certificates may be used in + + the TLS handshake between the gateway and backend pod. + + + If WellKnownCACertificates is unspecified or empty (""), + then CACertificateRefs + + must be specified with at least one entry for a valid + configuration. Only one of + + CACertificateRefs or WellKnownCACertificates may be + specified, not both. + enum: + - System + type: string + type: object + x-kubernetes-validations: + - message: >- + must not contain both CACertificateRefs and + WellKnownCACertificates + rule: >- + !(has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 && + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + - message: >- + must not contain either CACertificateRefs or + WellKnownCACertificates when InsecureSkipVerify is + enabled + rule: >- + !((has(self.insecureSkipVerify) && + self.insecureSkipVerify) && + ((has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0) || + (has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != ""))) + - message: >- + setting ciphers has no effect if the minimum possible + TLS version is 1.3 + rule: >- + has(self.minVersion) && self.minVersion == '1.3' ? 
+ !has(self.ciphers) : true + - message: minVersion must be smaller or equal to maxVersion + rule: >- + has(self.minVersion) && has(self.maxVersion) ? + {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion] + <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : !has(self.minVersion) && has(self.maxVersion) ? 3 <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : true + type: + default: Endpoints + description: >- + Type defines the type of the backend. Defaults to + "Endpoints" + enum: + - Endpoints + - DynamicResolver + type: string + type: object + x-kubernetes-validations: + - message: DynamicResolver type cannot have endpoints specified + rule: self.type != 'DynamicResolver' || !has(self.endpoints) + status: + description: Status defines the current status of Backend. + properties: + conditions: + description: Conditions describe the current conditions of the Backend. + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}
diff --git a/_/CustomResourceDefinition/backendtlspolicies.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/backendtlspolicies.gateway.networking.k8s.io.yaml
new file mode 100644
index 0000000..bde649a
--- /dev/null
+++ b/_/CustomResourceDefinition/backendtlspolicies.gateway.networking.k8s.io.yaml
@@ -0,0 +1,2323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + labels: + gateway.networking.k8s.io/policy: Direct + name: backendtlspolicies.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: BackendTLSPolicy + listKind: BackendTLSPolicyList + plural: backendtlspolicies + shortNames: + - btlspolicy + singular: backendtlspolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + BackendTLSPolicy provides a way to configure how a Gateway + connects to a Backend via TLS. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendTLSPolicy. + properties: + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in Gateway + API. This is used + + for validation of maps such as TLS options. 
This roughly + matches Kubernetes + + annotation validation, although the length validation in + that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable extended TLS + + configuration for each implementation. For example, + configuring the + + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in the + future. To avoid + + any ambiguity, implementation-specific definitions MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names defined by + Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + targetRefs: + description: >- + TargetRefs identifies an API object to apply the policy to. + + Note that this config applies to the entire referenced + resource + + by default, but this default may change in the future to + provide + + a more granular application of the policy. + + + TargetRefs must be _distinct_. This means either that: + + + * They select different targets. If this is the case, then + targetRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, and `name` must + be unique across all targetRef entries in the BackendTLSPolicy. + * They select different sectionNames in the same target. + + + When more than one BackendTLSPolicy selects the same target + and + + sectionName, implementations MUST determine precedence using + the + + following criteria, continuing on ties: + + + * The older policy by creation timestamp takes precedence. + For + example, a policy with a creation timestamp of "2021-07-15 + 01:02:03" MUST be given precedence over a policy with a + creation timestamp of "2021-07-15 01:02:04". + * The policy appearing first in alphabetical order by + {namespace}/{name}. 
+ For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. + + For any BackendTLSPolicy that does not take precedence, the + + implementation MUST ensure the `Accepted` Condition is set + to + + `status: False`, with Reason `Conflicted`. + + + Implementations SHOULD NOT support more than one targetRef + at this + + time. Although the API technically allows for this, the + current guidance + + for conflict resolution and status handling is lacking. + Until that can be + + clarified in a future release, the safest approach is to + support a single + + targetRef. + + + Support Levels: + + + * Extended: Kubernetes Service referenced by HTTPRoute + backendRefs. + + + * Implementation-Specific: Services not connected via + HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy + behavior is consistent, + + even outside of the extended HTTPRoute -(backendRef) -> + Service path. + + They SHOULD clearly document how BackendTLSPolicy is + interpreted in these + + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced + resource + + by default, but this default may change in the future to + provide + + a more granular application of the policy. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. 
For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when targetRefs includes 2 + or more references to the same target + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name ? 
+ ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when targetRefs includes 2 or + more references to the same target + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + validation: + description: Validation contains backend TLS validation configuration. + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more references to + Kubernetes objects that + + contain a PEM-encoded TLS CA certificate bundle, which + is used to + + validate a TLS handshake between the Gateway and backend + Pod. + + + If CACertificateRefs is empty or unspecified, then + WellKnownCACertificates must be + + specified. Only one of CACertificateRefs or + WellKnownCACertificates may be specified, + + not both. If CACertificateRefs is empty or unspecified, + the configuration for + + WellKnownCACertificates MUST be honored instead if + supported by the implementation. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be resolved (e.g., + the referenced resource + does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key + named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of + resource. In this case, the Reason + must be set to `InvalidKind` and the Message of the Condition must explain which + kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace. This may + change in future + spec updates. 
+ + Implementations MAY choose to perform further validation + of the certificate + + content (e.g., checking expiry or enforcing specific + formats). In such cases, + + an implementation-specific Reason and Message must be + set for the invalid reference. + + + In all cases, the implementation MUST ensure the + `ResolvedRefs` Condition on + + the BackendTLSPolicy is set to `status: False`, with a + Reason and Message + + that indicate the cause of the error. Connections using + an invalid + + CACertificateRef MUST fail, and the client MUST receive + an HTTP 5xx error + + response. If ALL CACertificateRefs are invalid, the + implementation MUST also + + ensure the `Accepted` Condition on the BackendTLSPolicy + is set to + + `status: False`, with a Reason `NoValidCACertificate`. + + + A single CACertificateRef to a Kubernetes ConfigMap kind + has "Core" support. + + Implementations MAY choose to support attaching multiple + certificates to + + a backend, but this behavior is implementation-specific. + + + Support: Core - An optional single reference to a + Kubernetes ConfigMap, + + with the CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More than one + reference, other kinds + + of resources, or a single reference that includes + multiple certificates. + items: + description: >- + LocalObjectReference identifies an API object within + the namespace of the + + referrer. + + The API object must be valid in the cluster; the Group + and Kind must + + be registered in the cluster for this reference to be + valid. + + + References to objects with invalid Group and Kind are + not valid, and must + + be rejected by the implementation, with appropriate + Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + hostname: + description: >- + Hostname is used for two purposes in the connection + between Gateways and + + backends: + + + 1. Hostname MUST be used as the SNI to connect to the + backend (RFC 6066). + + 2. Hostname MUST be used for authentication and MUST + match the certificate + served by the matching backend, unless SubjectAltNames is specified. + 3. If SubjectAltNames are specified, Hostname can be + used for certificate selection + but MUST NOT be used for authentication. If you want to use the value + of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + subjectAltNames: + description: >- + SubjectAltNames contains one or more Subject Alternative + Names. + + When specified the certificate served from the backend + MUST + + have at least one Subject Alternate Name matching one of + the specified SubjectAltNames. + + + Support: Extended + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: >- + Hostname contains Subject Alternative Name + specified in DNS name format. + + Required when Type is set to Hostname, ignored + otherwise. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: >- + Type determines the format of the Subject + Alternative Name. Always required. + + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: >- + URI contains Subject Alternative Name specified in + a full URI format. + + It MUST include both a scheme (e.g., "http" or + "ftp") and a scheme-specific-part. + + Common values include SPIFFE IDs like + "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + + Required when Type is set to URI, ignored + otherwise. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: >- + !(self.type == "Hostname" && (!has(self.hostname) + || self.hostname == "")) + - message: >- + SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: >- + !(self.type != "Hostname" && has(self.hostname) && + self.hostname != "") + - message: >- + SubjectAltName element must contain URI, if Type + is set to URI + rule: >- + !(self.type == "URI" && (!has(self.uri) || + self.uri == "")) + - message: >- + SubjectAltName element must not contain URI, if + Type is not set to URI + rule: >- + !(self.type != "URI" && has(self.uri) && self.uri + != "") + maxItems: 5 + type: array + x-kubernetes-list-type: atomic + wellKnownCACertificates: + description: >- + WellKnownCACertificates specifies whether a well-known + set of CA certificates + + may be used in the TLS handshake between the gateway and + backend pod. + + + If WellKnownCACertificates is unspecified or empty (""), + then CACertificateRefs + + must be specified with at least one entry for a valid + configuration. 
Only one of + + CACertificateRefs or WellKnownCACertificates may be + specified, not both. + + If an implementation does not support the + WellKnownCACertificates field, or + + the supplied value is not recognized, the implementation + MUST ensure the + + `Accepted` Condition on the BackendTLSPolicy is set to + `status: False`, with + + a Reason `Invalid`. + + + Valid values include: + + * "System" - indicates that well-known system CA + certificates should be used. + + + Implementations MAY define their own sets of CA + certificates. Such definitions + + MUST use an implementation-specific, prefixed name, such + as + + `mycompany.com/my-custom-ca-certificates`. + + + Support: Implementation-specific + maxLength: 253 + minLength: 1 + pattern: >- + ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ + type: string + required: + - hostname + type: object + x-kubernetes-validations: + - message: >- + must not contain both CACertificateRefs and + WellKnownCACertificates + rule: >- + !(has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 && + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + - message: >- + must specify either CACertificateRefs or + WellKnownCACertificates + rule: >- + (has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 || + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + required: + - targetRefs + - validation + type: object + status: + description: Status defines the current state of BackendTLSPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. 
When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. + Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. 
Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - deprecated: true + deprecationWarning: >- + The v1alpha3 version of BackendTLSPolicy has been deprecated and will be + removed in a future release of the API. Please upgrade to v1. 
+ name: v1alpha3 + schema: + openAPIV3Schema: + description: |- + BackendTLSPolicy provides a way to configure how a Gateway + connects to a Backend via TLS. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendTLSPolicy. + properties: + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in Gateway + API. This is used + + for validation of maps such as TLS options. This roughly + matches Kubernetes + + annotation validation, although the length validation in + that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable extended TLS + + configuration for each implementation. For example, + configuring the + + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in the + future. To avoid + + any ambiguity, implementation-specific definitions MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names defined by + Gateway API. 
+ + + Support: Implementation-specific + maxProperties: 16 + type: object + targetRefs: + description: >- + TargetRefs identifies an API object to apply the policy to. + + Note that this config applies to the entire referenced + resource + + by default, but this default may change in the future to + provide + + a more granular application of the policy. + + + TargetRefs must be _distinct_. This means either that: + + + * They select different targets. If this is the case, then + targetRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, and `name` must + be unique across all targetRef entries in the BackendTLSPolicy. + * They select different sectionNames in the same target. + + + When more than one BackendTLSPolicy selects the same target + and + + sectionName, implementations MUST determine precedence using + the + + following criteria, continuing on ties: + + + * The older policy by creation timestamp takes precedence. + For + example, a policy with a creation timestamp of "2021-07-15 + 01:02:03" MUST be given precedence over a policy with a + creation timestamp of "2021-07-15 01:02:04". + * The policy appearing first in alphabetical order by + {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. + + For any BackendTLSPolicy that does not take precedence, the + + implementation MUST ensure the `Accepted` Condition is set + to + + `status: False`, with Reason `Conflicted`. + + + Implementations SHOULD NOT support more than one targetRef + at this + + time. Although the API technically allows for this, the + current guidance + + for conflict resolution and status handling is lacking. + Until that can be + + clarified in a future release, the safest approach is to + support a single + + targetRef. + + + Support Levels: + + + * Extended: Kubernetes Service referenced by HTTPRoute + backendRefs. 
+ + + * Implementation-Specific: Services not connected via + HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy + behavior is consistent, + + even outside of the extended HTTPRoute -(backendRef) -> + Service path. + + They SHOULD clearly document how BackendTLSPolicy is + interpreted in these + + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced + resource + + by default, but this default may change in the future to + provide + + a more granular application of the policy. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. 
+ maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when targetRefs includes 2 + or more references to the same target + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when targetRefs includes 2 or + more references to the same target + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + validation: + description: Validation contains backend TLS validation configuration. 
+ properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more references to + Kubernetes objects that + + contain a PEM-encoded TLS CA certificate bundle, which + is used to + + validate a TLS handshake between the Gateway and backend + Pod. + + + If CACertificateRefs is empty or unspecified, then + WellKnownCACertificates must be + + specified. Only one of CACertificateRefs or + WellKnownCACertificates may be specified, + + not both. If CACertificateRefs is empty or unspecified, + the configuration for + + WellKnownCACertificates MUST be honored instead if + supported by the implementation. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be resolved (e.g., + the referenced resource + does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key + named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of + resource. In this case, the Reason + must be set to `InvalidKind` and the Message of the Condition must explain which + kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace. This may + change in future + spec updates. + + Implementations MAY choose to perform further validation + of the certificate + + content (e.g., checking expiry or enforcing specific + formats). In such cases, + + an implementation-specific Reason and Message must be + set for the invalid reference. + + + In all cases, the implementation MUST ensure the + `ResolvedRefs` Condition on + + the BackendTLSPolicy is set to `status: False`, with a + Reason and Message + + that indicate the cause of the error. Connections using + an invalid + + CACertificateRef MUST fail, and the client MUST receive + an HTTP 5xx error + + response. 
If ALL CACertificateRefs are invalid, the + implementation MUST also + + ensure the `Accepted` Condition on the BackendTLSPolicy + is set to + + `status: False`, with a Reason `NoValidCACertificate`. + + + A single CACertificateRef to a Kubernetes ConfigMap kind + has "Core" support. + + Implementations MAY choose to support attaching multiple + certificates to + + a backend, but this behavior is implementation-specific. + + + Support: Core - An optional single reference to a + Kubernetes ConfigMap, + + with the CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More than one + reference, other kinds + + of resources, or a single reference that includes + multiple certificates. + items: + description: >- + LocalObjectReference identifies an API object within + the namespace of the + + referrer. + + The API object must be valid in the cluster; the Group + and Kind must + + be registered in the cluster for this reference to be + valid. + + + References to objects with invalid Group and Kind are + not valid, and must + + be rejected by the implementation, with appropriate + Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + hostname: + description: >- + Hostname is used for two purposes in the connection + between Gateways and + + backends: + + + 1. Hostname MUST be used as the SNI to connect to the + backend (RFC 6066). + + 2. Hostname MUST be used for authentication and MUST + match the certificate + served by the matching backend, unless SubjectAltNames is specified. + 3. If SubjectAltNames are specified, Hostname can be + used for certificate selection + but MUST NOT be used for authentication. If you want to use the value + of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + subjectAltNames: + description: >- + SubjectAltNames contains one or more Subject Alternative + Names. + + When specified the certificate served from the backend + MUST + + have at least one Subject Alternate Name matching one of + the specified SubjectAltNames. + + + Support: Extended + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: >- + Hostname contains Subject Alternative Name + specified in DNS name format. + + Required when Type is set to Hostname, ignored + otherwise. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: >- + Type determines the format of the Subject + Alternative Name. Always required. + + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: >- + URI contains Subject Alternative Name specified in + a full URI format. + + It MUST include both a scheme (e.g., "http" or + "ftp") and a scheme-specific-part. 
+ + Common values include SPIFFE IDs like + "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + + Required when Type is set to URI, ignored + otherwise. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: >- + !(self.type == "Hostname" && (!has(self.hostname) + || self.hostname == "")) + - message: >- + SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: >- + !(self.type != "Hostname" && has(self.hostname) && + self.hostname != "") + - message: >- + SubjectAltName element must contain URI, if Type + is set to URI + rule: >- + !(self.type == "URI" && (!has(self.uri) || + self.uri == "")) + - message: >- + SubjectAltName element must not contain URI, if + Type is not set to URI + rule: >- + !(self.type != "URI" && has(self.uri) && self.uri + != "") + maxItems: 5 + type: array + x-kubernetes-list-type: atomic + wellKnownCACertificates: + description: >- + WellKnownCACertificates specifies whether a well-known + set of CA certificates + + may be used in the TLS handshake between the gateway and + backend pod. + + + If WellKnownCACertificates is unspecified or empty (""), + then CACertificateRefs + + must be specified with at least one entry for a valid + configuration. Only one of + + CACertificateRefs or WellKnownCACertificates may be + specified, not both. + + If an implementation does not support the + WellKnownCACertificates field, or + + the supplied value is not recognized, the implementation + MUST ensure the + + `Accepted` Condition on the BackendTLSPolicy is set to + `status: False`, with + + a Reason `Invalid`. + + + Valid values include: + + * "System" - indicates that well-known system CA + certificates should be used. 
+ + + Implementations MAY define their own sets of CA + certificates. Such definitions + + MUST use an implementation-specific, prefixed name, such + as + + `mycompany.com/my-custom-ca-certificates`. + + + Support: Implementation-specific + maxLength: 253 + minLength: 1 + pattern: >- + ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ + type: string + required: + - hostname + type: object + x-kubernetes-validations: + - message: >- + must not contain both CACertificateRefs and + WellKnownCACertificates + rule: >- + !(has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 && + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + - message: >- + must specify either CACertificateRefs or + WellKnownCACertificates + rule: >- + (has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 || + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + required: + - targetRefs + - validation + type: object + status: + description: Status defines the current state of BackendTLSPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. 
+ Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. 
For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. 
+ + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. 
+ properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/backendtrafficpolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/backendtrafficpolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..0cbc79e --- /dev/null +++ b/_/CustomResourceDefinition/backendtrafficpolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,4316 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: backendtrafficpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: BackendTrafficPolicy + listKind: BackendTrafficPolicyList + plural: backendtrafficpolicies + shortNames: + - btp + singular: backendtrafficpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + BackendTrafficPolicy allows the user to configure the behavior of + the connection + + between the Envoy Proxy listener and the backend service. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of BackendTrafficPolicy. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream connections and + requests. 
+ + If not set, circuit breakers will be enabled with the + default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy will + establish to the referenced backend defined within a + xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that Envoy will + make to the referenced backend defined within a xRoute + rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that Envoy will + make to the referenced backend defined within a xRoute + rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that Envoy will + queue to the referenced backend defined within a xRoute + rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy will make over + a single connection to the referenced backend defined + within a xRoute rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that will apply + per-endpoint for an upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum number of + connections that Envoy will establish per-endpoint + to the referenced backend defined within a xRoute + rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + compression: + description: |- + The compression config for the http streams. + Deprecated: Use Compressor instead. 
+ items: + description: >- + Compression defines the config of enabling compression. + + This can help reduce the bandwidth at the expense of + higher CPU. + properties: + brotli: + description: The configuration for Brotli compressor. + type: object + gzip: + description: The configuration for GZIP compressor. + type: object + minContentLength: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + MinContentLength defines the minimum response size in + bytes to apply compression. + + Responses smaller than this threshold will not be + compressed. + + Must be at least 30 bytes as enforced by Envoy Proxy. + + Note that when the suffix is not provided, the value + is interpreted as bytes. + + Default: 30 bytes + x-kubernetes-int-or-string: true + type: + description: >- + CompressorType defines the compressor type to use for + compression. + enum: + - Gzip + - Brotli + - Zstd + type: string + zstd: + description: The configuration for Zstd compressor. + type: object + required: + - type + type: object + type: array + compressor: + description: >- + The compressor config for the http streams. + + This provides more granular control over compression + configuration. + + Order matters: The first compressor in the list is preferred + when q-values in Accept-Encoding are equal. + items: + description: >- + Compression defines the config of enabling compression. + + This can help reduce the bandwidth at the expense of + higher CPU. + properties: + brotli: + description: The configuration for Brotli compressor. + type: object + gzip: + description: The configuration for GZIP compressor. 
+ type: object + minContentLength: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + MinContentLength defines the minimum response size in + bytes to apply compression. + + Responses smaller than this threshold will not be + compressed. + + Must be at least 30 bytes as enforced by Envoy Proxy. + + Note that when the suffix is not provided, the value + is interpreted as bytes. + + Default: 30 bytes + x-kubernetes-int-or-string: true + type: + description: >- + CompressorType defines the compressor type to use for + compression. + enum: + - Gzip + - Brotli + - Zstd + type: string + zstd: + description: The configuration for Zstd compressor. + type: object + required: + - type + type: object + type: array + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the cluster’s + connections read and write buffers. + + BufferLimit applies to connection streaming (maybe + non-streaming) channel between processes, it's in user + space. + + If unspecified, an implementation defined default is + applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not provided, the value is + interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream connections to + reduce latency by establishing + + connections before they’re needed and avoiding + connection establishment overhead. 
+ + + If unset, Envoy will fetch connections as needed to + serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many additional + connections to maintain per + + upstream endpoint, useful for high-QPS or latency + sensitive services. Expressed as a + + percentage of the connections required by active + streams + + (e.g. 100 = preconnect disabled, 105 = 1.05x + connections per-endpoint, 200 = 2.00×). + + + Allowed value range is between 100-300. When both + PerEndpointPercent and + + PredictivePercent are set, Envoy ensures both are + satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many additional + connections to maintain + + across the cluster by anticipating which upstream + endpoint the load balancer + + will select next, useful for low-QPS services. + Relies on deterministic + + loadbalancing and is only supported with Random or + RoundRobin. + + Expressed as a percentage of the connections + required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× + connections across the cluster, 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent are + + set Envoy ensures both are satisfied per host (max + of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for the maximum + buffer size in bytes for each socket + + to backend. + + SocketBufferLimit applies to socket streaming channel + between TCP/IP stacks, it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. 
+ + Note that when the suffix is not provided, the value is + interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which DNS records + should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would resolve DNS for + Routes where the backend is specified as a fully + qualified domain name (FQDN). + + If set, this configuration overrides other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS Time-To-Live + (TTL) should be respected. + + If the value is set to true, the DNS refresh rate will + be set to the resource record’s TTL. + + Defaults to true. + type: boolean + type: object + faultInjection: + description: >- + FaultInjection defines the fault injection policy to be + applied. This configuration can be used to + + inject delays and abort requests to mimic failure scenarios + such as service failures and overloads + properties: + abort: + description: >- + If specified, the request will be aborted if it meets + the configuration criteria. + properties: + grpcStatus: + description: >- + GrpcStatus specifies the GRPC status code to be + returned + format: int32 + type: integer + httpStatus: + description: >- + StatusCode specifies the HTTP status code to be + returned + format: int32 + maximum: 600 + minimum: 200 + type: integer + percentage: + default: 100 + description: >- + Percentage specifies the percentage of requests to + be aborted. Default 100%, if set 0, no requests will + be aborted. Accuracy to 0.0001%. + type: number + type: object + x-kubernetes-validations: + - message: >- + httpStatus and grpcStatus cannot be simultaneously + defined. 
+ rule: ' !(has(self.httpStatus) && has(self.grpcStatus)) ' + - message: httpStatus and grpcStatus are set at least one. + rule: ' has(self.httpStatus) || has(self.grpcStatus) ' + delay: + description: If specified, a delay will be injected into the request. + properties: + fixedDelay: + description: FixedDelay specifies the fixed delay duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + percentage: + default: 100 + description: >- + Percentage specifies the percentage of requests to + be delayed. Default 100%, if set 0, no requests will + be delayed. Accuracy to 0.0001%. + type: number + required: + - fixedDelay + type: object + type: object + x-kubernetes-validations: + - message: Delay and abort faults are set at least one. + rule: ' has(self.delay) || has(self.abort) ' + healthCheck: + description: >- + HealthCheck allows gateway to perform active health checking + on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the GRPC health + checker. + + It's optional, and can only be used if the specified + type is GRPC. + properties: + service: + description: >- + Service to send in the health check request. + + If this is not specified, then the health check + request applies to the entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of healthy + health checks required before a backend host is + marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http health + checker. + + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP expected + responses to match. + properties: + binary: + description: Binary payload base64 encoded. 
+ format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field needs to + be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) : + !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP response + statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header used for + active HTTP health checks. + + Host selection uses this order: this field, the + associated Backend endpoint + + hostname if available, then the effective Route + hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for health + checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time Envoy will + wait before the first health check. + + Envoy will randomly select a value between 0 and the + initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active health + checks. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines the expected response payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field needs to + be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) : + !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field needs to + be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) : + !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a health check + response. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of unhealthy + health checks required before a backend host is + marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http field needs to + be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field needs to be + set. + rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: >- + The grpc field can only be set if the Health Checker + type is GRPC. + rule: 'has(self.grpc) ? self.type == ''GRPC'' : true' + panicThreshold: + description: >- + When number of unhealthy endpoints for a backend reaches + this threshold + + Envoy will disregard health status and balance across + all endpoints. + + It's designed to prevent a situation in which host + failures cascade throughout the cluster + + as load increases. If not set, the default value is 50%. + To disable panic mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base duration for which + a host will be ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of consecutive + 5xx errors triggering ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number of + consecutive gateway errors triggering ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the number of + consecutive local origin failures triggering + ejection. + + Parameter takes effect only when + split_external_local_origin_errors is set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the failure + percentage threshold for outlier detection. + + If the failure percentage of a given host is greater + than or equal to this value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between passive health + checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum percentage of + hosts in a cluster that can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables splitting of + errors between external and local origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration for backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial window size + for HTTP/2 connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial window size for + HTTP/2 streams. + + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number of + concurrent streams allowed per connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will terminate the + connection or just the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy deployments to set this + value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + httpUpgrade: + description: >- + HTTPUpgrade defines the configuration for HTTP protocol + upgrades. + + If not specified, the default upgrade + configuration(websocket) will be used. + items: + description: >- + ProtocolUpgradeConfig specifies the configuration for + protocol upgrades. + properties: + connect: + description: >- + Connect specifies the configuration for the CONNECT + config. + + This is allowed only when type is CONNECT. + properties: + terminate: + description: >- + Terminate the CONNECT request, and forwards the + payload as raw TCP data. + type: boolean + type: object + type: + description: |- + Type is the case-insensitive type of protocol upgrade. + e.g. `websocket`, `CONNECT`, `spdy/3.1` etc. 
+ type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + The connect configuration is only allowed when the + type is CONNECT. + rule: '!has(self.connect) || self.type == ''CONNECT''' + type: array + loadBalancer: + description: >- + LoadBalancer policy to apply when routing traffic from the + gateway to + + the backend endpoints. Defaults to `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration when the load + balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy when the + consistent hash type is set to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the generated + cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the request, + Envoy will generate a cookie and set + + the TTL on the response back to the client based + on Layer 4 + + attributes of the backend endpoint, to ensure + that these future requests + + go to the same backend endpoint. Make sure to + set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the cookie is not + present. This value sets the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy when the + consistent hash type is set to Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash policy for each + header, when the consistent hash type is set to + Headers. 
+ items: + description: >- + Header defines the header hashing configuration + for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query parameter hash + policy when the consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter name + hashing configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, must be prime + number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of input to hash + on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the header field + must be set. + rule: >- + self.type == 'Header' ? has(self.header) : + !has(self.header) + - message: >- + If consistent hash type is headers, the headers + field must be set. + rule: >- + self.type == 'Headers' ? has(self.headers) : + !has(self.headers) + - message: >- + If consistent hash type is cookie, the cookie field + must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) : + !has(self.cookie) + - message: >- + If consistent hash type is queryParams, the + queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration for endpoint + override. 
+ + When specified, the load balancer will attempt to route + requests to endpoints + + based on the override information extracted from request + headers or metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to extract endpoint + override information from. + items: + description: >- + EndpointOverrideExtractFrom defines a source to + extract endpoint override information from. + properties: + header: + description: >- + Header defines the header to get the override + endpoint addresses. + + The header value must specify at least one + endpoint in `IP:Port` format or multiple + endpoints in `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related to the slow + start load balancer policy. + + If set, during slow start window, traffic sent to the + newly added hosts will gradually increase. + + Currently this is only supported for RoundRobin and + LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm up period + for newly added host. + + During slow start window, traffic sent to the newly + added hosts will gradually increase. + + Currently only supports linear growth of traffic. + For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. 
+ Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related to the + distribution of requests between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware routing to + prefer sending traffic to the local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override configuration + for forcing all traffic to stay within the local + zone instead of the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much traffic + as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the minimum + number of upstream endpoints in the local + zone required to honor the forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum number of + total upstream endpoints across all zones + required to enable zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that will be + considered for zone aware routing if zone aware + routing is configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, consistentHash + field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? has(self.consistentHash) + : !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for RoundRobin and + LeastRequest load balancers. 
+ rule: >- + self.type in ['Random', 'ConsistentHash'] ? + !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for LeastRequest, + Random, and RoundRobin load balancers. + rule: >- + self.type == 'ConsistentHash' ? !has(self.zoneAware) : + true + mergeType: + description: >- + MergeType determines how this configuration is merged with + existing BackendTrafficPolicy + + configurations targeting a parent resource. When set, this + configuration will be merged + + into a parent BackendTrafficPolicy (i.e. the one targeting a + Gateway or Listener). + + This field cannot be set when targeting a parent resource + (Gateway). + + If unset, no merging occurs, and only the most specific + configuration takes effect. + type: string + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when communicating + with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + rateLimit: + description: >- + RateLimit allows the user to limit the number of incoming + requests + + to a predefined value based on attributes within the traffic + flow. + properties: + global: + description: Global defines global rate limit configuration. + properties: + rules: + description: >- + Rules are a list of RateLimit selectors and limits. + Each rule and its + + associated limit is applied in a mutually exclusive + way. If a request + + matches multiple rules, each of their associated + limits get applied, so a + + single request might increase the rate limit + counters for multiple rules + + if selected. The rate limit service will return a + logical OR of the individual + + rate limit decisions of all matching rules. For + example, if a request + + matches two rules, one rate limited and one not, the + final decision will be + + to rate limit the request. 
+ items: + description: >- + RateLimitRule defines the semantics for matching + attributes + + from the incoming requests, and setting limits for + them. + properties: + clientSelectors: + description: >- + ClientSelectors holds the list of select + conditions to select + + specific clients using attributes from the + traffic flow. + + All individual select conditions must hold + True for this rule + + and its limit to be applied. + + + If no client selectors are specified, the rule + applies to all traffic of + + the targeted Route. + + + If the policy targets a Gateway, the rule + applies to each Route of the Gateway. + + Please note that each Route has its own rate + limit counters. For example, + + if a Gateway has two Routes, and the policy + has a rule with limit 10rps, + + each Route will have its own 10rps limit. + items: + description: >- + RateLimitSelectCondition specifies the + attributes within the traffic flow that can + + be used to select a subset of clients to be + ratelimited. + + All the individual conditions must hold True + for the overall condition to hold True. + + And, at least one of headers or methods or + path or sourceCIDR or queryParams condition + must be specified. + properties: + headers: + description: >- + Headers is a list of request headers to + match. Multiple header values are ANDed + together, + + meaning, a request MUST match all the + specified headers. + items: + description: >- + HeaderMatch defines the match attributes + within the HTTP Headers of the request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the header. + type: boolean + name: + description: >- + Name of the HTTP header. + + The header name is case-insensitive + unless PreserveHeaderCase is set to + true. + + For example, "Foo" and "foo" are + considered the same header. 
+ maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. + enum: + - Exact + - RegularExpression + - Distinct + type: string + value: + description: >- + Value within the HTTP header. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the header. + maxLength: 1024 + type: string + required: + - name + type: object + maxItems: 16 + type: array + methods: + description: >- + Methods is a list of request methods to + match. Multiple method values are ORed + together, + + meaning, a request can match any one of + the specified methods. If not specified, + it matches all methods. + items: + description: >- + MethodMatch defines the matching + criteria for the HTTP method of a + request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + type: boolean + value: + description: Value specifies the HTTP method. + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + required: + - value + type: object + type: array + path: + description: >- + Path is the request path to match. + + Support Exact, PathPrefix and + RegularExpression match types. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + type: boolean + type: + default: PathPrefix + description: >- + Type specifies how to match against the + value of the path. + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value specifies the HTTP path. + maxLength: 1024 + type: string + required: + - value + type: object + queryParams: + description: >- + QueryParams is a list of query + parameters to match. 
Multiple query + parameter values are ANDed together, + + meaning, a request MUST match all the + specified query parameters. + items: + description: >- + QueryParamMatch defines the match + attributes within the query parameters + of the request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the query parameter. + type: boolean + name: + description: Name of the query parameter. + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the query parameter. + enum: + - Exact + - RegularExpression + - Distinct + type: string + value: + description: >- + Value of the query parameter. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the query parameter. + maxLength: 1024 + type: string + required: + - name + type: object + maxItems: 16 + type: array + sourceCIDR: + description: >- + SourceCIDR is the client IP Address + range to match on. + properties: + type: + default: Exact + enum: + - Exact + - Distinct + type: string + value: + description: >- + Value is the IP CIDR that represents the + range of Source IP Addresses of the + client. + + These could also be the intermediate + addresses through which the request has + flown through and is part of the + `X-Forwarded-For` header. + + For example, `192.168.0.1/32`, + `192.168.0.0/24`, `001:db8::/64`. 
+ maxLength: 256 + minLength: 1 + type: string + required: + - value + type: object + type: object + x-kubernetes-validations: + - message: >- + at least one of headers, methods, path, + sourceCIDR or queryParams must be + specified + rule: >- + has(self.headers) || has(self.methods) + || has(self.path) || + has(self.sourceCIDR) || + has(self.queryParams) + maxItems: 8 + type: array + cost: + description: >- + Cost specifies the cost of requests and + responses for the rule. + + + This is optional and if not specified, the + default behavior is to reduce the rate limit + counters by 1 on + + the request path and do not reduce the rate + limit counters on the response path. + properties: + request: + description: >- + Request specifies the number to reduce the + rate limit counters + + on the request path. If this is not + specified, the default behavior + + is to reduce the rate limit counters by 1. + + + When Envoy receives a request that matches + the rule, it tries to reduce the + + rate limit counters by the specified + number. If the counter doesn't have + + enough capacity, the request is rate + limited. + properties: + from: + description: >- + From specifies where to get the rate + limit cost. Currently, only "Number" and + "Metadata" are supported. + enum: + - Number + - Metadata + type: string + metadata: + description: >- + Metadata specifies the per-request + metadata to retrieve the usage number + from. + properties: + key: + description: >- + Key is the key to retrieve the usage + number from the filter metadata. + type: string + namespace: + description: >- + Namespace is the namespace of the + dynamic metadata. + type: string + required: + - key + - namespace + type: object + number: + description: >- + Number specifies the fixed usage number + to reduce the rate limit counters. + + Using zero can be used to only check the + rate limit counters without reducing + them. 
+ format: int64 + type: integer + required: + - from + type: object + x-kubernetes-validations: + - message: >- + only one of number or metadata can be + specified + rule: >- + !(has(self.number) && + has(self.metadata)) + response: + description: >- + Response specifies the number to reduce + the rate limit counters + + after the response is sent back to the + client or the request stream is closed. + + + The cost is used to reduce the rate limit + counters for the matching requests. + + Since the reduction happens after the + request stream is complete, the rate limit + + won't be enforced for the current request, + but for the subsequent matching requests. + + + This is optional and if not specified, the + rate limit counters are not reduced + + on the response path. + + + Currently, this is only supported for HTTP + Global Rate Limits. + properties: + from: + description: >- + From specifies where to get the rate + limit cost. Currently, only "Number" and + "Metadata" are supported. + enum: + - Number + - Metadata + type: string + metadata: + description: >- + Metadata specifies the per-request + metadata to retrieve the usage number + from. + properties: + key: + description: >- + Key is the key to retrieve the usage + number from the filter metadata. + type: string + namespace: + description: >- + Namespace is the namespace of the + dynamic metadata. + type: string + required: + - key + - namespace + type: object + number: + description: >- + Number specifies the fixed usage number + to reduce the rate limit counters. + + Using zero can be used to only check the + rate limit counters without reducing + them. + format: int64 + type: integer + required: + - from + type: object + x-kubernetes-validations: + - message: >- + only one of number or metadata can be + specified + rule: >- + !(has(self.number) && + has(self.metadata)) + type: object + limit: + description: >- + Limit holds the rate limit values. 
+ + This limit is applied for traffic flows when + the selectors + + compute to True, causing the request to be + counted towards the limit. + + The limit is enforced and the request is + ratelimited, i.e. a response with + + 429 HTTP status code is sent back to the + client when + + the selected requests have reached the limit. + properties: + requests: + type: integer + unit: + description: >- + RateLimitUnit specifies the intervals for + setting rate limits. + + Valid RateLimitUnit values are "Second", + "Minute", "Hour", "Day", "Month" and + "Year". + enum: + - Second + - Minute + - Hour + - Day + - Month + - Year + type: string + required: + - requests + - unit + type: object + shadowMode: + description: >- + ShadowMode indicates whether this rate-limit + rule runs in shadow mode. + + When enabled, all rate-limiting operations are + performed (cache lookups, + + counter updates, telemetry generation), but + the outcome is never enforced. + + The request always succeeds, even if the + configured limit is exceeded. + + + Only supported for Global Rate Limits. + type: boolean + shared: + description: >- + Shared determines whether this rate limit rule + applies across all the policy targets. + + If set to true, the rule is treated as a + common bucket and is shared across all policy + targets (xRoutes). + + Default: false. + type: boolean + required: + - limit + type: object + maxItems: 128 + type: array + required: + - rules + type: object + local: + description: Local defines local rate limit configuration. + properties: + rules: + description: >- + Rules are a list of RateLimit selectors and limits. + If a request matches + + multiple rules, the strictest limit is applied. For + example, if a request + + matches two rules, one with 10rps and one with + 20rps, the final limit will + + be based on the rule with 10rps. 
+ items: + description: >- + RateLimitRule defines the semantics for matching + attributes + + from the incoming requests, and setting limits for + them. + properties: + clientSelectors: + description: >- + ClientSelectors holds the list of select + conditions to select + + specific clients using attributes from the + traffic flow. + + All individual select conditions must hold + True for this rule + + and its limit to be applied. + + + If no client selectors are specified, the rule + applies to all traffic of + + the targeted Route. + + + If the policy targets a Gateway, the rule + applies to each Route of the Gateway. + + Please note that each Route has its own rate + limit counters. For example, + + if a Gateway has two Routes, and the policy + has a rule with limit 10rps, + + each Route will have its own 10rps limit. + items: + description: >- + RateLimitSelectCondition specifies the + attributes within the traffic flow that can + + be used to select a subset of clients to be + ratelimited. + + All the individual conditions must hold True + for the overall condition to hold True. + + And, at least one of headers or methods or + path or sourceCIDR or queryParams condition + must be specified. + properties: + headers: + description: >- + Headers is a list of request headers to + match. Multiple header values are ANDed + together, + + meaning, a request MUST match all the + specified headers. + items: + description: >- + HeaderMatch defines the match attributes + within the HTTP Headers of the request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the header. + type: boolean + name: + description: >- + Name of the HTTP header. + + The header name is case-insensitive + unless PreserveHeaderCase is set to + true. + + For example, "Foo" and "foo" are + considered the same header. 
+ maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. + enum: + - Exact + - RegularExpression + - Distinct + type: string + value: + description: >- + Value within the HTTP header. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the header. + maxLength: 1024 + type: string + required: + - name + type: object + maxItems: 16 + type: array + methods: + description: >- + Methods is a list of request methods to + match. Multiple method values are ORed + together, + + meaning, a request can match any one of + the specified methods. If not specified, + it matches all methods. + items: + description: >- + MethodMatch defines the matching + criteria for the HTTP method of a + request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + type: boolean + value: + description: Value specifies the HTTP method. + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + required: + - value + type: object + type: array + path: + description: >- + Path is the request path to match. + + Support Exact, PathPrefix and + RegularExpression match types. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + type: boolean + type: + default: PathPrefix + description: >- + Type specifies how to match against the + value of the path. + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value specifies the HTTP path. + maxLength: 1024 + type: string + required: + - value + type: object + queryParams: + description: >- + QueryParams is a list of query + parameters to match. 
Multiple query + parameter values are ANDed together, + + meaning, a request MUST match all the + specified query parameters. + items: + description: >- + QueryParamMatch defines the match + attributes within the query parameters + of the request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the query parameter. + type: boolean + name: + description: Name of the query parameter. + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the query parameter. + enum: + - Exact + - RegularExpression + - Distinct + type: string + value: + description: >- + Value of the query parameter. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the query parameter. + maxLength: 1024 + type: string + required: + - name + type: object + maxItems: 16 + type: array + sourceCIDR: + description: >- + SourceCIDR is the client IP Address + range to match on. + properties: + type: + default: Exact + enum: + - Exact + - Distinct + type: string + value: + description: >- + Value is the IP CIDR that represents the + range of Source IP Addresses of the + client. + + These could also be the intermediate + addresses through which the request has + flown through and is part of the + `X-Forwarded-For` header. + + For example, `192.168.0.1/32`, + `192.168.0.0/24`, `001:db8::/64`. 
+ maxLength: 256 + minLength: 1 + type: string + required: + - value + type: object + type: object + x-kubernetes-validations: + - message: >- + at least one of headers, methods, path, + sourceCIDR or queryParams must be + specified + rule: >- + has(self.headers) || has(self.methods) + || has(self.path) || + has(self.sourceCIDR) || + has(self.queryParams) + maxItems: 8 + type: array + cost: + description: >- + Cost specifies the cost of requests and + responses for the rule. + + + This is optional and if not specified, the + default behavior is to reduce the rate limit + counters by 1 on + + the request path and do not reduce the rate + limit counters on the response path. + properties: + request: + description: >- + Request specifies the number to reduce the + rate limit counters + + on the request path. If this is not + specified, the default behavior + + is to reduce the rate limit counters by 1. + + + When Envoy receives a request that matches + the rule, it tries to reduce the + + rate limit counters by the specified + number. If the counter doesn't have + + enough capacity, the request is rate + limited. + properties: + from: + description: >- + From specifies where to get the rate + limit cost. Currently, only "Number" and + "Metadata" are supported. + enum: + - Number + - Metadata + type: string + metadata: + description: >- + Metadata specifies the per-request + metadata to retrieve the usage number + from. + properties: + key: + description: >- + Key is the key to retrieve the usage + number from the filter metadata. + type: string + namespace: + description: >- + Namespace is the namespace of the + dynamic metadata. + type: string + required: + - key + - namespace + type: object + number: + description: >- + Number specifies the fixed usage number + to reduce the rate limit counters. + + Using zero can be used to only check the + rate limit counters without reducing + them. 
+ format: int64 + type: integer + required: + - from + type: object + x-kubernetes-validations: + - message: >- + only one of number or metadata can be + specified + rule: >- + !(has(self.number) && + has(self.metadata)) + response: + description: >- + Response specifies the number to reduce + the rate limit counters + + after the response is sent back to the + client or the request stream is closed. + + + The cost is used to reduce the rate limit + counters for the matching requests. + + Since the reduction happens after the + request stream is complete, the rate limit + + won't be enforced for the current request, + but for the subsequent matching requests. + + + This is optional and if not specified, the + rate limit counters are not reduced + + on the response path. + + + Currently, this is only supported for HTTP + Global Rate Limits. + properties: + from: + description: >- + From specifies where to get the rate + limit cost. Currently, only "Number" and + "Metadata" are supported. + enum: + - Number + - Metadata + type: string + metadata: + description: >- + Metadata specifies the per-request + metadata to retrieve the usage number + from. + properties: + key: + description: >- + Key is the key to retrieve the usage + number from the filter metadata. + type: string + namespace: + description: >- + Namespace is the namespace of the + dynamic metadata. + type: string + required: + - key + - namespace + type: object + number: + description: >- + Number specifies the fixed usage number + to reduce the rate limit counters. + + Using zero can be used to only check the + rate limit counters without reducing + them. + format: int64 + type: integer + required: + - from + type: object + x-kubernetes-validations: + - message: >- + only one of number or metadata can be + specified + rule: >- + !(has(self.number) && + has(self.metadata)) + type: object + limit: + description: >- + Limit holds the rate limit values. 
+ + This limit is applied for traffic flows when + the selectors + + compute to True, causing the request to be + counted towards the limit. + + The limit is enforced and the request is + ratelimited, i.e. a response with + + 429 HTTP status code is sent back to the + client when + + the selected requests have reached the limit. + properties: + requests: + type: integer + unit: + description: >- + RateLimitUnit specifies the intervals for + setting rate limits. + + Valid RateLimitUnit values are "Second", + "Minute", "Hour", "Day", "Month" and + "Year". + enum: + - Second + - Minute + - Hour + - Day + - Month + - Year + type: string + required: + - requests + - unit + type: object + shadowMode: + description: >- + ShadowMode indicates whether this rate-limit + rule runs in shadow mode. + + When enabled, all rate-limiting operations are + performed (cache lookups, + + counter updates, telemetry generation), but + the outcome is never enforced. + + The request always succeeds, even if the + configured limit is exceeded. + + + Only supported for Global Rate Limits. + type: boolean + shared: + description: >- + Shared determines whether this rate limit rule + applies across all the policy targets. + + If set to true, the rule is treated as a + common bucket and is shared across all policy + targets (xRoutes). + + Default: false. + type: boolean + required: + - limit + type: object + maxItems: 16 + type: array + x-kubernetes-validations: + - message: >- + response cost is not supported for Local Rate + Limits + rule: >- + self.all(foo, !has(foo.cost) || + !has(foo.cost.response)) + - message: >- + shadow mode is not supported for Local Rate + Limits + rule: self.all(foo, !has(foo.shadowMode)) + type: object + type: + description: >- + Type decides the scope for the RateLimits. + + Valid RateLimitType values are "Global" or "Local". + + + Deprecated: Use Global and/or Local fields directly + instead. Both can be specified simultaneously for + combined rate limiting. 
+ enum: + - Global + - Local + type: string + type: object + requestBuffer: + description: >- + RequestBuffer allows the gateway to buffer and fully receive + each request from a client before continuing to send the + request + + upstream to the backends. This can be helpful to shield your + backend servers from slow clients, and also to enforce a + maximum size per request + + as any requests larger than the buffer size will be + rejected. + + + This can have a negative performance impact so should only + be enabled when necessary. + + + When enabling this option, you should also configure your + connection buffer size to account for these request buffers. + There will also be an + + increase in memory usage for Envoy that should be accounted + for in your deployment settings. + properties: + limit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + Limit specifies the maximum allowed size in bytes for + each incoming request buffer. + + If exceeded, the request will be rejected with HTTP 413 + Content Too Large. + + + Accepts values in resource.Quantity format (e.g., + "10Mi", "500Ki"). + x-kubernetes-int-or-string: true + type: object + responseOverride: + description: >- + ResponseOverride defines the configuration to override + specific responses with a custom one. + + If multiple configurations are specified, the first one to + match wins. + items: + description: >- + ResponseOverride defines the configuration to override + specific responses with a custom one. + properties: + match: + description: Match configuration. + properties: + statusCodes: + description: >- + Status code to match on. The match evaluates to + true if any of the matches are successful. + items: + description: >- + StatusCodeMatch defines the configuration for + matching a status code. 
+ properties: + range: + description: Range contains the range of status codes. + properties: + end: + description: >- + End of the range, including the end + value. + type: integer + start: + description: >- + Start of the range, including the start + value. + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: end must be greater than start + rule: self.end > self.start + type: + allOf: + - enum: + - Value + - Range + - enum: + - Value + - Range + default: Value + description: >- + Type is the type of value. + + Valid values are Value and Range, default is + Value. + type: string + value: + description: Value contains the value of the status code. + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: value must be set for type Value + rule: >- + (!has(self.type) || self.type == 'Value')? + has(self.value) : true + - message: range must be set for type Range + rule: >- + (has(self.type) && self.type == 'Range')? + has(self.range) : true + maxItems: 50 + minItems: 1 + type: array + required: + - statusCodes + type: object + redirect: + description: Redirect configuration + properties: + hostname: + description: >- + Hostname is the hostname to be used in the value + of the `Location` + + header in the response. + + When empty, the hostname in the `Host` header of + the request is used. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify the path of + the incoming request. + + The modified path is then used to construct the + `Location` header. When + + empty, the request path is used as-is. + + Only ReplaceFullPath path modifier is supported + currently. + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with which + to replace the full path + + of a request during a rewrite or redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value with + which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of "/foo" + and a ReplacePrefixMatch + + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the + PathPrefix match type. This + + matches full path elements. A path element + refers to the list of labels + + in the path split by the `/` separator. When + specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path `/abcd` + would not. + + + ReplacePrefixMatch is only compatible with a + `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on the + same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | + Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not cause + a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + only ReplaceFullPath is supported for + path.type + rule: self.type == 'ReplaceFullPath' + - message: >- + replaceFullPath must be specified when type is + set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? 
+ has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified when type + is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type == + 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value of the + `Location` + + header in the response. + + + If redirect scheme is not-empty, the well-known + port associated with the redirect scheme will be + used. + + Specifically "http" to port 80 and "https" to port + 443. If the redirect scheme does not have a + + well-known port or redirect scheme is empty, the + listener port of the Gateway will be used. + + + Port will not be added in the 'Location' header if + scheme is HTTP and port is 80 + + or scheme is HTTPS and port is 443. + format: int32 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the value of + the `Location` header in + + the response. When empty, the scheme of the + request is used. + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be used in + response. + enum: + - 301 + - 302 + type: integer + type: object + response: + description: Response configuration. + properties: + body: + description: >- + Body of the Custom Response + + Supports Envoy command operators for dynamic + content (see + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators). + properties: + inline: + description: Inline contains the value as an inline string. 
+ type: string + type: + allOf: + - enum: + - Inline + - ValueRef + - enum: + - Inline + - ValueRef + default: Inline + description: >- + Type is the type of method to use to read the + body value. + + Valid values are Inline and ValueRef, default + is Inline. + type: string + valueRef: + description: >- + ValueRef contains the contents of the body + + specified as a local object reference. + + Only a reference to ConfigMap is supported. + + + The value of key `response.body` in the + ConfigMap will be used as the response body. + + If the key is not found, the first value in + the ConfigMap will be used. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: inline must be set for type Inline + rule: >- + (!has(self.type) || self.type == 'Inline')? + has(self.inline) : true + - message: valueRef must be set for type ValueRef + rule: >- + (has(self.type) && self.type == 'ValueRef')? + has(self.valueRef) : true + - message: only ConfigMap is supported for ValueRef + rule: >- + has(self.valueRef) ? self.valueRef.kind == + 'ConfigMap' : true + contentType: + description: >- + Content Type of the response. This will be set in + the Content-Type header. + type: string + header: + description: >- + Header defines headers to add, set or remove from + the response. 
+ + This allows the response policy to append, add or + override headers + + of the final response before it is sent to a + downstream client. + + Note: Header removal is not supported for + responseOverride. + properties: + add: + description: >- + Add adds the given header(s) (name, value) to + the request + + before the action. It appends to any existing + values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + x-kubernetes-validations: + - message: >- + Remove is not supported for header in + CustomResponse + rule: '!has(self.remove) || size(self.remove) == 0' + statusCode: + description: >- + Status Code of the Custom Response + + If unset, does not override the status of + response. 
+ type: integer + type: object + required: + - match + type: object + x-kubernetes-validations: + - message: exactly one of response or redirect must be specified + rule: >- + (has(self.response) && !has(self.redirect)) || + (!has(self.response) && has(self.redirect)) + type: array + retry: + description: >- + Retry provides more advanced usage, allowing users to + customize the number of retries, retry fallback strategy, + and retry triggering conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of requests + (initial attempt + retries) + + that should be sent to the same priority before + switching to a different one. + + If not specified or set to 0, all requests are sent to + the highest priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be attempted. + Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied per retry + attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be applied per + retry attempt. gateway uses a fully jittered + exponential + + back-off algorithm for retries. For additional + details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval between + retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval between + retries. This parameter is optional, but must be + greater than or equal to the base_interval if + set. 
+ + The default is 10 times the base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: Timeout is the timeout per retry attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http status codes to + be retried. + + The retriable-status-codes trigger must also be + configured for these status codes to trigger a + retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions that trigger + retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + routingType: + description: >- + RoutingType can be set to "Service" to use the Service + Cluster IP for routing to the backend, + + or it can be set to "Endpoint" to use Endpoint routing. + + When specified, this overrides the EnvoyProxy-level setting + for the relevant targeRefs. + + If not specified, the EnvoyProxy-level setting is used. + type: string + targetRef: + description: >- + TargetRef is the name of the resource this policy is being + attached to. 
+ + This policy and the TargetRef MUST be in the same namespace + for this + + Policy to have effect + + + Deprecated: use targetRefs/targetSelectors instead + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire resource. + In the following + + resources, SectionName is interpreted as the following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on the + targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + targetRefs: + description: >- + TargetRefs are the names of the Gateway resources this + policy + + is being attached to. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. 
+ + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + type: array + targetSelectors: + description: >- + TargetSelectors allow targeting resources for this policy + based on labels + items: + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group that this selector targets. + Defaults to gateway.networking.k8s.io + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the resource kind that this selector targets. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + matchExpressions: + description: >- + MatchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector applies + to. + type: string + operator: + description: >- + operator represents a key's relationship to a + set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + MatchLabels are the set of label selectors for + identifying the targeted resource + type: object + required: + - kind + type: object + x-kubernetes-validations: + - message: group must be gateway.networking.k8s.io + rule: >- + has(self.group) ? self.group == + 'gateway.networking.k8s.io' : true + type: array + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the upstream client + connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle before + keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to send before + deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + telemetry: + description: >- + Telemetry configures the telemetry settings for the policy + target (Gateway or xRoute). + + This will override the telemetry settings in the EnvoyProxy + resource. + properties: + metrics: + description: >- + Metrics defines metrics configuration for the backend or + Route. + properties: + routeStatName: + description: >- + RouteStatName defines the value of the Route + stat_prefix, determining how the route stats are + named. + + For more details, see envoy docs: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-route + + The supported operators for this pattern are: + + %ROUTE_NAME%: name of Gateway API xRoute resource + + %ROUTE_NAMESPACE%: namespace of Gateway API xRoute + resource + + %ROUTE_KIND%: kind of Gateway API xRoute resource + + Example: %ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME% + => httproute/my-ns/my-route + + Disabled by default. + type: string + type: object + tracing: + description: >- + Tracing configures the tracing settings for the backend + or HTTPRoute. + + + This takes precedence over EnvoyProxy tracing when set. + properties: + customTags: + additionalProperties: + properties: + environment: + description: >- + Environment adds value from environment + variable to each span. + + It's required when the type is "Environment". + properties: + defaultValue: + description: >- + DefaultValue defines the default value to + use if the environment variable is not + set. + type: string + name: + description: >- + Name defines the name of the environment + variable which to extract the value from. 
+ type: string + required: + - name + type: object + literal: + description: |- + Literal adds hard-coded value to each span. + It's required when the type is "Literal". + properties: + value: + description: >- + Value defines the hard-coded value to add + to each span. + type: string + required: + - value + type: object + requestHeader: + description: >- + RequestHeader adds value from request header + to each span. + + It's required when the type is + "RequestHeader". + properties: + defaultValue: + description: >- + DefaultValue defines the default value to + use if the request header is not set. + type: string + name: + description: >- + Name defines the name of the request + header which to extract the value from. + type: string + required: + - name + type: object + type: + default: Literal + description: Type defines the type of custom tag. + enum: + - Literal + - Environment + - RequestHeader + type: string + required: + - type + type: object + description: >- + CustomTags defines the custom tags to add to each + span. + + If provider is kubernetes, pod name and namespace + are added by default. + + + Deprecated: Use Tags instead. + type: object + samplingFraction: + description: >- + SamplingFraction represents the fraction of requests + that should be + + selected for tracing if no prior sampling decision + has been made. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + spanName: + description: >- + SpanName defines the name of the span which will be + used for tracing. + + Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + may be used in the value. 
+ + The [format string + documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + + If not set, the span name is provider specific. + + e.g. Datadog use `ingress` as the default client + span name, + + and `router egress` as the server + span name. + properties: + client: + description: >- + Client defines operation name of the span which + will be used for tracing. + type: string + server: + description: >- + Server defines the operation name of the + upstream span which will be used for tracing. + type: string + required: + - client + - server + type: object + tags: + additionalProperties: + type: string + description: >- + Tags defines the custom tags to add to each span. + + Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + may be used in the value. + + The [format string + documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + If provider is kubernetes, pod name and namespace + are added by default. + + + Same keys take precedence over CustomTags. + type: object + type: object + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. Idle time + is defined as a period in which there are no active + requests in the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum duration for a + stream to complete. This timeout measures the time + + from when the request is sent until the response + stream is fully consumed and does not apply to + + non-streaming requests. + + When set to "0s", no max duration is applied and + streams can run indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which entire + response is received from the upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection establishment, + including TCP and TLS handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + useClientProtocol: + description: >- + UseClientProtocol configures Envoy to prefer sending + requests to backends using + + the same HTTP protocol that the incoming request used. + Defaults to false, which means + + that Envoy will use the protocol indicated by the attached + BackendRef. + type: boolean + type: object + x-kubernetes-validations: + - message: either targetRef or targetRefs must be used + rule: >- + (has(self.targetRef) && !has(self.targetRefs)) || + (!has(self.targetRef) && has(self.targetRefs)) || + (has(self.targetSelectors) && self.targetSelectors.size() > + 0) + - message: >- + this policy can only have a targetRef.group of + gateway.networking.k8s.io + rule: >- + has(self.targetRef) ? self.targetRef.group == + 'gateway.networking.k8s.io' : true + - message: >- + this policy can only have a targetRef.kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute + rule: >- + has(self.targetRef) ? 
self.targetRef.kind in ['Gateway', + 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', + 'TLSRoute'] : true + - message: >- + this policy can only have a targetRefs[*].group of + gateway.networking.k8s.io + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == + 'gateway.networking.k8s.io') : true + - message: >- + this policy can only have a targetRefs[*].kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in + ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', + 'TCPRoute', 'TLSRoute']) : true + - message: either compression or compressor can be set, not both + rule: '!has(self.compression) || !has(self.compressor)' + - message: >- + predictivePercent in preconnect policy only works with + RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && has(self.connection.preconnect) + && has(self.connection.preconnect.predictivePercent)) && + !(has(self.loadBalancer) && has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', 'RoundRobin'])) + status: + description: status defines the current status of BackendTrafficPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. 
+ Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. 
For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. 
+ + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. 
+ + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. 
For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. 
+ * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. 
+ enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/certificaterequests.cert-manager.io.yaml b/_/CustomResourceDefinition/certificaterequests.cert-manager.io.yaml index 24b6ff3..2da8e59 100644 --- a/_/CustomResourceDefinition/certificaterequests.cert-manager.io.yaml +++ b/_/CustomResourceDefinition/certificaterequests.cert-manager.io.yaml 
@@ -1,13 +1,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + annotations: + controller-gen.kubebuilder.io/version: v0.20.1 name: certificaterequests.cert-manager.io spec: group: cert-manager.io @@ -24,22 +19,22 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Approved")].status + - jsonPath: .status.conditions[?(@.type == "Approved")].status name: Approved type: string - - jsonPath: .status.conditions[?(@.type=="Denied")].status + - jsonPath: .status.conditions[?(@.type == "Denied")].status name: Denied type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready type: string - jsonPath: .spec.issuerRef.name name: Issuer type: string - jsonPath: .spec.username - name: Requestor + name: Requester type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message + - jsonPath: .status.conditions[?(@.type == "Ready")].message name: Status priority: 1 type: string 
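Review bot: The first hunk here replaces the CRD's `labels:` block (`app.kubernetes.io/*`, `helm.sh/chart`) with a single `controller-gen.kubebuilder.io/version` annotation, and the certificates.cert-manager.io hunk at the same position does the same, so the cert-manager CRDs no longer carry the Helm labels the other cert-manager objects are selected by. This reads as if the CRDs were taken from upstream's static CRD bundle rather than rendered from the chart; if that is intended it deserves a sentence in the commit description, and anything that lists or prunes cert-manager resources via `app.kubernetes.io/instance=cert-manager` will now skip the CRDs. After the first rollout it is also worth confirming that the removed labels are gone from the live objects, since labels dropped from a manifest are only pruned when the applying field manager owns them.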
@@ -56,23 +51,50 @@ spec: openAPIV3Schema: description: >- A CertificateRequest is used to request a signed certificate from - one of the configured issuers. - All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field. - A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used. + one of the + + configured issuers. + + + All fields within the CertificateRequest's `spec` are immutable + after creation. + + A CertificateRequest will either succeed or fail, as denoted by its + `Ready` status + + condition and its `status.failureTime` field. + + + A CertificateRequest is a one-shot resource, meaning it represents a + single + + point in time request for a certificate and cannot be re-used. properties: apiVersion: description: >- APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the - latest internal value, and may reject unrecognized values. More - info: + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: >- Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the - client submits requests to. Cannot be updated. In CamelCase. + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string 
@@ -82,13 +104,18 @@ spec: description: >- Specification of the desired state of the CertificateRequest resource. + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: duration: description: >- Requested 'duration' (i.e. lifetime) of the Certificate. - Note that the issuer may choose to ignore the requested - duration, just like any other requested attribute. + Note that the + + issuer may choose to ignore the requested duration, just + like any other + + requested attribute. type: string extra: additionalProperties: @@ -97,14 +124,18 @@ spec: type: array description: >- Extra contains extra attributes of the user that created the - CertificateRequest. Populated by the cert-manager webhook on - creation and immutable. + CertificateRequest. + + Populated by the cert-manager webhook on creation and + immutable. type: object groups: description: >- Groups contains group membership of the user that created - the CertificateRequest. Populated by the cert-manager - webhook on creation and immutable. + the CertificateRequest. + + Populated by the cert-manager webhook on creation and + immutable. items: type: string type: array 
@@ -112,27 +143,51 @@ spec: isCA: description: >- Requested basic constraints isCA value. Note that the issuer - may choose to ignore the requested isCA value, just like any - other requested attribute. - NOTE: If the CSR in the `Request` field has a BasicConstraints extension, it must have the same isCA value as specified here. - If true, this will automatically add the `cert sign` usage to the list of requested `usages`. + may choose + + to ignore the requested isCA value, just like any other + requested attribute. + + + NOTE: If the CSR in the `Request` field has a + BasicConstraints extension, + + it must have the same isCA value as specified here. + + + If true, this will automatically add the `cert sign` usage + to the list + + of requested `usages`. type: boolean issuerRef: description: >- Reference to the issuer responsible for issuing the - certificate. If the issuer is namespace-scoped, it must be - in the same namespace as the Certificate. If the issuer is - cluster-scoped, it can be used from any namespace. - The `name` field of the reference must always be specified. + certificate. + + If the issuer is namespace-scoped, it must be in the same + namespace + + as the Certificate. If the issuer is cluster-scoped, it can + be used + + from any namespace. + + + The `name` field of the reference must always be specified. properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name 
@@ -140,27 +195,85 @@ spec: request: description: >- The PEM-encoded X.509 certificate signing request to be - submitted to the issuer for signing. - If the CSR has a BasicConstraints extension, its isCA attribute must match the `isCA` value of this CertificateRequest. If the CSR has a KeyUsage extension, its key usages must match the key usages in the `usages` field of this CertificateRequest. If the CSR has a ExtKeyUsage extension, its extended key usages must match the extended key usages in the `usages` field of this CertificateRequest. + submitted to the + + issuer for signing. + + + If the CSR has a BasicConstraints extension, its isCA + attribute must + + match the `isCA` value of this CertificateRequest. + + If the CSR has a KeyUsage extension, its key usages must + match the + + key usages in the `usages` field of this CertificateRequest. + + If the CSR has a ExtKeyUsage extension, its extended key + usages + + must match the extended key usages in the `usages` field of + this + + CertificateRequest. format: byte type: string uid: description: >- UID contains the uid of the user that created the - CertificateRequest. Populated by the cert-manager webhook on - creation and immutable. + CertificateRequest. + + Populated by the cert-manager webhook on creation and + immutable. type: string usages: - description: |- - Requested key usages and extended key usages. - NOTE: If the CSR in the `Request` field has uses the KeyUsage or ExtKeyUsage extension, these extensions must have the same values as specified here without any additional values. - If unset, defaults to `digital signature` and `key encipherment`. + description: >- + Requested key usages and extended key usages. + + + NOTE: If the CSR in the `Request` field has uses the + KeyUsage or + + ExtKeyUsage extension, these extensions must have the same + values + + as specified here without any additional values. + + + If unset, defaults to `digital signature` and `key + encipherment`. 
items: - description: >- - KeyUsage specifies valid usage contexts for keys. See: + description: |- + KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" + https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + + Valid KeyUsage values are as follows: + "signing", + "digital signature", + "content commitment", + "key encipherment", + "key agreement", + "data encipherment", + "cert sign", + "crl sign", + "encipher only", + "decipher only", + "any", + "server auth", + "client auth", + "code signing", + "email protection", + "s/mime", + "ipsec end system", + "ipsec tunnel", + "ipsec user", + "timestamping", + "ocsp signing", + "microsoft sgc", + "netscape sgc" enum: - signing - digital signature @@ -187,11 +300,14 @@ spec: - netscape sgc type: string type: array + x-kubernetes-list-type: atomic username: description: >- Username contains the name of the user that created the - CertificateRequest. Populated by the cert-manager webhook on - creation and immutable. + CertificateRequest. + + Populated by the cert-manager webhook on creation and + immutable. type: string required: - issuerRef 
@@ -199,32 +315,50 @@ spec: type: object status: description: >- - Status of the CertificateRequest. This is set and managed - automatically. Read-only. More info: + Status of the CertificateRequest. + + This is set and managed automatically. + + Read-only. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: ca: description: >- The PEM encoded X.509 certificate of the signer, also known - as the CA (Certificate Authority). This is set on a - best-effort basis by different issuers. If not set, the CA - is assumed to be unknown/not available. + as the CA + + (Certificate Authority). + + This is set on a best-effort basis by different issuers. + + If not set, the CA is assumed to be unknown/not available. format: byte type: string certificate: description: >- The PEM encoded X.509 certificate resulting from the - certificate signing request. If not set, the - CertificateRequest has either not been completed or has + certificate + + signing request. + + If not set, the CertificateRequest has either not been + completed or has + failed. More information on failure can be found by checking - the `conditions` field. + the + + `conditions` field. format: byte type: string conditions: description: >- List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`, - `InvalidRequest`, `Approved` and `Denied`. + CertificateRequest. + + Known condition types are `Ready`, `InvalidRequest`, + `Approved` and `Denied`. items: description: >- CertificateRequestCondition contains condition information 
@@ -233,18 +367,24 @@ spec: lastTransitionTime: description: >- LastTransitionTime is the timestamp corresponding to - the last status change of this condition. + the last status + + change of this condition. format: date-time type: string message: description: >- Message is a human readable description of the details - of the last transition, complementing reason. + of the last + + transition, complementing reason. type: string reason: description: >- Reason is a brief machine readable explanation for the - condition's last transition. + condition's last + + transition. type: string status: description: >- @@ -258,7 +398,9 @@ spec: type: description: >- Type of the condition, known values are (`Ready`, - `InvalidRequest`, `Approved`, `Denied`). + `InvalidRequest`, + + `Approved`, `Denied`). type: string required: - status @@ -271,12 +413,17 @@ spec: failureTime: description: >- FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and - back-off. + failed. This is + + used to influence garbage collection and back-off. format: date-time type: string type: object type: object + selectableFields: + - jsonPath: .spec.issuerRef.group + - jsonPath: .spec.issuerRef.kind + - jsonPath: .spec.issuerRef.name served: true storage: true subresources: diff --git a/_/CustomResourceDefinition/certificates.cert-manager.io.yaml b/_/CustomResourceDefinition/certificates.cert-manager.io.yaml index 4423c39..bf0cac3 100644 --- a/_/CustomResourceDefinition/certificates.cert-manager.io.yaml +++ b/_/CustomResourceDefinition/certificates.cert-manager.io.yaml 
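Review bot: The `selectableFields` stanza added at the end of the last hunk is only honoured by API servers with the `CustomResourceFieldSelectors` feature (gated in Kubernetes 1.30 and, as far as I recall, on by default from 1.31); on an older server the field is presumably dropped or rejected at apply time, so the target cluster version should be checked against what cert-manager v1.20.2 supports before this rolls out. The same stanza is likely present in the other cert-manager CRDs in this commit, so a single check covers them all.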
@@ -1,13 +1,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + annotations: + controller-gen.kubebuilder.io/version: v0.20.1 name: certificates.cert-manager.io spec: group: cert-manager.io @@ -24,7 +19,7 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready type: string - jsonPath: .spec.secretName @@ -34,7 +29,7 @@ spec: name: Issuer priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message + - jsonPath: .status.conditions[?(@.type == "Ready")].message name: Status priority: 1 type: string 
@@ -51,23 +46,40 @@ spec: openAPIV3Schema: description: >- A Certificate resource should be created to ensure an up to date and - signed X.509 certificate is stored in the Kubernetes Secret resource - named in `spec.secretName`. - The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`). + signed + + X.509 certificate is stored in the Kubernetes Secret resource named + in `spec.secretName`. + + + The stored certificate will be renewed before it expires (as + configured by `spec.renewBefore`). properties: apiVersion: description: >- APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the - latest internal value, and may reject unrecognized values. More - info: + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: >- Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the - client submits requests to. Cannot be updated. In CamelCase. + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string 
@@ -76,25 +88,31 @@ spec: spec: description: >- Specification of the desired state of the Certificate resource. + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: additionalOutputFormats: description: >- Defines extra output formats of the private key and signed - certificate chain to be written to this Certificate's target - Secret. - This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option set on both the controller and webhook components. + certificate chain + + to be written to this Certificate's target Secret. items: description: >- CertificateAdditionalOutputFormat defines an additional - output format of a Certificate resource. These contain - supplementary data formats of the signed certificate chain - and paired private key. + output format of a + + Certificate resource. These contain supplementary data + formats of the signed + + certificate chain and paired private key. properties: type: description: >- Type is the name of the format type that should be - written to the Certificate's target Secret. + written to the + + Certificate's target Secret. enum: - DER - CombinedPEM 
@@ -103,69 +121,119 @@ spec: - type type: object type: array + x-kubernetes-list-type: atomic commonName: description: >- Requested common name X509 certificate subject attribute. + More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + NOTE: TLS clients will ignore this value when any subject - alternative name is set (see - https://tools.ietf.org/html/rfc6125#section-6.4.4). - Should have a length of 64 characters or fewer to avoid generating invalid CSRs. Cannot be set if the `literalSubject` field is set. + alternative name is + + set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). + + + Should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + + Cannot be set if the `literalSubject` field is set. type: string dnsNames: description: Requested DNS subject alternative names. items: type: string type: array + x-kubernetes-list-type: atomic duration: description: >- Requested 'duration' (i.e. lifetime) of the Certificate. - Note that the issuer may choose to ignore the requested - duration, just like any other requested attribute. - If unset, this defaults to 90 days. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. + Note that the + + issuer may choose to ignore the requested duration, just + like any other + + requested attribute. + + + If unset, this defaults to 90 days. + + Minimum accepted duration is 1 hour. + + Value must be in units accepted by Go time.ParseDuration + https://golang.org/pkg/time/#ParseDuration. type: string emailAddresses: description: Requested email subject alternative names. items: type: string type: array + x-kubernetes-list-type: atomic encodeUsagesInRequest: description: >- Whether the KeyUsage and ExtKeyUsage extensions should be - set in the encoded CSR. 
- This option defaults to true, and should only be disabled if the target issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. + set in the encoded CSR. + + + This option defaults to true, and should only be disabled if + the target + + issuer does not support CSRs with these X509 KeyUsage/ + ExtKeyUsage extensions. type: boolean ipAddresses: description: Requested IP address subject alternative names. items: type: string type: array + x-kubernetes-list-type: atomic isCA: description: >- - Requested basic constraints isCA value. The isCA value is - used to set the `isCA` field on the created - CertificateRequest resources. Note that the issuer may - choose to ignore the requested isCA value, just like any - other requested attribute. - If true, this will automatically add the `cert sign` usage to the list of requested `usages`. + Requested basic constraints isCA value. + + The isCA value is used to set the `isCA` field on the + created CertificateRequest + + resources. Note that the issuer may choose to ignore the + requested isCA value, just + + like any other requested attribute. + + + If true, this will automatically add the `cert sign` usage + to the list + + of requested `usages`. type: boolean issuerRef: description: >- Reference to the issuer responsible for issuing the - certificate. If the issuer is namespace-scoped, it must be - in the same namespace as the Certificate. If the issuer is - cluster-scoped, it can be used from any namespace. - The `name` field of the reference must always be specified. + certificate. + + If the issuer is namespace-scoped, it must be in the same + namespace + + as the Certificate. If the issuer is cluster-scoped, it can + be used + + from any namespace. + + + The `name` field of the reference must always be specified. properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. 
type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name 
@@ -176,40 +244,81 @@ spec: Certificate's Secret. properties: jks: - description: >- + description: |- JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. properties: + alias: + description: >- + Alias specifies the alias of the key in the + keystore, required by the JKS format. + + If not provided, the default alias `certificate` + will be used. + type: string create: description: >- Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` - will be created in the target Secret resource, - encrypted using the password stored in - `passwordSecretRef`. The keystore file will be - updated immediately. If the issuer provided a CA - certificate, a file named `truststore.jks` will also - be created in the target Secret resource, encrypted - using the password stored in `passwordSecretRef` + Certificate. + + If true, a file named `keystore.jks` will be created + in the target + + Secret resource, encrypted using the password stored + in + + `passwordSecretRef` or `password`. + + The keystore file will be updated immediately. + + If the issuer provided a CA certificate, a file + named `truststore.jks` + + will also be created in the target Secret resource, + encrypted using the + + password stored in `passwordSecretRef` + containing the issuing Certificate Authority type: boolean + password: + description: >- + Password provides a literal password used to encrypt + the JKS keystore. + + Mutually exclusive with passwordSecretRef. + + One of password or passwordSecretRef must provide a + password with a non-zero length. + type: string passwordSecretRef: description: >- - PasswordSecretRef is a reference to a key in a - Secret resource containing the password used to - encrypt the JKS keystore. + PasswordSecretRef is a reference to a non-empty key + in a Secret resource + + containing the password used to encrypt the JKS + keystore. + + Mutually exclusive with password. 
+ + One of password or passwordSecretRef must provide a + password with a non-zero length. properties: key: description: >- The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -217,77 +326,309 @@ spec: type: object required: - create - - passwordSecretRef type: object pkcs12: description: >- PKCS12 configures options for storing a PKCS12 keystore - in the `spec.secretName` Secret resource. + in the + + `spec.secretName` Secret resource. properties: create: description: >- Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` - will be created in the target Secret resource, - encrypted using the password stored in - `passwordSecretRef`. The keystore file will be - updated immediately. If the issuer provided a CA - certificate, a file named `truststore.p12` will also - be created in the target Secret resource, encrypted - using the password stored in `passwordSecretRef` - containing the issuing Certificate Authority + Certificate. + + If true, a file named `keystore.p12` will be created + in the target + + Secret resource, encrypted using the password stored + in + + `passwordSecretRef` or in `password`. + + The keystore file will be updated immediately. + + If the issuer provided a CA certificate, a file + named `truststore.p12` will + + also be created in the target Secret resource, + encrypted using the + + password stored in `passwordSecretRef` containing + the issuing Certificate + + Authority type: boolean + password: + description: >- + Password provides a literal password used to encrypt + the PKCS#12 keystore. + + Mutually exclusive with passwordSecretRef. + + One of password or passwordSecretRef must provide a + password with a non-zero length. + type: string passwordSecretRef: description: >- - PasswordSecretRef is a reference to a key in a - Secret resource containing the password used to - encrypt the PKCS12 keystore. + PasswordSecretRef is a reference to a non-empty key + in a Secret resource + + containing the password used to encrypt the PKCS#12 + keystore. + + Mutually exclusive with password. 
+ + One of password or passwordSecretRef must provide a + password with a non-zero length. properties: key: description: >- The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: - name type: object + profile: + description: >- + Profile specifies the key and certificate encryption + algorithms and the HMAC algorithm + + used to create the PKCS12 keystore. Default value is + `LegacyRC2` for backward compatibility. + + + If provided, allowed values are: + + `LegacyRC2`: Deprecated. Not supported by default in + OpenSSL 3 or Java 20. + + `LegacyDES`: Less secure algorithm. Use this option + for maximal compatibility. + + `Modern2023`: Secure algorithm. Use this option in + case you have to always use secure algorithms + + (e.g., because of company policy). Please note that + the security of the algorithm is not that important + + in reality, because the unencrypted certificate and + private key are also stored in the Secret. + enum: + - LegacyRC2 + - LegacyDES + - Modern2023 + type: string required: - create - - passwordSecretRef type: object type: object literalSubject: description: >- Requested X.509 certificate subject, represented using the - LDAP "String Representation of a Distinguished Name" [1]. + LDAP "String + + Representation of a Distinguished Name" [1]. + Important: the LDAP string format also specifies the order - of the attributes in the subject, this is important when - issuing certs for LDAP authentication. 
Example: - `CN=foo,DC=corp,DC=example,DC=com` More info [1]: - https://datatracker.ietf.org/doc/html/rfc4514 More info: + of the attributes + + in the subject, this is important when issuing certs for + LDAP authentication. + + Example: `CN=foo,DC=corp,DC=example,DC=com` + + More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 + + More info: https://github.com/cert-manager/cert-manager/issues/3203 + More info: - https://github.com/cert-manager/cert-manager/issues/4424 - Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components. + https://github.com/cert-manager/cert-manager/issues/4424 + + + Cannot be set if the `subject` or `commonName` field is set. type: string + nameConstraints: + description: >- + x.509 certificate NameConstraint extension which MUST NOT be + used in a non-CA certificate. + + More Info: + https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 + + + This is an Alpha Feature and is only enabled with the + + `--feature-gates=NameConstraints=true` option set on both + + the controller and webhook components. + properties: + critical: + description: if true then the name constraints are marked critical. + type: boolean + excluded: + description: >- + Excluded contains the constraints which must be + disallowed. Any name matching a + + restriction in the excluded field is invalid regardless + + of information appearing in the permitted + properties: + dnsDomains: + description: >- + DNSDomains is a list of DNS domains that are + permitted or excluded. + items: + type: string + type: array + x-kubernetes-list-type: atomic + emailAddresses: + description: >- + EmailAddresses is a list of Email Addresses that are + permitted or excluded. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + ipRanges: + description: >- + IPRanges is a list of IP Ranges that are permitted + or excluded. + + This should be a valid CIDR notation. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uriDomains: + description: >- + URIDomains is a list of URI domains that are + permitted or excluded. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + permitted: + description: >- + Permitted contains the constraints in which the names + must be located. + properties: + dnsDomains: + description: >- + DNSDomains is a list of DNS domains that are + permitted or excluded. + items: + type: string + type: array + x-kubernetes-list-type: atomic + emailAddresses: + description: >- + EmailAddresses is a list of Email Addresses that are + permitted or excluded. + items: + type: string + type: array + x-kubernetes-list-type: atomic + ipRanges: + description: >- + IPRanges is a list of IP Ranges that are permitted + or excluded. + + This should be a valid CIDR notation. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uriDomains: + description: >- + URIDomains is a list of URI domains that are + permitted or excluded. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + type: object + otherNames: + description: >- + `otherNames` is an escape hatch for SAN that allows any + type. We currently restrict the support to string like + otherNames, cf RFC 5280 p 37 + + Any UTF8 String valued otherName can be passed with by + setting the keys oid: x.x.x.x and UTF8Value: somevalue for + `otherName`. + + Most commonly this would be UPN set with oid: + 1.3.6.1.4.1.311.20.2.3 + + You should ensure that any OID passed is valid for the + UTF8String type as we do not explicitly validate this. + items: + properties: + oid: + description: >- + OID is the object identifier for the otherName SAN. 
+ + The object identifier must be expressed as a dotted + string, for + + example, "1.2.840.113556.1.4.221". + type: string + utf8Value: + description: >- + utf8Value is the string value of the otherName SAN. + + The utf8Value accepts any valid UTF8 string to set as + value for the otherName SAN. + type: string + type: object + type: array + x-kubernetes-list-type: atomic privateKey: description: >- Private key options. These include the key algorithm and - size, the used encoding and the rotation policy. + size, the used + + encoding and the rotation policy. properties: algorithm: description: >- Algorithm is the private key algorithm of the - corresponding private key for this certificate. - If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. If `algorithm` is specified and `size` is not provided, key size of 2048 will be used for `RSA` key algorithm and key size of 256 will be used for `ECDSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. + corresponding private key + + for this certificate. + + + If provided, allowed values are either `RSA`, `ECDSA` or + `Ed25519`. + + If `algorithm` is specified and `size` is not provided, + + key size of 2048 will be used for `RSA` key algorithm + and + + key size of 256 will be used for `ECDSA` key algorithm. + + key size is ignored when using the `Ed25519` key + algorithm. enum: - RSA - ECDSA @@ -296,8 +637,17 @@ spec: encoding: description: >- The private key cryptography standards (PKCS) encoding - for this certificate's private key to be encoded in. - If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. + for this + + certificate's private key to be encoded in. + + + If provided, allowed values are `PKCS1` and `PKCS8` + standing for PKCS#1 + + and PKCS#8, respectively. + + Defaults to `PKCS1` if not specified. enum: - PKCS1 - PKCS8 
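Review bot: The new `keystores.pkcs12.profile` field in this hunk documents its own default, `LegacyRC2`, as deprecated and not supported by default in OpenSSL 3 or Java 20, so any Certificate in this repo that sets `keystores.pkcs12.create: true` should now set `profile: Modern2023` explicitly (or `LegacyDES` where an old consumer needs it) rather than rely on the default. The same hunk, and the jks hunk before it, also drop `passwordSecretRef` from `required` in favour of an optional literal `password`; the literal form stores the keystore password in the Certificate object itself, readable by anyone who can get Certificates, so `passwordSecretRef` remains the better choice even though the description notes the key material sits unencrypted in the target Secret anyway.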
@@ -305,8 +655,31 @@ spec: rotationPolicy: description: >- RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. - If set to `Never`, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to `Always`, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is `Never` for backward compatibility. + regenerated when a + + re-issuance is being processed. + + + If set to `Never`, a private key will only be generated + if one does not + + already exist in the target `spec.secretName`. If one + does exist but it + + does not have the correct algorithm or size, a warning + will be raised + + to await user intervention. + + If set to `Always`, a private key matching the specified + requirements + + will be generated whenever a re-issuance occurs. + + Default is `Always`. + + The default was changed from `Never` to `Always` in + cert-manager >=v1.18.0. enum: - Never - Always 
@@ -314,49 +687,152 @@ spec: size: description: >- Size is the key bit size of the corresponding private - key for this certificate. - If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. + key for this certificate. + + + If `algorithm` is set to `RSA`, valid values are `2048`, + `4096` or `8192`, + + and will default to `2048` if not specified. + + If `algorithm` is set to `ECDSA`, valid values are + `256`, `384` or `521`, + + and will default to `256` if not specified. + + If `algorithm` is set to `Ed25519`, Size is ignored. + + No other values are allowed. type: integer type: object renewBefore: description: >- How long before the currently issued certificate's expiry - cert-manager should renew the certificate. For example, if a - certificate is valid for 60 minutes, and `renewBefore=10m`, - cert-manager will begin to attempt to renew the certificate + cert-manager should + + renew the certificate. For example, if a certificate is + valid for 60 minutes, + + and `renewBefore=10m`, cert-manager will begin to attempt to + renew the certificate + 50 minutes after it was issued (i.e. when there are 10 - minutes remaining until the certificate is no longer - valid). - NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate. - If unset, this defaults to 1/3 of the issued certificate's lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. + minutes remaining until + + the certificate is no longer valid). 
+ + + NOTE: The actual lifetime of the issued certificate is used + to determine the + + renewal time. If an issuer returns a certificate with a + different lifetime than + + the one requested, cert-manager will use the lifetime of the + issued certificate. + + + If unset, this defaults to 1/3 of the issued certificate's + lifetime. + + Minimum accepted value is 5 minutes. + + Value must be in units accepted by Go time.ParseDuration + https://golang.org/pkg/time/#ParseDuration. + + Cannot be set if the `renewBeforePercentage` field is set. type: string + renewBeforePercentage: + description: >- + `renewBeforePercentage` is like `renewBefore`, except it is + a relative percentage + + rather than an absolute duration. For example, if a + certificate is valid for 60 + + minutes, and `renewBeforePercentage=25`, cert-manager will + begin to attempt to + + renew the certificate 45 minutes after it was issued (i.e. + when there are 15 + + minutes (25%) remaining until the certificate is no longer + valid). + + + NOTE: The actual lifetime of the issued certificate is used + to determine the + + renewal time. If an issuer returns a certificate with a + different lifetime than + + the one requested, cert-manager will use the lifetime of the + issued certificate. + + + Value must be an integer in the range (0,100). The minimum + effective + + `renewBefore` derived from the `renewBeforePercentage` and + `duration` fields is 5 + + minutes. + + Cannot be set if the `renewBefore` field is set. + format: int32 + type: integer revisionHistoryLimit: description: >- The maximum number of CertificateRequest revisions that are - maintained in the Certificate's history. Each revision - represents a single `CertificateRequest` created by this - Certificate, either when it was created, renewed, or Spec + maintained in + + the Certificate's history. 
Each revision represents a single + `CertificateRequest` + + created by this Certificate, either when it was created, + renewed, or Spec + was changed. Revisions will be removed by oldest first if - the number of revisions exceeds this number. - If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. + the number of + + revisions exceeds this number. + + + If set, revisionHistoryLimit must be a value of `1` or + greater. + + Default value is `1`. format: int32 type: integer secretName: description: >- Name of the Secret resource that will be automatically - created and managed by this Certificate resource. It will be - populated with a private key and certificate, signed by the - denoted issuer. The Secret resource lives in the same - namespace as the Certificate resource. + created and + + managed by this Certificate resource. It will be populated + with a + + private key and certificate, signed by the denoted issuer. + The Secret + + resource lives in the same namespace as the Certificate + resource. type: string secretTemplate: description: >- Defines annotations and labels to be copied to the - Certificate's Secret. Labels and annotations on the Secret - will be changed as they appear on the SecretTemplate when - added or removed. SecretTemplate annotations are added in - conjunction with, and cannot overwrite, the base set of - annotations cert-manager sets on the Certificate's Secret. + Certificate's Secret. + + Labels and annotations on the Secret will be changed as they + appear on the + + SecretTemplate when added or removed. SecretTemplate + annotations are added + + in conjunction with, and cannot overwrite, the base set of + annotations + + cert-manager sets on the Certificate's Secret. properties: annotations: additionalProperties: 
@@ -373,43 +849,75 @@ spec: Kubernetes Secret. type: object type: object + signatureAlgorithm: + description: >- + Signature algorithm to use. + + Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, + SHA512WithRSA. + + Allowed values for ECDSA keys: ECDSAWithSHA256, + ECDSAWithSHA384, ECDSAWithSHA512. + + Allowed values for Ed25519 keys: PureEd25519. + enum: + - SHA256WithRSA + - SHA384WithRSA + - SHA512WithRSA + - ECDSAWithSHA256 + - ECDSAWithSHA384 + - ECDSAWithSHA512 + - PureEd25519 + type: string subject: description: >- - Requested set of X509 certificate subject attributes. More - info: - https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 - The common name attribute is specified separately in the `commonName` field. Cannot be set if the `literalSubject` field is set. + Requested set of X509 certificate subject attributes. + + More info: + https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + + + The common name attribute is specified separately in the + `commonName` field. + + Cannot be set if the `literalSubject` field is set. properties: countries: description: Countries to be used on the Certificate. items: type: string type: array + x-kubernetes-list-type: atomic localities: description: Cities to be used on the Certificate. items: type: string type: array + x-kubernetes-list-type: atomic organizationalUnits: description: Organizational Units to be used on the Certificate. items: type: string type: array + x-kubernetes-list-type: atomic organizations: description: Organizations to be used on the Certificate. items: type: string type: array + x-kubernetes-list-type: atomic postalCodes: description: Postal codes to be used on the Certificate. items: type: string type: array + x-kubernetes-list-type: atomic provinces: description: State/Provinces to be used on the Certificate. items: type: string type: array + x-kubernetes-list-type: atomic serialNumber: description: Serial number to be used on the Certificate. type: string 
@@ -418,26 +926,61 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object uris: description: Requested URI subject alternative names. items: type: string type: array + x-kubernetes-list-type: atomic usages: description: >- - Requested key usages and extended key usages. These usages - are used to set the `usages` field on the created - CertificateRequest resources. If `encodeUsagesInRequest` is - unset or set to `true`, the usages will additionally be - encoded in the `request` field which contains the CSR blob. - If unset, defaults to `digital signature` and `key encipherment`. + Requested key usages and extended key usages. + + These usages are used to set the `usages` field on the + created CertificateRequest + + resources. If `encodeUsagesInRequest` is unset or set to + `true`, the usages + + will additionally be encoded in the `request` field which + contains the CSR blob. + + + If unset, defaults to `digital signature` and `key + encipherment`. items: - description: >- - KeyUsage specifies valid usage contexts for keys. See: + description: |- + KeyUsage specifies valid usage contexts for keys. 
+ See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" + https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + + Valid KeyUsage values are as follows: + "signing", + "digital signature", + "content commitment", + "key encipherment", + "key agreement", + "data encipherment", + "cert sign", + "crl sign", + "encipher only", + "decipher only", + "any", + "server auth", + "client auth", + "code signing", + "email protection", + "s/mime", + "ipsec end system", + "ipsec tunnel", + "ipsec user", + "timestamping", + "ocsp signing", + "microsoft sgc", + "netscape sgc" enum: - signing - digital signature 
@@ -464,51 +1007,70 @@ spec: - netscape sgc type: string type: array + x-kubernetes-list-type: atomic required: - issuerRef - secretName type: object status: description: >- - Status of the Certificate. This is set and managed - automatically. Read-only. More info: + Status of the Certificate. + + This is set and managed automatically. + + Read-only. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: conditions: description: >- List of status conditions to indicate the status of - certificates. Known condition types are `Ready` and - `Issuing`. + certificates. + + Known condition types are `Ready` and `Issuing`. items: description: >- - CertificateCondition contains condition information for an + CertificateCondition contains condition information for a Certificate. properties: lastTransitionTime: description: >- LastTransitionTime is the timestamp corresponding to - the last status change of this condition. + the last status + + change of this condition. format: date-time type: string message: description: >- Message is a human readable description of the details - of the last transition, complementing reason. + of the last + + transition, complementing reason. type: string observedGeneration: description: >- If set, this represents the .metadata.generation that - the condition was set based upon. For instance, if - .metadata.generation is currently 12, but the + the condition was + + set based upon. + + For instance, if .metadata.generation is currently 12, + but the + .status.condition[x].observedGeneration is 9, the - condition is out of date with respect to the current - state of the Certificate. + condition is out of date + + with respect to the current state of the Certificate. format: int64 type: integer reason: description: >- Reason is a brief machine readable explanation for the - condition's last transition. + condition's last + + transition. type: string status: description: >- 
@@ -535,58 +1097,120 @@ spec: failedIssuanceAttempts: description: >- The number of continuous failed issuance attempts up till - now. This field gets removed (if set) on a successful - issuance and gets set to 1 if unset and an issuance has - failed. If an issuance has failed, the delay till the next - issuance will be calculated using formula time.Hour * 2 ^ - (failedIssuanceAttempts - 1). + now. This + + field gets removed (if set) on a successful issuance and + gets set to + + 1 if unset and an issuance has failed. If an issuance has + failed, the + + delay till the next issuance will be calculated using + formula + + time.Hour * 2 ^ (failedIssuanceAttempts - 1). type: integer lastFailureTime: description: >- - LastFailureTime is set only if the lastest issuance for this + LastFailureTime is set only if the latest issuance for this + Certificate failed and contains the time of the failure. If - an issuance has failed, the delay till the next issuance - will be calculated using formula time.Hour * 2 ^ - (failedIssuanceAttempts - 1). If the latest issuance has - succeeded this field will be unset. + an + + issuance has failed, the delay till the next issuance will + be + + calculated using formula time.Hour * 2 ^ + (failedIssuanceAttempts - + + 1). If the latest issuance has succeeded this field will be + unset. format: date-time type: string nextPrivateKeySecretName: description: >- The name of the Secret resource containing the private key - to be used for the next certificate iteration. The - keymanager controller will automatically set this field if - the `Issuing` condition is set to `True`. It will - automatically unset this field when the Issuing condition is + to be used + + for the next certificate iteration. + + The keymanager controller will automatically set this field + if the + + `Issuing` condition is set to `True`. + + It will automatically unset this field when the Issuing + condition is + not set or False. 
type: string notAfter: description: >- The expiration time of the certificate stored in the secret - named by this resource in `spec.secretName`. + named + + by this resource in `spec.secretName`. format: date-time type: string notBefore: description: >- The time after which the certificate stored in the secret - named by this resource in `spec.secretName` is valid. + named + + by this resource in `spec.secretName` is valid. format: date-time type: string renewalTime: description: >- RenewalTime is the time at which the certificate will be - next renewed. If not set, no upcoming renewal is scheduled. + next + + renewed. + + If not set, no upcoming renewal is scheduled. format: date-time type: string revision: - description: |- - The current 'revision' of the certificate as issued. - When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. - Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. - Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field. + description: >- + The current 'revision' of the certificate as issued. + + + When a CertificateRequest resource is created, it will have + the + + `cert-manager.io/certificate-revision` set to one greater + than the + + current value of this field. + + + Upon issuance, this field will be set to the value of the + annotation + + on the CertificateRequest resource used to issue the + certificate. 
+ + + Persisting the value on the CertificateRequest resource + allows the + + certificates controller to know whether a request is part of + an old + + issuance or if it is part of the ongoing revision's issuance + by + + checking if the revision value in the annotation is greater + than this + + field. type: integer type: object type: object + selectableFields: + - jsonPath: .spec.issuerRef.group + - jsonPath: .spec.issuerRef.kind + - jsonPath: .spec.issuerRef.name served: true storage: true subresources: diff --git a/_/CustomResourceDefinition/challenges.acme.cert-manager.io.yaml b/_/CustomResourceDefinition/challenges.acme.cert-manager.io.yaml index ce5e9fe..dbe76cf 100644 --- a/_/CustomResourceDefinition/challenges.acme.cert-manager.io.yaml +++ b/_/CustomResourceDefinition/challenges.acme.cert-manager.io.yaml @@ -1,13 +1,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + annotations: + controller-gen.kubebuilder.io/version: v0.20.1 name: challenges.acme.cert-manager.io spec: group: acme.cert-manager.io 
@@ -50,16 +45,28 @@ spec: apiVersion: description: >- APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the - latest internal value, and may reject unrecognized values. More - info: + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: >- Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the - client submits requests to. Cannot be updated. In CamelCase. + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string 
@@ -68,80 +75,114 @@ spec: spec: properties: authorizationURL: - description: >- + description: |- The URL to the ACME Authorization resource that this challenge is a part of. type: string dnsName: description: >- - dnsName is the identifier that this challenge is for, e.g. - example.com. If the requested DNSName is a 'wildcard', this - field MUST be set to the non-wildcard domain, e.g. for - `*.example.com`, it must be `example.com`. + dnsName is the identifier that this challenge is for, e.g., + example.com. + + If the requested DNSName is a 'wildcard', this field MUST be + set to the + + non-wildcard domain, e.g., for `*.example.com`, it must be + `example.com`. type: string issuerRef: description: >- References a properly configured ACME-type Issuer which - should be used to create this Challenge. If the Issuer does - not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the + should + + be used to create this Challenge. + + If the Issuer does not exist, processing will be retried. + + If the Issuer is not an 'ACME' Issuer, an error will be + returned and the + Challenge will be marked as failed. properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name type: object key: description: >- - The ACME challenge key for this challenge For HTTP01 - challenges, this is the value that must be responded with to - complete the HTTP01 challenge in the format: `.`. For - DNS01 challenges, this is the base64 encoded SHA256 sum of - the `.` text that must be set as the TXT record content. 
+ The ACME challenge key for this challenge + + For HTTP01 challenges, this is the value that must be + responded with to + + complete the HTTP01 challenge in the format: + + `.`. + + For DNS01 challenges, this is the base64 encoded SHA256 sum + of the + + `.` + + text that must be set as the TXT record content. type: string solver: description: >- Contains the domain solving configuration that should be - used to solve this challenge resource. + used to + + solve this challenge resource. properties: dns01: description: >- Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. + authorizations by + + performing the DNS01 challenge flow. properties: acmeDNS: description: >- Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage + DNS01 challenge records. properties: accountSecretRef: description: >- A reference to a specific 'key' within a Secret - resource. In some instances, `key` is a required - field. + resource. + + In some instances, `key` is a required field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -161,20 +202,25 @@ spec: accessTokenSecretRef: description: >- A reference to a specific 'key' within a Secret - resource. In some instances, `key` is a required - field. + resource. + + In some instances, `key` is a required field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -183,20 +229,25 @@ spec: clientSecretSecretRef: description: >- A reference to a specific 'key' within a Secret - resource. In some instances, `key` is a required - field. + resource. + + In some instances, `key` is a required field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -205,20 +256,25 @@ spec: clientTokenSecretRef: description: >- A reference to a specific 'key' within a Secret - resource. In some instances, `key` is a required - field. + resource. + + In some instances, `key` is a required field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -239,25 +295,38 @@ spec: properties: clientID: description: >- - if both this and ClientSecret are left unset MSI - will be used + Auth: Azure Service Principal: + + The ClientID of the Azure Service Principal used + to authenticate with Azure DNS. + + If set, ClientSecret and TenantID must also be + set. type: string clientSecretSecretRef: description: >- - if both this and ClientID are left unset MSI - will be used + Auth: Azure Service Principal: + + A reference to a Secret containing the password + associated with the Service Principal. + + If set, ClientID and TenantID must also be set. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -278,19 +347,32 @@ spec: type: string managedIdentity: description: >- - managed identity configuration, can not be used - at the same time as clientID, - clientSecretSecretRef or tenantID + Auth: Azure Workload Identity or Azure Managed + Service Identity: + + Settings to enable Azure Workload Identity or + Azure Managed Service Identity + + If set, ClientID, ClientSecret and TenantID must + not be set. properties: clientID: description: >- - client ID of the managed identity, can not - be used at the same time as resourceID + client ID of the managed identity, cannot be + used at the same time as resourceID type: string resourceID: description: >- - resource ID of the managed identity, can not + resource ID of the managed identity, cannot be used at the same time as clientID + + Cannot be used for Azure Managed Service + Identity + type: string + tenantID: + description: >- + tenant ID of the managed identity, cannot be + used at the same time as resourceID type: string type: object resourceGroupName: @@ -301,8 +383,33 @@ spec: type: string tenantID: description: >- - when specifying ClientID and ClientSecret then - this field is also needed + Auth: Azure Service Principal: + + The TenantID of the Azure Service Principal used + to authenticate with Azure DNS. + + If set, ClientID and ClientSecret must also be + set. + type: string + zoneType: + description: >- + ZoneType determines which type of Azure DNS zone + to use. + + + Valid values are: + - AzurePublicZone (default): Use a public Azure DNS zone. + - AzurePrivateZone: Use an Azure Private DNS zone. + + If not specified, AzurePublicZone is used. + + + Support for Azure Private DNS zones is currently + + experimental and may change in future releases. + enum: + - AzurePublicZone + - AzurePrivateZone type: string required: - resourceGroupName 
@@ -316,30 +423,38 @@ spec: hostedZoneName: description: >- HostedZoneName is an optional field that tells - cert-manager in which Cloud DNS zone the - challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. + cert-manager in which + + Cloud DNS zone the challenge record has to be + created. + + If left empty cert-manager will automatically + choose a zone. type: string project: type: string serviceAccountSecretRef: description: >- A reference to a specific 'key' within a Secret - resource. In some instances, `key` is a required - field. + resource. + + In some instances, `key` is a required field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -356,21 +471,27 @@ spec: apiKeySecretRef: description: >- API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now - the recommended method as it allows greater - control of permissions. + the recommended method + + as it allows greater control of permissions. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -382,14 +503,18 @@ spec: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -404,7 +529,9 @@ spec: cnameStrategy: description: >- CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. + should handle CNAME + + records when found in DNS zones. enum: - None - Follow 
@@ -417,20 +544,25 @@ spec: tokenSecretRef: description: >- A reference to a specific 'key' within a Secret - resource. In some instances, `key` is a required - field. + resource. + + In some instances, `key` is a required field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -443,43 +575,74 @@ spec: description: >- Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. properties: nameserver: - description: "The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])\_; port is optional. This field is required." + description: >- + The IP address or hostname of an authoritative + DNS server supporting + + RFC2136 in the form host:port. If the host is an + IPv6 address it must be + + enclosed in square brackets (e.g [2001:db8::1]); + port is optional. + + This field is required. + type: string + protocol: + description: >- + Protocol to use for dynamic DNS update queries. + Valid values are (case-sensitive) ``TCP`` and + ``UDP``; ``UDP`` (default). + enum: + - TCP + - UDP type: string tsigAlgorithm: description: >- The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when - ``tsigSecretSecretRef`` and ``tsigKeyName`` are - defined. Supported values are - (case-insensitive): ``HMACMD5`` (default), + supporting RFC2136. Used only + + when ``tsigSecretSecretRef`` and ``tsigKeyName`` + are defined. + + Supported values are (case-insensitive): + ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. type: string tsigKeyName: description: >- - The TSIG Key name configured in the DNS. If - ``tsigSecretSecretRef`` is defined, this field - is required. + The TSIG Key name configured in the DNS. + + If ``tsigSecretSecretRef`` is defined, this + field is required. type: string tsigSecretSecretRef: description: >- The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field - is required. + value. + + If ``tsigKeyName`` is defined, this field is + required. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. 
Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -496,117 +659,268 @@ spec: accessKeyID: description: >- The AccessKeyID is used for authentication. - Cannot be set when SecretAccessKeyID is set. If - neither the Access Key nor Key ID are set, we - fall-back to using env vars, shared credentials - file or AWS Instance metadata, see: + + Cannot be set when SecretAccessKeyID is set. + + If neither the Access Key nor Key ID are set, we + fall back to using env + + vars, shared credentials file, or AWS Instance + metadata, + + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials type: string accessKeyIDSecretRef: description: >- The SecretAccessKey is used for authentication. - If set, pull the AWS access key ID from a key - within a Kubernetes Secret. Cannot be set when - AccessKeyID is set. If neither the Access Key - nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance - metadata, see: + If set, pull the AWS + + access key ID from a key within a Kubernetes + Secret. + + Cannot be set when AccessKeyID is set. + + If neither the Access Key nor Key ID are set, we + fall back to using env + + vars, shared credentials file, or AWS Instance + metadata, + + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: - name type: object + auth: + description: Auth configures how cert-manager authenticates. 
+ properties: + kubernetes: + description: >- + Kubernetes authenticates with Route53 using + AssumeRoleWithWebIdentity + + by passing a bound ServiceAccount token. + properties: + serviceAccountRef: + description: >- + A reference to a service account that + will be used to request a bound + + token (also known as "projected token"). + To use this field, you must + + configure an RBAC rule to let + cert-manager request a token. + properties: + audiences: + description: >- + TokenAudiences is an optional list of + audiences to include in the + + token passed to AWS. The default token + consisting of the issuer's namespace + + and name is always included. + + If unset the audience defaults to + `sts.amazonaws.com`. + items: + type: string + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name of the ServiceAccount used to + request a token. + type: string + required: + - name + type: object + required: + - serviceAccountRef + type: object + required: + - kubernetes + type: object hostedZoneID: description: >- If set, the provider will manage only this zone - in Route53 and will not do an lookup using the + in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. type: string region: description: >- - Always set the region when using AccessKeyID and - SecretAccessKey + Override the AWS region. + + + Route53 is a global service and does not have + regional endpoints but the + + region specified here (or via environment + variables) is used as a hint to + + help compute the correct AWS credential scope + and partition when it + + connects to Route53. 
See: + + - [Amazon Route 53 endpoints and + quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) + + - [Global + services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) + + + If you omit this region field, cert-manager will + use the region from + + AWS_REGION and AWS_DEFAULT_REGION environment + variables, if they are set + + in the cert-manager controller Pod. + + + The `region` field is not needed if you use [IAM + Roles for Service Accounts + (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). + + Instead an AWS_REGION environment variable is + added to the cert-manager controller Pod by: + + [Amazon EKS Pod Identity + Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). + + In this case this `region` field value is + ignored. + + + The `region` field is not needed if you use [EKS + Pod + Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). + + Instead an AWS_REGION environment variable is + added to the cert-manager controller Pod by: + + [Amazon EKS Pod Identity + Agent](https://github.com/aws/eks-pod-identity-agent), + + In this case this `region` field value is + ignored. type: string role: description: >- Role is a Role ARN which the Route53 provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata + credentials AccessKeyID/SecretAccessKey + + or the inferred credentials from environment + variables, shared credentials file or AWS + Instance metadata type: string secretAccessKeySecretRef: description: >- The SecretAccessKey is used for authentication. 
+ If neither the Access Key nor Key ID are set, we - fall-back to using env vars, shared credentials - file or AWS Instance metadata, see: + fall back to using env + + vars, shared credentials file, or AWS Instance + metadata, + + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: - name type: object - required: - - region type: object webhook: description: >- Configure an external webhook based DNS01 challenge - solver to manage DNS01 challenge records. + solver to manage + + DNS01 challenge records. properties: config: description: >- Additional configuration that should be passed - to the webhook apiserver when challenges are - processed. This can contain arbitrary JSON data. + to the webhook apiserver + + when challenges are processed. + + This can contain arbitrary JSON data. + Secret values should not be specified in this - stanza. If secret values are needed (e.g. - credentials for a DNS service), you should use a - SecretKeySelector to reference a Secret - resource. For details on the schema of this - field, consult the webhook provider + stanza. + + If secret values are needed (e.g., credentials + for a DNS service), you + + should use a SecretKeySelector to reference a + Secret resource. + + For details on the schema of this field, consult + the webhook provider + implementation's documentation. 
x-kubernetes-preserve-unknown-fields: true groupName: description: >- The API group name that should be used when - POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. + POSTing ChallengePayload + + resources to the webhook apiserver. + + This should be the same as the GroupName + specified in the webhook + + provider implementation. type: string solverName: description: >- The name of the solver to use, as defined in the - webhook provider implementation. This will - typically be the name of the provider, e.g. - 'cloudflare'. + webhook provider + + implementation. + + This will typically be the name of the provider, + e.g., 'cloudflare'. type: string required: - groupName 
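Review bot: The new `auth.kubernetes.serviceAccountRef` stanza in this hunk states in its own description that cert-manager must be granted an RBAC rule before it can request a bound ServiceAccount token, and nothing else in this diff adds such a rule, so any Issuer in this repo that adopts the field will also need a Role/RoleBinding permitting token requests for the referenced ServiceAccount. In the same hunk `region` is dropped from the route53 `required` list, so a route53 solver config that omits it now passes CRD validation and silently relies on the `AWS_REGION`/`AWS_DEFAULT_REGION` variables in the controller Pod, as the new `region` description explains; it may be worth checking that no existing route53 config here depended on validation catching a missing region. The enclosing `route53` mapping starts outside the hunk.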
@@ -616,89 +930,183 @@ spec: http01: description: >- Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. + authorizations by + + performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 - challenge mechanism. + domain names + + (e.g., `*.example.com`) using the HTTP01 challenge + mechanism. properties: gatewayHTTPRoute: description: >- The Gateway API is a sig-network community API that - models service networking in Kubernetes - (https://gateway-api.sigs.k8s.io/). The Gateway - solver will create HTTPRoutes with the specified - labels in the same namespace as the challenge. This - solver is experimental, and fields / behaviour may - change in the future. + models service networking + + in Kubernetes (https://gateway-api.sigs.k8s.io/). + The Gateway solver will + + create HTTPRoutes with the specified labels in the + same namespace as the challenge. + + This solver is experimental, and fields / behaviour + may change in the future. properties: labels: additionalProperties: type: string description: >- Custom labels that will be applied to HTTPRoutes - created by cert-manager while solving HTTP-01 - challenges. + created by cert-manager + + while solving HTTP-01 challenges. type: object parentRefs: description: >- When solving an HTTP-01 challenge, cert-manager - creates an HTTPRoute. cert-manager needs to know - which parentRefs should be used when creating + creates an HTTPRoute. + + cert-manager needs to know which parentRefs + should be used when creating + the HTTPRoute. Usually, the parentRef references a Gateway. See: + https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways items: description: >- ParentReference identifies an API object - (usually a Gateway) that can be considered a - parent of this resource (usually a route). 
- There are two kinds of parent resources with - "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. + (usually a Gateway) that can be considered + + a parent of this resource (usually a route). + There are two kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + This API may be extended in the future to + support additional kinds of parent + + resources. + + + The API object must be valid in the cluster; + the Group and Kind must + + be registered in the cluster for this + reference to be valid. properties: group: default: gateway.networking.k8s.io description: >- - Group is the group of the referent. When - unspecified, "gateway.networking.k8s.io" - is inferred. To set the core API group - (such as for a "Service" kind referent), + Group is the group of the referent. + + When unspecified, + "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a + "Service" kind referent), + Group must be explicitly set to "" (empty - string). - Support: Core + string). + + + Support: Core maxLength: 253 pattern: >- ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: default: Gateway - description: |- - Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) - Support for other resources is Implementation-Specific. + description: >- + Kind is kind of the referent. 
+ + + There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, + ClusterIP Services only) + + + Support for other resources is + Implementation-Specific. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: |- - Name is the name of the referent. - Support: Core + Name is the name of the referent. + + Support: Core maxLength: 253 minLength: 1 type: string namespace: description: >- Namespace is the namespace of the - referent. When unspecified, this refers to - the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. - Support: Core + referent. When unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for + ParentRefs which cross namespace + + boundaries. Cross-namespace references are + only valid if they are explicitly + + allowed by something in the namespace they + are referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. 
+ + + + + ParentRefs from a Route to a Service in + the same namespace are "producer" + + routes, which apply default routing rules + to inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules + are only applied to outbound + + connections originating from the same + namespace as the Route, for which + + the intended destination of the + connections are a Service targeted as a + + ParentRef of the Route. + + + + + Support: Core maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -706,14 +1114,80 @@ spec: port: description: >- Port is the network port this Route - targets. It can be interpreted differently - based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended - + targets. It can be interpreted + + differently based on the type of parent + resource. + + + When the parent resource is a Gateway, + this targets all listeners + + listening on the specified port that also + support this kind of Route(and + + select this Route). It's not recommended + to set `Port` unless the + + networking behaviors specified in a Route + must apply to a specific port + + as opposed to a listener(s) whose port(s) + may be changed. 
When both Port + + and SectionName are specified, the name + and port of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, + this targets a specific port in the + + Service spec. When both Port + (experimental) and SectionName are + specified, + + the name and port of the selected port + must match both specified values. + + + + + Implementations MAY choose to support + other parent resources. + + Implementations supporting other types of + parent resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment + is considered successful as + + long as the parent resource accepts it + partially. For example, Gateway + + listeners can restrict which Routes can + attach to them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST + be considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from + the Gateway. + + + Support: Extended format: int32 maximum: 65535 minimum: 1 
@@ -722,12 +1196,63 @@ spec: description: >- SectionName is the name of a section within the target resource. In the + following resources, SectionName is - interpreted as the following: - * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core + interpreted as the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the + selected listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the + selected listener must match + + both specified values. + + + Implementations MAY choose to support + attaching Routes to other resources. + + If that is the case, they MUST clearly + document how SectionName is + + interpreted. 
+ + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment + is considered successful if at + + least one section in the parent resource + accepts it. For example, Gateway + + listeners can restrict which Routes can + attach to them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core maxLength: 253 minLength: 1 pattern: >- 
@@ -737,103 +1262,33 @@ spec: - name type: object type: array - serviceType: - description: >- - Optional service type for Kubernetes solver - service. Supported values are NodePort or - ClusterIP. If unset, defaults to NodePort. - type: string - type: object - ingress: - description: >- - The ingress based HTTP01 challenge solver will solve - challenges by creating or modifying Ingress - resources in order to route requests for - '/.well-known/acme-challenge/XYZ' to 'challenge - solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - properties: - class: - description: >- - This field configures the annotation - `kubernetes.io/ingress.class` when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of `class`, - `name` or `ingressClassName` may be specified. - type: string - ingressClassName: - description: >- - This field configures the field - `ingressClassName` on the created Ingress - resources used to solve ACME challenges that use - this challenge solver. This is the recommended - way of configuring the ingress class. Only one - of `class`, `name` or `ingressClassName` may be - specified. - type: string - ingressTemplate: - description: >- - Optional ingress template used to configure the - ACME challenge solver ingress used for HTTP01 - challenges. - properties: - metadata: - description: >- - ObjectMeta overrides for the ingress used to - solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If - labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: >- - Annotations that should be added to the - created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: >- - Labels that should be added to the - created ACME HTTP01 solver ingress. 
- type: object - type: object - type: object - name: - description: >- - The name of the ingress resource that should - have ACME challenge solving routes inserted into - it in order to solve HTTP01 challenges. This is - typically used in conjunction with ingress - controllers like ingress-gce, which maintains a - 1:1 mapping between external IPs and ingress - resources. Only one of `class`, `name` or - `ingressClassName` may be specified. - type: string + x-kubernetes-list-type: atomic podTemplate: description: >- Optional pod template used to configure the ACME - challenge solver pods used for HTTP01 - challenges. + challenge solver pods + + used for HTTP01 challenges. properties: metadata: description: >- ObjectMeta overrides for the pod used to - solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If - labels or annotations overlap with in-built - values, the values here will override the - in-built values. + solve HTTP01 challenges. + + Only the 'labels' and 'annotations' fields + may be set. + + If labels or annotations overlap with + in-built values, the values here + + will override the in-built values. properties: annotations: additionalProperties: type: string description: >- Annotations that should be added to the - create ACME HTTP01 solver pods. + created ACME HTTP01 solver pods. type: object labels: additionalProperties: @@ -846,10 +1301,13 @@ spec: spec: description: >- PodSpec defines overrides for the HTTP01 - challenge solver pod. Check + challenge solver pod. + + Check ACMEChallengeSolverHTTP01IngressPodSpec to - find out currently supported fields. All - other fields will be ignored. + find out currently supported fields. + + All other fields will be ignored. properties: affinity: description: >- 
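Review bot: The `@@ -737,103 +1262,33 @@` hunk removes the entire `http01.ingress` solver stanza (plus `serviceType`) from the schema and replaces it only with `x-kubernetes-list-type: atomic` on `parentRefs`, so once this CRD is applied any Issuer or ClusterIssuer that still sets `solvers[].http01.ingress` will be rejected by API validation on its next create or update. I cannot tell from the diff whether this is an intended narrowing of the schema or an artifact of how the chart was rendered, so it is worth confirming before merge; the newly added `letsencrypt-*-gateway` ClusterIssuers suggest a migration to `gatewayHTTPRoute` is in progress, but every remaining ingress-based issuer in the repo should be accounted for. The enclosing `http01` mapping starts outside the hunk.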
@@ -864,27 +1322,38 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: description: >- The scheduler will prefer to schedule - pods to nodes that satisfy the affinity - expressions specified by this field, but - it may choose a node that violates one - or more of the expressions. The node - that is most preferred is the one with - the greatest sum of weights, i.e. for - each node that meets all of the + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling - affinity expressions, etc.), compute a - sum by iterating through the elements of - this field and adding "weight" to the - sum if the node matches the - corresponding matchExpressions; the + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: description: >- An empty preferred scheduling term matches all objects with implicit weight - 0 (i.e. it's a no-op). A null preferred + 0 + + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: @@ -901,8 +1370,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -912,28 +1382,37 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: >- A list of node selector requirements by @@ -942,8 +1421,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -953,28 +1433,37 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic weight: 
@@ -989,17 +1478,23 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: >- If the affinity requirements specified - by this field are not met at scheduling - time, the pod will not be scheduled onto - the node. If the affinity requirements - specified by this field cease to be met + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + at some point during pod execution (e.g. - due to an update), the system may or may - not try to eventually evict the pod from - its node. + due to an update), the system + + may or may not try to eventually evict + the pod from its node. properties: nodeSelectorTerms: description: >- @@ -1009,9 +1504,11 @@ spec: description: >- A null or empty node selector term matches no objects. The requirements of - them are ANDed. The TopologySelectorTerm - type implements a subset of the - NodeSelectorTerm. + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. properties: matchExpressions: description: >- @@ -1021,8 +1518,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1032,28 +1530,37 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: >- A list of node selector requirements by @@ -1062,8 +1569,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1073,31 +1581,41 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object 
@@ -1112,20 +1630,30 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: description: >- The scheduler will prefer to schedule - pods to nodes that satisfy the affinity - expressions specified by this field, but - it may choose a node that violates one - or more of the expressions. The node - that is most preferred is the one with - the greatest sum of weights, i.e. for - each node that meets all of the + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling - affinity expressions, etc.), compute a - sum by iterating through the elements of - this field and adding "weight" to the - sum if the node has pods which matches - the corresponding podAffinityTerm; the + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: @@ -1145,6 +1673,9 @@ spec: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: description: >- @@ -1155,8 +1686,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1166,49 +1698,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1220,8 +1835,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1231,36 +1847,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1268,27 +1896,38 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -1296,8 +1935,9 @@ spec: weight: description: >- weight associated with matching the - corresponding podAffinityTerm, in the - range 1-100. + corresponding podAffinityTerm, + + in the range 1-100. format: int32 type: integer required: 
@@ -1305,38 +1945,55 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: >- If the affinity requirements specified - by this field are not met at scheduling - time, the pod will not be scheduled onto - the node. If the affinity requirements - specified by this field cease to be met + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + at some point during pod execution (e.g. - due to a pod label update), the system - may or may not try to eventually evict - the pod from its node. When there are - multiple elements, the lists of nodes - corresponding to each podAffinityTerm - are intersected, i.e. all terms must be - satisfied. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. items: description: >- Defines a set of pods (namely those - matching the labelSelector relative to - the given namespace(s)) that this pod - should be co-located (affinity) or not - co-located (anti-affinity) with, where - co-located is defined as running on a - node whose value of the label with key - matches that of any node - on which a pod of the set of pods is - running + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running properties: labelSelector: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. 
properties: matchExpressions: description: >- @@ -1347,8 +2004,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1358,49 +2016,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1412,8 +2153,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1423,36 +2165,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1460,32 +2214,44 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object podAntiAffinity: description: >- 
@@ -1497,21 +2263,30 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: description: >- The scheduler will prefer to schedule - pods to nodes that satisfy the - anti-affinity expressions specified by - this field, but it may choose a node - that violates one or more of the - expressions. The node that is most - preferred is the one with the greatest - sum of weights, i.e. for each node that - meets all of the scheduling requirements - (resource request, - requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum if - the node has pods which matches the - corresponding podAffinityTerm; the + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: @@ -1531,6 +2306,9 @@ spec: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: description: >- @@ -1541,8 +2319,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1552,49 +2331,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1606,8 +2468,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1617,36 +2480,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1654,27 +2529,38 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -1682,8 +2568,9 @@ spec: weight: description: >- weight associated with matching the - corresponding podAffinityTerm, in the - range 1-100. + corresponding podAffinityTerm, + + in the range 1-100. format: int32 type: integer required: 
@@ -1691,38 +2578,55 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: >- If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be - scheduled onto the node. If the - anti-affinity requirements specified by - this field cease to be met at some point - during pod execution (e.g. due to a pod - label update), the system may or may not - try to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to each + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: >- Defines a set of pods (namely those - matching the labelSelector relative to - the given namespace(s)) that this pod - should be co-located (affinity) or not - co-located (anti-affinity) with, where - co-located is defined as running on a - node whose value of the label with key - matches that of any node - on which a pod of the set of pods is - running + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running properties: labelSelector: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: description: >- 
@@ -1733,8 +2637,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1744,49 +2649,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1798,8 +2786,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1809,36 +2798,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1846,32 +2847,44 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object type: object imagePullSecrets: 
@@ -1880,28 +2893,44 @@ spec: description: >- LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: + default: '' description: >- - Name of the referent. More info: + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. - apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map nodeSelector: additionalProperties: type: string description: >- NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on - that node. More info: + that node. + + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object priorityClassName: 
@@ -1909,6 +2938,328 @@ spec: If specified, the pod's priorityClassName. type: string + resources: + description: >- + If specified, the pod's resource + requirements. + + These values override the global + resource configuration flags. + + Note that when only specifying resource + limits, ensure they are greater than or + equal + + to the corresponding global resource + requests configured via controller flags + + (--acme-http01-solver-resource-request-cpu, + --acme-http01-solver-resource-request-memory). + + Kubernetes will reject pod creation if + limits are lower than requests, causing + challenge failures. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to the global values + configured via controller flags. + Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: If specified, the pod's security context + properties: + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. 
+ + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. 
+ type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + addition + + to the container's primary GID, the + fsGroup (if specified), and group + memberships + + defined in the container image for the + uid of the container process. If + unspecified, + + no additional groups are added to any + container. Note that group memberships + + defined in the container image for the + uid of the container process are still + effective, + + even if they are not included in this + list. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. + items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + type: object serviceAccountName: description: If specified, the pod's service account type: string 
@@ -1917,177 +3268,2438 @@ spec: items: description: >- The pod this Toleration is attached to - tolerates any taint that matches the - triple using the + tolerates any taint that matches + + the triple using the matching operator . properties: effect: description: >- Effect indicates the taint effect to match. Empty means match all taint - effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: >- Key is the taint key that the toleration applies to. Empty means match all taint - keys. If the key is empty, operator must - be Exists; this combination means to - match all values and all keys. + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. type: string operator: description: >- Operator represents a key's relationship - to the value. Valid operators are Exists - and Equal. Defaults to Equal. Exists is - equivalent to wildcard for value, so - that a pod can tolerate all taints of a - particular category. + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). type: string tolerationSeconds: description: >- TolerationSeconds represents the period - of time the toleration (which must be of - effect NoExecute, otherwise this field - is ignored) tolerates the taint. By - default, it is not set, which means - tolerate the taint forever (do not - evict). Zero and negative values will be - treated as 0 (evict immediately) by the - system. + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. 
+ By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. format: int64 type: integer value: description: >- Value is the taint value the toleration - matches to. If the operator is Exists, - the value should be empty, otherwise - just a regular string. + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. type: string type: object type: array + x-kubernetes-list-type: atomic type: object type: object serviceType: description: >- Optional service type for Kubernetes solver - service. Supported values are NodePort or - ClusterIP. If unset, defaults to NodePort. + service. Supported values + + are NodePort or ClusterIP. If unset, defaults to + NodePort. type: string type: object - type: object - selector: - description: >- - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge - solver. If not specified, the solver will be treated as - the 'default' solver with the lowest priority, i.e. if - any other solver has a more specific match, it will be - used instead. - properties: - dnsNames: - description: >- - List of DNSNames that this solver will be used to - solve. If specified and a match is found, a dnsNames - selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: >- - List of DNSZones that this solver will be used to - solve. The most specific DNS zone match specified - here will take precedence over other DNS zone - matches, so a solver specifying sys.example.com will - be selected over one specifying example.com for the - domain www.sys.example.com. 
If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be - selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string + ingress: description: >- - A label selector that is used to refine the set of - certificate's that this challenge solver will apply - to. - type: object - type: object - type: object - token: - description: >- - The ACME challenge token for this challenge. This is the raw - value returned from the ACME server. - type: string - type: - description: >- - The type of ACME challenge this resource represents. One of - "HTTP-01" or "DNS-01". - enum: - - HTTP-01 - - DNS-01 - type: string - url: - description: >- - The URL of the ACME Challenge resource for this challenge. - This can be used to lookup details about the status of this - challenge. - type: string - wildcard: - description: >- - wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com'. - type: boolean - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: >- - presented will be set to true if the challenge values for - this challenge are currently 'presented'. This *does not* - imply the self check is passing. Only that the values have - been 'submitted' for the appropriate challenge mechanism - (i.e. the DNS01 TXT record has been presented, or the HTTP01 - configuration has been configured). - type: boolean - processing: - description: >- - Used to denote whether this challenge should be processed or - not. This field will only be set to true by the 'scheduling' - component. It will only be set to false by the 'challenges' - controller, after the challenge has reached a final state or - timed out. 
If this field is set to false, the challenge - controller will not take any more action. - type: boolean - reason: - description: >- - Contains human readable information on why the Challenge is - in the current state. - type: string - state: - description: >- - Contains the current 'state' of the challenge. If not set, - the state of the challenge is unknown. + The ingress based HTTP01 challenge solver will solve + challenges by + + creating or modifying Ingress resources in order to + route requests for + + '/.well-known/acme-challenge/XYZ' to 'challenge + solver' pods that are + + provisioned by cert-manager for each Challenge to be + completed. + properties: + class: + description: >- + This field configures the annotation + `kubernetes.io/ingress.class` when + + creating Ingress resources to solve ACME + challenges that use this + + challenge solver. Only one of `class`, `name` or + `ingressClassName` may + + be specified. + type: string + ingressClassName: + description: >- + This field configures the field + `ingressClassName` on the created Ingress + + resources used to solve ACME challenges that use + this challenge solver. + + This is the recommended way of configuring the + ingress class. Only one of + + `class`, `name` or `ingressClassName` may be + specified. + type: string + ingressTemplate: + description: >- + Optional ingress template used to configure the + ACME challenge solver + + ingress used for HTTP01 challenges. + properties: + metadata: + description: >- + ObjectMeta overrides for the ingress used to + solve HTTP01 challenges. + + Only the 'labels' and 'annotations' fields + may be set. + + If labels or annotations overlap with + in-built values, the values here + + will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: >- + Annotations that should be added to the + created ACME HTTP01 solver ingress. 
+ type: object + labels: + additionalProperties: + type: string + description: >- + Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: >- + The name of the ingress resource that should + have ACME challenge solving + + routes inserted into it in order to solve HTTP01 + challenges. + + This is typically used in conjunction with + ingress controllers like + + ingress-gce, which maintains a 1:1 mapping + between external IPs and + + ingress resources. Only one of `class`, `name` + or `ingressClassName` may + + be specified. + type: string + podTemplate: + description: >- + Optional pod template used to configure the ACME + challenge solver pods + + used for HTTP01 challenges. + properties: + metadata: + description: >- + ObjectMeta overrides for the pod used to + solve HTTP01 challenges. + + Only the 'labels' and 'annotations' fields + may be set. + + If labels or annotations overlap with + in-built values, the values here + + will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: >- + Annotations that should be added to the + created ACME HTTP01 solver pods. + type: object + labels: + additionalProperties: + type: string + description: >- + Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: >- + PodSpec defines overrides for the HTTP01 + challenge solver pod. + + Check + ACMEChallengeSolverHTTP01IngressPodSpec to + find out currently supported fields. + + All other fields will be ignored. + properties: + affinity: + description: >- + If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: >- + Describes node affinity scheduling rules + for the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + An empty preferred scheduling term + matches all objects with implicit weight + 0 + + (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: >- + A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. 
+ + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: >- + Weight associated with matching the + corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. 
+ due to an update), the system + + may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: >- + Required. A list of node selector terms. + The terms are ORed. + items: + description: >- + A null or empty node selector term + matches no objects. The requirements of + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. 
+ + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: >- + Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. 
A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. 
The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. 
+ items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. 
+ properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. 
+ + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: >- + Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in + the same node, zone, etc. as some other + pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". 
The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the anti-affinity requirements + specified by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. 
+ items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. 
+ properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + items: + description: >- + LocalObjectReference contains enough + information to let you locate the + + referenced object inside the same + namespace. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + nodeSelector: + additionalProperties: + type: string + description: >- + NodeSelector is a selector which must be + true for the pod to fit on a node. + + Selector which must match a node's + labels for the pod to be scheduled on + that node. + + More info: + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + priorityClassName: + description: >- + If specified, the pod's + priorityClassName. + type: string + resources: + description: >- + If specified, the pod's resource + requirements. + + These values override the global + resource configuration flags. 
+ + Note that when only specifying resource + limits, ensure they are greater than or + equal + + to the corresponding global resource + requests configured via controller flags + + (--acme-http01-solver-resource-request-cpu, + --acme-http01-solver-resource-request-memory). + + Kubernetes will reject pod creation if + limits are lower than requests, causing + challenge failures. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to the global values + configured via controller flags. + Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: If specified, the pod's security context + properties: + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. + + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. 
The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. 
If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. 
+ + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + addition + + to the container's primary GID, the + fsGroup (if specified), and group + memberships + + defined in the container image for the + uid of the container process. If + unspecified, + + no additional groups are added to any + container. Note that group memberships + + defined in the container image for the + uid of the container process are still + effective, + + even if they are not included in this + list. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. + items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + type: object + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: >- + The pod this Toleration is attached to + tolerates any taint that matches + + the triple using the + matching operator . + properties: + effect: + description: >- + Effect indicates the taint effect to + match. Empty means match all taint + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: >- + Key is the taint key that the toleration + applies to. 
Empty means match all taint + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. + type: string + operator: + description: >- + Operator represents a key's relationship + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: >- + TolerationSeconds represents the period + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. + By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. + format: int64 + type: integer + value: + description: >- + Value is the taint value the toleration + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + serviceType: + description: >- + Optional service type for Kubernetes solver + service. Supported values + + are NodePort or ClusterIP. If unset, defaults to + NodePort. + type: string + type: object + type: object + selector: + description: >- + Selector selects a set of DNSNames on the Certificate + resource that + + should be solved using this challenge solver. + + If not specified, the solver will be treated as the + 'default' solver + + with the lowest priority, i.e. if any other solver has a + more specific + + match, it will be used instead. + properties: + dnsNames: + description: >- + List of DNSNames that this solver will be used to + solve. 
+ + If specified and a match is found, a dnsNames + selector will take + + precedence over a dnsZones selector. + + If multiple solvers match with the same dnsNames + value, the solver + + with the most matching labels in matchLabels will be + selected. + + If neither has more matches, the solver defined + earlier in the list + + will be selected. + items: + type: string + type: array + x-kubernetes-list-type: atomic + dnsZones: + description: >- + List of DNSZones that this solver will be used to + solve. + + The most specific DNS zone match specified here will + take precedence + + over other DNS zone matches, so a solver specifying + sys.example.com + + will be selected over one specifying example.com for + the domain + + www.sys.example.com. + + If multiple solvers match with the same dnsZones + value, the solver + + with the most matching labels in matchLabels will be + selected. + + If neither has more matches, the solver defined + earlier in the list + + will be selected. + items: + type: string + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + A label selector that is used to refine the set of + certificate's that + + this challenge solver will apply to. + type: object + type: object + type: object + token: + description: |- + The ACME challenge token for this challenge. + This is the raw value returned from the ACME server. + type: string + type: + description: |- + The type of ACME challenge this resource represents. + One of "HTTP-01" or "DNS-01". + enum: + - HTTP-01 + - DNS-01 + type: string + url: + description: >- + The URL of the ACME Challenge resource for this challenge. + + This can be used to lookup details about the status of this + challenge. + type: string + wildcard: + description: >- + wildcard will be true if this challenge is for a wildcard + identifier, + + for example '*.example.com'. 
+ type: boolean + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + type: object + status: + properties: + presented: + description: >- + presented will be set to true if the challenge values for + this challenge + + are currently 'presented'. + + This *does not* imply the self check is passing. Only that + the values + + have been 'submitted' for the appropriate challenge + mechanism (i.e. the + + DNS01 TXT record has been presented, or the HTTP01 + configuration has been + + configured). + type: boolean + processing: + description: >- + Used to denote whether this challenge should be processed or + not. + + This field will only be set to true by the 'scheduling' + component. + + It will only be set to false by the 'challenges' controller, + after the + + challenge has reached a final state or timed out. + + If this field is set to false, the challenge controller will + not take + + any more action. + type: boolean + reason: + description: >- + Contains human readable information on why the Challenge is + in the + + current state. + type: string + state: + description: |- + Contains the current 'state' of the challenge. + If not set, the state of the challenge is unknown. enum: - valid - ready @@ -2102,6 +5714,10 @@ spec: - metadata - spec type: object + selectableFields: + - jsonPath: .spec.issuerRef.group + - jsonPath: .spec.issuerRef.kind + - jsonPath: .spec.issuerRef.name served: true storage: true subresources: diff --git a/_/CustomResourceDefinition/clienttrafficpolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/clienttrafficpolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..92d224d --- /dev/null +++ b/_/CustomResourceDefinition/clienttrafficpolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,2803 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: clienttrafficpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: ClientTrafficPolicy + listKind: ClientTrafficPolicyList + plural: clienttrafficpolicies + shortNames: + - ctp + singular: clienttrafficpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + ClientTrafficPolicy allows the user to configure the behavior of the + connection + + between the downstream client and Envoy Proxy listener. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ClientTrafficPolicy. + properties: + clientIPDetection: + description: >- + ClientIPDetectionSettings provides configuration for + determining the original client IP address for requests. + properties: + customHeader: + description: >- + CustomHeader provides configuration for determining the + client IP address for a request based on + + a trusted custom HTTP header. 
This uses the + custom_header original IP detection extension. + + Refer to + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto + + for more details. + properties: + failClosed: + description: >- + FailClosed is a switch used to control the flow of + traffic when client IP detection + + fails. If set to true, the listener will respond + with 403 Forbidden when the client + + IP address cannot be determined. + type: boolean + name: + description: >- + Name of the header containing the original + downstream remote address, if present. + maxLength: 255 + minLength: 1 + pattern: ^[A-Za-z0-9-]+$ + type: string + required: + - name + type: object + xForwardedFor: + description: >- + XForwardedForSettings provides configuration for using + X-Forwarded-For headers for determining the client IP + address. + properties: + numTrustedHops: + description: >- + NumTrustedHops specifies how many trusted hops to + count from the rightmost side of + + the X-Forwarded-For (XFF) header when determining + the original client’s IP address. + + + If NumTrustedHops is set to N, the client IP is + taken from the Nth address from the + + right end of the XFF header. + + + Example: + XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1" + NumTrustedHops = 2 + → Trusted client address = 203.0.113.10 + + Only one of NumTrustedHops or TrustedCIDRs should be + configured. + format: int32 + type: integer + trustedCIDRs: + description: >- + TrustedCIDRs is a list of CIDR ranges to trust when + evaluating + + the remote IP address to determine the original + client’s IP address. + + When the remote IP address matches a trusted CIDR + and the x-forwarded-for header was sent, + + each entry in the x-forwarded-for header is + evaluated from right to left + + and the first public non-trusted address is used as + the original client address. 
+ + If all addresses in x-forwarded-for are within the + trusted list, the first (leftmost) entry is used. + + Only one of NumTrustedHops and TrustedCIDRs must be + set. + items: + description: >- + CIDR defines a CIDR Address range. + + A CIDR can be an IPv4 address range such as + "192.168.1.0/24" or an IPv6 address range such as + "2001:0db8:11a3:09d7::/64". + pattern: >- + ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) + type: string + minItems: 1 + type: array + type: object + x-kubernetes-validations: + - message: >- + only one of numTrustedHops or trustedCIDRs must be + set + rule: >- + (has(self.numTrustedHops) && + !has(self.trustedCIDRs)) || + (!has(self.numTrustedHops) && + has(self.trustedCIDRs)) + type: object + x-kubernetes-validations: + - message: >- + customHeader cannot be used in conjunction with + xForwardedFor + rule: '!(has(self.xForwardedFor) && has(self.customHeader))' + connection: + description: Connection includes client connection settings. 
+ properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit provides configuration for the maximum + buffer size in bytes for each incoming connection. + + BufferLimit applies to connection streaming (maybe + non-streaming) channel between processes, it's in user + space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, the value is + interpreted as bytes. + + Default: 32768 bytes. + x-kubernetes-int-or-string: true + connectionLimit: + description: ConnectionLimit defines limits related to connections + properties: + closeDelay: + description: >- + CloseDelay defines the delay to use before closing + connections that are rejected + + once the limit value is reached. + + Default: none. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + MaxConnectionDuration is the maximum amount of time + a connection can remain established + + (usually via TCP/HTTP Keepalive packets) before + being drained and/or closed. + + If not specified, there is no limit. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxRequestsPerConnection: + description: >- + MaxRequestsPerConnection defines the maximum number + of requests allowed over a single connection. + + If not specified, there is no limit. Setting this + parameter to 1 will effectively disable keep alive. + format: int32 + type: integer + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum amount of time to + keep alive an http stream. When the limit is reached + + the stream will be reset independent of any other + timeouts. If not specified, no value is set. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + value: + description: >- + Value of the maximum concurrent connections limit. + + When the limit is reached, incoming connections will + be closed after the CloseDelay duration. + format: int64 + minimum: 1 + type: integer + type: object + x-kubernetes-validations: + - message: closeDelay can only be configured when value is set + rule: '!has(self.closeDelay) || has(self.value)' + maxAcceptPerSocketEvent: + default: 1 + description: >- + MaxAcceptPerSocketEvent provides configuration for the + maximum number of connections to accept from the kernel + + per socket event. If there are more than + MaxAcceptPerSocketEvent connections pending accept, + connections over + + this threshold will be accepted in later event loop + iterations. + + Defaults to 1 and can be disabled by setting to 0 for + allowing unlimited accepted connections. + format: int32 + type: integer + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for the maximum + buffer size in bytes for each incoming socket. + + SocketBufferLimit applies to socket streaming channel + between TCP/IP stacks, it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, the value is + interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + enableProxyProtocol: + description: >- + EnableProxyProtocol interprets the ProxyProtocol header and + adds the + + Client Address into the X-Forwarded-For header. + + Note Proxy Protocol must be present when this field is set, + else the connection + + is closed. + + + Deprecated: Use ProxyProtocol instead. 
+ type: boolean + headers: + description: HeaderSettings provides configuration for header management. + properties: + disableRateLimitHeaders: + description: >- + DisableRateLimitHeaders configures Envoy Proxy to omit + the "X-RateLimit-" response headers + + when rate limiting is enabled. + type: boolean + earlyRequestHeaders: + description: >- + EarlyRequestHeaders defines settings for early request + header modification, before envoy performs + + routing, tracing and built-in header manipulation. + properties: + add: + description: >- + Add adds the given header(s) (name, value) to the + request + + before the action. It appends to any existing values + associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + addIfAbsent: + description: >- + AddIfAbsent adds the given header(s) (name, value) + to the request/response + + only if the header does not already exist. Unlike + Add which appends to + + existing values, this is a no-op if the header is + already present. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + addIfAbsent: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: foo + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP request + before the action. The + + value of Remove is a list of HTTP header names. Note + that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-type: set + removeOnMatch: + description: >- + RemoveOnMatch removes headers whose names match the + specified string matchers. + + Matching is performed on the header name + (case-insensitive). + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that can + be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: Type specifies how to match against a string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 64 + minItems: 1 + type: array + set: + description: >- + Set overwrites the request with the given header + (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + enableEnvoyHeaders: + description: >- + EnableEnvoyHeaders configures Envoy Proxy to add the + "X-Envoy-" headers to requests + + and responses. + type: boolean + lateResponseHeaders: + description: >- + LateResponseHeaders defines settings for global response + header modification. + properties: + add: + description: >- + Add adds the given header(s) (name, value) to the + request + + before the action. It appends to any existing values + associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + addIfAbsent: + description: >- + AddIfAbsent adds the given header(s) (name, value) + to the request/response + + only if the header does not already exist. Unlike + Add which appends to + + existing values, this is a no-op if the header is + already present. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + addIfAbsent: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: foo + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP request + before the action. The + + value of Remove is a list of HTTP header names. Note + that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-type: set + removeOnMatch: + description: >- + RemoveOnMatch removes headers whose names match the + specified string matchers. + + Matching is performed on the header name + (case-insensitive). + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that can + be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: Type specifies how to match against a string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 64 + minItems: 1 + type: array + set: + description: >- + Set overwrites the request with the given header + (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + preserveXRequestID: + description: >- + PreserveXRequestID configures Envoy to keep the + X-Request-ID header if passed for a request that is edge + + (Edge request is the request from external clients to + front Envoy) and not reset it, which is the current + Envoy behaviour. + + Defaults to false and cannot be combined with RequestID. + + Deprecated: use RequestID=PreserveOrGenerate instead + type: boolean + requestID: + description: >- + RequestID configures Envoy's behavior for handling the + `X-Request-ID` header. + + When omitted default behavior is `Generate` which builds + the `X-Request-ID` for every request + and ignores pre-existing values from the edge. + (An "edge request" refers to a request from an external + client to the Envoy entrypoint.) + enum: + - PreserveOrGenerate + - Preserve + - Generate + - Disable + type: string + withUnderscoresAction: + description: >- + WithUnderscoresAction configures the action to take when + an HTTP header with underscores + + is encountered. The default action is to reject the + request. + enum: + - Allow + - RejectRequest + - DropHeader + type: string + xForwardedClientCert: + description: >- + XForwardedClientCert configures how Envoy Proxy handle + the x-forwarded-client-cert (XFCC) HTTP header. + + + x-forwarded-client-cert (XFCC) is an HTTP header used to + forward the certificate + + information of part or all of the clients or proxies + that a request has flowed through, + + on its way from the client to the server. + + + Envoy proxy may choose to sanitize/append/forward the + XFCC header before proxying the request. 
+ + + If not set, the default behavior is sanitizing the XFCC + header. + properties: + certDetailsToAdd: + description: >- + CertDetailsToAdd specifies the fields in the client + certificate to be forwarded in the XFCC header. + + + Hash(the SHA 256 digest of the current client + certificate) and By(the Subject Alternative Name) + + are always included if the client certificate is + forwarded. + + + This field is only applicable when the mode is set + to `AppendForward` or + + `SanitizeSet` and the client connection is mTLS. + items: + description: >- + XFCCCertData specifies the fields in the client + certificate to be forwarded in the XFCC header. + enum: + - Subject + - Cert + - Chain + - DNS + - URI + type: string + maxItems: 5 + type: array + mode: + description: >- + Mode defines how XFCC header is handled by Envoy + Proxy. + + If not set, the default mode is `Sanitize`. + enum: + - Sanitize + - ForwardOnly + - AppendForward + - SanitizeSet + - AlwaysForwardOnly + type: string + type: object + x-kubernetes-validations: + - message: >- + certDetailsToAdd can only be set when mode is + AppendForward or SanitizeSet + rule: >- + (has(self.certDetailsToAdd) && + self.certDetailsToAdd.size() > 0) ? (self.mode == + 'AppendForward' || self.mode == 'SanitizeSet') : + true + type: object + x-kubernetes-validations: + - message: preserveXRequestID and requestID cannot both be set. + rule: '!(has(self.preserveXRequestID) && has(self.requestID))' + healthCheck: + description: >- + HealthCheck provides configuration for determining whether + the HTTP/HTTPS listener is healthy. + properties: + path: + description: >- + Path specifies the HTTP path to match on for health + check requests. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + http1: + description: HTTP1 provides HTTP/1 configuration on the listener. 
+ properties: + disableSafeMaxConnectionDuration: + description: >- + DisableSafeMaxConnectionDuration controls the close + behavior for HTTP/1 connections. + + By default, connection closure is delayed until the next + request arrives after maxConnectionDuration is exceeded. + + It then adds a Connection: close header and gracefully + closes the connection after the response completes. + + When set to true (disabled), Envoy uses its default + drain behavior, closing the connection shortly after + maxConnectionDuration elapses. + + Has no effect unless maxConnectionDuration is set. + type: boolean + enableTrailers: + description: >- + EnableTrailers defines if HTTP/1 trailers should be + proxied by Envoy. + type: boolean + http10: + description: >- + HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 + requests. + properties: + useDefaultHost: + description: >- + UseDefaultHost specifies whether a default Host + header should be injected + + into HTTP/1.0 requests that do not include one. + + + When set to true, Envoy Gateway injects the hostname + associated with the + + listener or route into the request, in the following + order: + + 1. If the targeted listener has a non-wildcard hostname, use that hostname. + 2. If there is exactly one HTTPRoute with a non-wildcard hostname under + the targeted listener, use that hostname. + + Note: Setting this field to true without a non-wildcard hostname makes the + ClientTrafficPolicy invalid. + type: boolean + type: object + preserveHeaderCase: + description: >- + PreserveHeaderCase defines if Envoy should preserve the + letter case of headers. + + By default, Envoy will lowercase all the headers. + type: boolean + type: object + http2: + description: HTTP2 provides HTTP/2 configuration on the listener. 
+ properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial window size + for HTTP/2 connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial window size for + HTTP/2 streams. + + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number of + concurrent streams allowed per connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will terminate the + connection or just the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy deployments to set this + value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + http3: + description: HTTP3 provides HTTP/3 configuration on the listener. + type: object + path: + description: >- + Path enables managing how the incoming path set by clients + can be normalized. + properties: + disableMergeSlashes: + description: >- + DisableMergeSlashes allows disabling the default + configuration of merging adjacent + + slashes in the path. 
+ + Note that slash merging is not part of the HTTP spec and + is provided for convenience. + type: boolean + escapedSlashesAction: + description: >- + EscapedSlashesAction determines how %2f, %2F, %5c, or + %5C sequences in the path URI + + should be handled. + + The default is UnescapeAndRedirect. + enum: + - KeepUnchanged + - RejectRequest + - UnescapeAndForward + - UnescapeAndRedirect + type: string + type: object + proxyProtocol: + description: >- + ProxyProtocol configures the Proxy Protocol settings. When + configured, + + the Proxy Protocol header will be interpreted and the Client + Address + + will be added into the X-Forwarded-For header. + + If both EnableProxyProtocol and ProxyProtocol are set, + ProxyProtocol takes precedence. + minProperties: 0 + properties: + optional: + description: >- + Optional allows requests without a Proxy Protocol header + to be proxied. + + If set to true, the listener will accept requests + without a Proxy Protocol header. + + If set to false, the listener will reject requests + without a Proxy Protocol header. + + If not set, the default behavior is to reject requests + without a Proxy Protocol header. + + Warning: Optional breaks conformance with the + specification. Only enable if ALL traffic to the + listener comes from a trusted source. + + For more information on security implications, see + haproxy.org/download/2.1/doc/proxy-protocol.txt + type: boolean + type: object + scheme: + description: >- + Scheme configures how the :scheme pseudo-header is set for + requests forwarded to backends. + + + - Preserve (default): Preserves the :scheme from the + original client request. + Use this when backends need to know the original client scheme for URL generation or redirects. + + - MatchBackend: Sets the :scheme to match the backend + transport protocol. + If the backend uses TLS, the scheme is "https", otherwise "http". 
+ Use this when backends require the scheme to match the actual transport protocol, + such as strictly HTTPS services that validate the :scheme header. + enum: + - Preserve + - MatchBackend + type: string + targetRef: + description: >- + TargetRef is the name of the resource this policy is being + attached to. + + This policy and the TargetRef MUST be in the same namespace + for this + + Policy to have effect + + + Deprecated: use targetRefs/targetSelectors instead + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire resource. + In the following + + resources, SectionName is interpreted as the following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on the + targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + targetRefs: + description: >- + TargetRefs are the names of the Gateway resources this + policy + + is being attached to. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. 
This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + type: array + targetSelectors: + description: >- + TargetSelectors allow targeting resources for this policy + based on labels + items: + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group that this selector targets. 
+ Defaults to gateway.networking.k8s.io + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the resource kind that this selector targets. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + matchExpressions: + description: >- + MatchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector applies + to. + type: string + operator: + description: >- + operator represents a key's relationship to a + set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + MatchLabels are the set of label selectors for + identifying the targeted resource + type: object + required: + - kind + type: object + x-kubernetes-validations: + - message: group must be gateway.networking.k8s.io + rule: >- + has(self.group) ? self.group == + 'gateway.networking.k8s.io' : true + type: array + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the downstream client + connection. + + If defined, sets SO_KEEPALIVE on the listener socket to + enable TCP Keepalives. + + Disabled by default. 
+ properties: + idleTime: + description: >- + The duration a connection needs to be idle before + keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to send before + deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the client connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + idleTimeout: + description: >- + IdleTimeout for an HTTP connection. Idle time is + defined as a period in which there are no active + requests in the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestReceivedTimeout: + description: >- + RequestReceivedTimeout is the duration envoy waits + for the complete request reception. This timer + starts upon request + + initiation and stops when either the last byte of + the request is sent upstream or when the response + begins. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + Default: 5 minutes. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + idleTimeout: + description: >- + IdleTimeout for a TCP connection. Idle time is + defined as a period in which there are no + + bytes sent or received on either the upstream or + downstream connection. + + Default: 1 hour. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + tls: + description: >- + TLS settings configure TLS termination settings with the + downstream client. + properties: + alpnProtocols: + description: >- + ALPNProtocols supplies the list of ALPN protocols that + should be + + exposed by the listener or used by the proxy to connect + to the backend. + + Defaults: + + 1. HTTPS Routes: h2 and http/1.1 are enabled in listener + context. + + 2. Other Routes: ALPN is disabled. + + 3. Backends: proxy uses the appropriate ALPN options for + the backend protocol. + + When an empty list is provided, the ALPN TLS extension + is disabled. + + + Defaults to [h2, http/1.1] if not specified. + + + Typical Supported values are: + + - http/1.0 + + - http/1.1 + + - h2 + items: + description: >- + ALPNProtocol specifies the protocol to be negotiated + using ALPN + type: string + type: array + ciphers: + description: >- + Ciphers specifies the set of cipher suites supported + when + + negotiating TLS 1.0 - 1.2. This setting has no effect + for TLS 1.3. + + In non-FIPS Envoy Proxy builds the default cipher list + is: + + - + [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + + - + [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + In builds using BoringSSL FIPS the default cipher list + is: + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + items: + type: string + type: array + clientValidation: + description: >- + ClientValidation specifies the configuration to validate + the client + + initiating the TLS connection to the Gateway listener. 
+ properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more references to + + Kubernetes objects that contain TLS certificates of + + the Certificate Authorities that can be used + + as a trust anchor to validate the certificates + presented by the client. + + + A single reference to a Kubernetes ConfigMap or a + Kubernetes Secret, + + with the CA certificate in a key named `ca.crt` is + currently supported. + + + References to a resource in different namespace are + invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the certificate + + to be attached. + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the + Group and Kind must + + be registered in the cluster for this reference to + be valid. + + + References to objects with invalid Group and Kind + are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. 
+ + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 8 + type: array + certificateHashes: + description: >- + An optional list of hex-encoded SHA-256 hashes. If + specified, Envoy will + + verify that the SHA-256 of the DER-encoded presented + certificate matches + + one of the specified values. + items: + type: string + type: array + crl: + description: >- + Crl specifies the crl configuration that can be used + to validate the client initiating the TLS connection + properties: + onlyVerifyLeafCertificate: + description: >- + If this option is set to true, Envoy will only + verify the certificate at the end of the + certificate chain against the CRL. + + Defaults to false, which will verify the entire + certificate chain against the CRL. + type: boolean + refs: + description: >- + Refs contains one or more references to a + Kubernetes ConfigMap or a Kubernetes Secret, + + containing the certificate revocation list in + PEM format + + Expects the content in a key named `ca.crl`. + + + References to a resource in different namespace + are invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the crl + + to be attached. + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; + the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group and + Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. 
+ properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 8 + minItems: 1 + type: array + required: + - refs + type: object + optional: + description: >- + Optional set to true accepts connections even when a + client doesn't present a certificate. + + Defaults to false, which rejects connections without + a valid client certificate. + type: boolean + spkiHashes: + description: >- + An optional list of base64-encoded SHA-256 hashes. + If specified, Envoy will + + verify that the SHA-256 of the DER-encoded Subject + Public Key Information + + (SPKI) of the presented certificate matches one of + the specified values. + items: + type: string + type: array + subjectAltNames: + description: >- + An optional list of Subject Alternative name + matchers. 
If specified, Envoy + + will verify that the Subject Alternative Name of the + presented certificate + + matches one of the specified matchers + properties: + dnsNames: + description: DNS names matchers + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that + can be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + emailAddresses: + description: Email addresses matchers + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that + can be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + ipAddresses: + description: IP addresses matchers + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that + can be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + otherNames: + description: Other names matchers + items: + properties: + oid: + description: OID Value + type: string + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - oid + - value + type: object + type: array + uris: + description: URIs matchers + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that + can be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + type: object + type: object + ecdhCurves: + description: |- + ECDHCurves specifies the set of supported ECDH curves. + In non-FIPS Envoy Proxy builds the default curves are: + - X25519 + - P-256 + In builds using BoringSSL FIPS the default curve is: + - P-256 + items: + type: string + type: array + maxVersion: + description: |- + Max specifies the maximal TLS protocol version to allow + The default is TLS 1.3 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + minVersion: + description: |- + Min specifies the minimal TLS protocol version to allow. + The default is TLS 1.2 if this is not specified. 
+ enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + session: + description: >- + Session defines settings related to TLS session + management. + properties: + resumption: + description: >- + Resumption determines the proxy's supported TLS + session resumption option. + + By default, Envoy Gateway does not enable session + resumption. Use sessionResumption to + + enable stateful and stateless session resumption. + Users should consider security impacts + + of different resumption methods. Performance gains + from resumption are diminished when + + Envoy proxy is deployed with more than one replica. + properties: + stateful: + description: >- + Stateful defines setting for stateful + (session-id based) session resumption + type: object + stateless: + description: >- + Stateless defines setting for stateless + (session-ticket based) session resumption + type: object + type: object + type: object + signatureAlgorithms: + description: >- + SignatureAlgorithms specifies which signature algorithms + the listener should + + support. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: >- + setting ciphers has no effect if the minimum possible + TLS version is 1.3 + rule: >- + has(self.minVersion) && self.minVersion == '1.3' ? + !has(self.ciphers) : true + - message: minVersion must be smaller or equal to maxVersion + rule: >- + has(self.minVersion) && has(self.maxVersion) ? + {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion] + <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : !has(self.minVersion) && has(self.maxVersion) ? 
3 <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : true + type: object + x-kubernetes-validations: + - message: either targetRef or targetRefs must be used + rule: >- + (has(self.targetRef) && !has(self.targetRefs)) || + (!has(self.targetRef) && has(self.targetRefs)) || + (has(self.targetSelectors) && self.targetSelectors.size() > + 0) + - message: >- + this policy can only have a targetRef.group of + gateway.networking.k8s.io + rule: >- + has(self.targetRef) ? self.targetRef.group == + 'gateway.networking.k8s.io' : true + - message: this policy can only have a targetRef.kind of Gateway + rule: >- + has(self.targetRef) ? self.targetRef.kind == 'Gateway' : + true + - message: >- + this policy can only have a targetRefs[*].group of + gateway.networking.k8s.io + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == + 'gateway.networking.k8s.io') : true + - message: this policy can only have a targetRefs[*].kind of Gateway + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == + 'Gateway') : true + status: + description: Status defines the current status of ClientTrafficPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. 
+ Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. 
For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. 
+ + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. 
+ + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. 
For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. 
+ * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. 
+ enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/clusterissuers.cert-manager.io.yaml b/_/CustomResourceDefinition/clusterissuers.cert-manager.io.yaml index 3169e55..84f4843 100644 --- a/_/CustomResourceDefinition/clusterissuers.cert-manager.io.yaml +++ b/_/CustomResourceDefinition/clusterissuers.cert-manager.io.yaml 
@@ -1,13 +1,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + annotations: + controller-gen.kubebuilder.io/version: v0.20.1 name: clusterissuers.cert-manager.io spec: group: cert-manager.io @@ -17,14 +12,16 @@ spec: kind: ClusterIssuer listKind: ClusterIssuerList plural: clusterissuers + shortNames: + - ciss singular: clusterissuer scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message + - jsonPath: .status.conditions[?(@.type == "Ready")].message name: Status priority: 1 type: string 
@@ -41,24 +38,43 @@ spec: openAPIV3Schema: description: >- A ClusterIssuer represents a certificate issuing authority which can - be referenced as part of `issuerRef` fields. It is similar to an - Issuer, however it is cluster-scoped and therefore can be referenced - by resources that exist in *any* namespace, not just the same + be + + referenced as part of `issuerRef` fields. + + It is similar to an Issuer, however it is cluster-scoped and + therefore can + + be referenced by resources that exist in *any* namespace, not just + the same + namespace as the referent. properties: apiVersion: description: >- APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the - latest internal value, and may reject unrecognized values. More - info: + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: >- Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the - client submits requests to. Cannot be updated. In CamelCase. + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string 
@@ -70,59 +86,97 @@ spec: acme: description: >- ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. + (ACME) server + + to obtain signed x509 certificates. properties: caBundle: description: >- Base64-encoded bundle of PEM CAs which can be used to - validate the certificate chain presented by the ACME - server. Mutually exclusive with SkipTLSVerify; prefer - using CABundle to prevent various kinds of security - vulnerabilities. If CABundle and SkipTLSVerify are - unset, the system certificate bundle inside the - container is used to validate the TLS connection. + validate the certificate + + chain presented by the ACME server. + + Mutually exclusive with SkipTLSVerify; prefer using + CABundle to prevent various + + kinds of security vulnerabilities. + + If CABundle and SkipTLSVerify are unset, the system + certificate bundle inside + + the container is used to validate the TLS connection. format: byte type: string disableAccountKeyGeneration: description: >- Enables or disables generating a new ACME account key. + If true, the Issuer resource will *not* request a new - account but will expect the account key to be supplied - via an existing secret. If false, the cert-manager - system will generate a new ACME account key for the - Issuer. Defaults to false. + account but will expect + + the account key to be supplied via an existing secret. + + If false, the cert-manager system will generate a new + ACME account key + + for the Issuer. + + Defaults to false. type: boolean email: description: >- Email is the email address to be associated with the - ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in - case of issues with your account or certificates, - including expiry notification emails. This field may be - updated after the account is initially registered. + ACME account. + + This field is optional, but it is strongly recommended + to be set. 
+ + It will be used to contact you in case of issues with + your account or + + certificates, including expiry notification emails. + + This field may be updated after the account is initially + registered. type: string enableDurationFeature: description: >- Enables requesting a Not After date on certificates that - matches the duration of the certificate. This is not - supported by all ACME servers like Let's Encrypt. If set - to true when the ACME server does not support it it will - create an error on the Order. Defaults to false. + matches the + + duration of the certificate. This is not supported by + all ACME servers + + like Let's Encrypt. If set to true when the ACME server + does not support + + it, it will create an error on the Order. + + Defaults to false. type: boolean externalAccountBinding: description: >- ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration - cert-manager will attempt to associate the given + account of the ACME + + server. + + If set, upon registration cert-manager will attempt to + associate the given + external account credentials with the registered ACME account. properties: keyAlgorithm: description: >- Deprecated: keyAlgorithm field exists for historical - compatibility reasons and should not be used. The - algorithm is now hardcoded to HS256 in - golang/x/crypto/acme. + compatibility + + reasons and should not be used. The algorithm is now + hardcoded to HS256 + + in golang/x/crypto/acme. enum: - HS256 - HS384 
@@ -136,26 +190,39 @@ spec: keySecretRef: description: >- keySecretRef is a Secret Key Selector referencing a - data item in a Kubernetes Secret which holds the - symmetric MAC key of the External Account Binding. + data item in a Kubernetes + + Secret which holds the symmetric MAC key of the + External Account Binding. + The `key` is the index string that is paired with - the key data in the Secret and should not be - confused with the key data itself, or indeed with - the External Account Binding keyID above. The secret - key stored in the Secret **must** be un-padded, - base64 URL encoded data. + the key data in the + + Secret and should not be confused with the key data + itself, or indeed with + + the External Account Binding keyID above. + + The secret key stored in the Secret **must** be + un-padded, base64 URL + + encoded data. properties: key: description: >- The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -168,102 +235,169 @@ spec: preferredChain: description: >- PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that - this one gets delivered by the ACME endpoint. For - example, for Let's Encrypt's DST crosssign you would - use: "DST Root CA X3" or "ISRG Root X1" for the newer - Let's Encrypt root CA. This value picks the first - certificate bundle in the ACME alternative chains that - has a certificate with this value as its issuer's CN + outputs multiple. + + PreferredChain is no guarantee that this one gets + delivered by the ACME + + endpoint. + + For example, for Let's Encrypt's DST cross-sign you + would use: + + "DST Root CA X3" or "ISRG Root X1" for the newer Let's + Encrypt root CA. + + This value picks the first certificate bundle in the + combined set of + + ACME default and alternative chains that has a root-most + certificate with + + this value as its issuer's commonname. maxLength: 64 type: string privateKeySecretRef: description: >- PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated - ACME account private key. Optionally, a `key` may be - specified to select a specific entry within the named - Secret resource. If `key` is not specified, a default of - `tls.key` will be used. + that will be used to + + store the automatically generated ACME account private + key. + + Optionally, a `key` may be specified to select a + specific entry within + + the named Secret resource. + + If `key` is not specified, a default of `tls.key` will + be used. properties: key: description: >- The key of the entry in the Secret resource's `data` - field to be used. Some instances of this field may - be defaulted, in others it may be required. + field to be used. + + Some instances of this field may be defaulted, in + others it may be + + required. type: string name: description: >- - Name of the resource being referred to. 
More info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: - name type: object + profile: + description: >- + Profile allows requesting a certificate profile from the + ACME server. + + Supported profiles are listed by the server's ACME + directory URL. + type: string server: description: >- Server is the URL used to access the ACME server's - 'directory' endpoint. For example, for Let's Encrypt's - staging endpoint, you would use: + 'directory' endpoint. + + For example, for Let's Encrypt's staging endpoint, you + would use: + "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported. type: string skipTLSVerify: description: >- INSECURE: Enables or disables validation of the ACME - server TLS certificate. If true, requests to the ACME - server will not have the TLS certificate chain - validated. Mutually exclusive with CABundle; prefer - using CABundle to prevent various kinds of security - vulnerabilities. Only enable this option in development - environments. If CABundle and SkipTLSVerify are unset, - the system certificate bundle inside the container is - used to validate the TLS connection. Defaults to false. + server TLS certificate. + + If true, requests to the ACME server will not have the + TLS certificate chain + + validated. + + Mutually exclusive with CABundle; prefer using CABundle + to prevent various + + kinds of security vulnerabilities. + + Only enable this option in development environments. + + If CABundle and SkipTLSVerify are unset, the system + certificate bundle inside + + the container is used to validate the TLS connection. + + Defaults to false. type: boolean solvers: description: >- Solvers is a list of challenge solvers that will be used - to solve ACME challenges for the matching domains. + to solve + + ACME challenges for the matching domains. 
+ Solver configurations must be provided in order to - obtain certificates from an ACME server. For more - information, see: + obtain certificates + + from an ACME server. + + For more information, see: https://cert-manager.io/docs/configuration/acme/ items: description: >- An ACMEChallengeSolver describes how to solve ACME - challenges for the issuer it is part of. A selector - may be provided to use different solving strategies - for different DNS names. Only one of HTTP01 or DNS01 - must be provided. + challenges for the issuer it is part of. + + A selector may be provided to use different solving + strategies for different DNS names. + + Only one of HTTP01 or DNS01 must be provided. properties: dns01: description: >- Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge - flow. + authorizations by + + performing the DNS01 challenge flow. properties: acmeDNS: description: >- Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to - manage DNS01 challenge records. + manage + + DNS01 challenge records. properties: accountSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -284,19 +418,25 @@ spec: accessTokenSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -306,19 +446,25 @@ spec: clientSecretSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -328,19 +474,25 @@ spec: clientTokenSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -362,24 +514,40 @@ spec: properties: clientID: description: >- - if both this and ClientSecret are left - unset MSI will be used + Auth: Azure Service Principal: + + The ClientID of the Azure Service + Principal used to authenticate with Azure + DNS. + + If set, ClientSecret and TenantID must + also be set. type: string clientSecretSecretRef: description: >- - if both this and ClientID are left unset - MSI will be used + Auth: Azure Service Principal: + + A reference to a Secret containing the + password associated with the Service + Principal. + + If set, ClientID and TenantID must also be + set. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -401,20 +569,35 @@ spec: type: string managedIdentity: description: >- - managed identity configuration, can not be - used at the same time as clientID, - clientSecretSecretRef or tenantID + Auth: Azure Workload Identity or Azure + Managed Service Identity: + + Settings to enable Azure Workload Identity + or Azure Managed Service Identity + + If set, ClientID, ClientSecret and + TenantID must not be set. properties: clientID: description: >- - client ID of the managed identity, can - not be used at the same time as + client ID of the managed identity, + cannot be used at the same time as resourceID type: string resourceID: description: >- - resource ID of the managed identity, can - not be used at the same time as clientID + resource ID of the managed identity, + cannot be used at the same time as + clientID + + Cannot be used for Azure Managed Service + Identity + type: string + tenantID: + description: >- + tenant ID of the managed identity, + cannot be used at the same time as + resourceID type: string type: object resourceGroupName: @@ -425,8 +608,36 @@ spec: type: string tenantID: description: >- - when specifying ClientID and ClientSecret - then this field is also needed + Auth: Azure Service Principal: + + The TenantID of the Azure Service + Principal used to authenticate with Azure + DNS. + + If set, ClientID and ClientSecret must + also be set. + type: string + zoneType: + description: >- + ZoneType determines which type of Azure + DNS zone to use. + + + Valid values are: + - AzurePublicZone (default): Use a public Azure DNS zone. + - AzurePrivateZone: Use an Azure Private DNS zone. + + If not specified, AzurePublicZone is used. + + + Support for Azure Private DNS zones is + currently + + experimental and may change in future + releases. + enum: + - AzurePublicZone + - AzurePrivateZone type: string required: - resourceGroupName 
@@ -440,29 +651,38 @@ spec: hostedZoneName: description: >- HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If - left empty cert-manager will automatically - choose a zone. + tells cert-manager in which + + Cloud DNS zone the challenge record has to + be created. + + If left empty cert-manager will + automatically choose a zone. type: string project: type: string serviceAccountSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -480,21 +700,28 @@ spec: apiKeySecretRef: description: >- API key to use to authenticate with - Cloudflare. Note: using an API token to - authenticate is now the recommended method + Cloudflare. + + Note: using an API token to authenticate + is now the recommended method + as it allows greater control of permissions. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -509,13 +736,17 @@ spec: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -531,8 +762,9 @@ spec: cnameStrategy: description: >- CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when - found in DNS zones. + provider should handle CNAME + + records when found in DNS zones. enum: - None - Follow @@ -545,19 +777,25 @@ spec: tokenSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -571,44 +809,75 @@ spec: description: >- Use RFC2136 ("Dynamic Updates in the Domain Name System") - (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. + (https://datatracker.ietf.org/doc/rfc2136/) + + to manage DNS01 challenge records. properties: nameserver: - description: "The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])\_; port is optional. This field is required." + description: >- + The IP address or hostname of an + authoritative DNS server supporting + + RFC2136 in the form host:port. If the host + is an IPv6 address it must be + + enclosed in square brackets (e.g + [2001:db8::1]); port is optional. + + This field is required. + type: string + protocol: + description: >- + Protocol to use for dynamic DNS update + queries. Valid values are (case-sensitive) + ``TCP`` and ``UDP``; ``UDP`` (default). + enum: + - TCP + - UDP type: string tsigAlgorithm: description: >- The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when - ``tsigSecretSecretRef`` and - ``tsigKeyName`` are defined. Supported - values are (case-insensitive): ``HMACMD5`` - (default), ``HMACSHA1``, ``HMACSHA256`` or + supporting RFC2136. Used only + + when ``tsigSecretSecretRef`` and + ``tsigKeyName`` are defined. + + Supported values are (case-insensitive): + ``HMACMD5`` (default), + + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. type: string tsigKeyName: description: >- The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is required. type: string tsigSecretSecretRef: description: >- The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this - field is required. + value. + + If ``tsigKeyName`` is defined, this field + is required. 
properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -626,11 +895,17 @@ spec: accessKeyID: description: >- The AccessKeyID is used for - authentication. Cannot be set when - SecretAccessKeyID is set. If neither the - Access Key nor Key ID are set, we - fall-back to using env vars, shared - credentials file or AWS Instance metadata, + authentication. + + Cannot be set when SecretAccessKeyID is + set. + + If neither the Access Key nor Key ID are + set, we fall back to using env + + vars, shared credentials file, or AWS + Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials type: string 
@@ -638,114 +913,259 @@ spec: description: >- The SecretAccessKey is used for authentication. If set, pull the AWS + access key ID from a key within a - Kubernetes Secret. Cannot be set when - AccessKeyID is set. If neither the Access - Key nor Key ID are set, we fall-back to - using env vars, shared credentials file or - AWS Instance metadata, see: + Kubernetes Secret. + + Cannot be set when AccessKeyID is set. + + If neither the Access Key nor Key ID are + set, we fall back to using env + + vars, shared credentials file, or AWS + Instance metadata, + + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: - name type: object + auth: + description: >- + Auth configures how cert-manager + authenticates. + properties: + kubernetes: + description: >- + Kubernetes authenticates with Route53 + using AssumeRoleWithWebIdentity + + by passing a bound ServiceAccount token. + properties: + serviceAccountRef: + description: >- + A reference to a service account that + will be used to request a bound + + token (also known as "projected token"). + To use this field, you must + + configure an RBAC rule to let + cert-manager request a token. + properties: + audiences: + description: >- + TokenAudiences is an optional list of + audiences to include in the + + token passed to AWS. The default token + consisting of the issuer's namespace + + and name is always included. + + If unset the audience defaults to + `sts.amazonaws.com`. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name of the ServiceAccount used to + request a token. + type: string + required: + - name + type: object + required: + - serviceAccountRef + type: object + required: + - kubernetes + type: object hostedZoneID: description: >- If set, the provider will manage only this - zone in Route53 and will not do an lookup + zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. type: string region: description: >- - Always set the region when using - AccessKeyID and SecretAccessKey + Override the AWS region. + + + Route53 is a global service and does not + have regional endpoints but the + + region specified here (or via environment + variables) is used as a hint to + + help compute the correct AWS credential + scope and partition when it + + connects to Route53. See: + + - [Amazon Route 53 endpoints and + quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) + + - [Global + services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) + + + If you omit this region field, + cert-manager will use the region from + + AWS_REGION and AWS_DEFAULT_REGION + environment variables, if they are set + + in the cert-manager controller Pod. + + + The `region` field is not needed if you + use [IAM Roles for Service Accounts + (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). + + Instead an AWS_REGION environment variable + is added to the cert-manager controller + Pod by: + + [Amazon EKS Pod Identity + Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). + + In this case this `region` field value is + ignored. + + + The `region` field is not needed if you + use [EKS Pod + Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
+ + Instead an AWS_REGION environment variable + is added to the cert-manager controller + Pod by: + + [Amazon EKS Pod Identity + Agent](https://github.com/aws/eks-pod-identity-agent), + + In this case this `region` field value is + ignored. type: string role: description: >- Role is a Role ARN which the Route53 provider will assume using either the explicit credentials - AccessKeyID/SecretAccessKey or the - inferred credentials from environment - variables, shared credentials file or AWS - Instance metadata + AccessKeyID/SecretAccessKey + + or the inferred credentials from + environment variables, shared credentials + file or AWS Instance metadata type: string secretAccessKeySecretRef: description: >- The SecretAccessKey is used for - authentication. If neither the Access Key - nor Key ID are set, we fall-back to using - env vars, shared credentials file or AWS - Instance metadata, see: + authentication. + + If neither the Access Key nor Key ID are + set, we fall back to using env + + vars, shared credentials file, or AWS + Instance metadata, + + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: - name type: object - required: - - region type: object webhook: description: >- Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge - records. + challenge solver to manage + + DNS01 challenge records. 
properties: config: description: >- Additional configuration that should be - passed to the webhook apiserver when - challenges are processed. This can contain - arbitrary JSON data. Secret values should - not be specified in this stanza. If secret - values are needed (e.g. credentials for a - DNS service), you should use a - SecretKeySelector to reference a Secret - resource. For details on the schema of - this field, consult the webhook provider + passed to the webhook apiserver + + when challenges are processed. + + This can contain arbitrary JSON data. + + Secret values should not be specified in + this stanza. + + If secret values are needed (e.g., + credentials for a DNS service), you + + should use a SecretKeySelector to + reference a Secret resource. + + For details on the schema of this field, + consult the webhook provider + implementation's documentation. x-kubernetes-preserve-unknown-fields: true groupName: description: >- The API group name that should be used - when POSTing ChallengePayload resources to - the webhook apiserver. This should be the - same as the GroupName specified in the - webhook provider implementation. + when POSTing ChallengePayload + + resources to the webhook apiserver. + + This should be the same as the GroupName + specified in the webhook + + provider implementation. type: string solverName: description: >- The name of the solver to use, as defined - in the webhook provider implementation. + in the webhook provider + + implementation. + This will typically be the name of the - provider, e.g. 'cloudflare'. + provider, e.g., 'cloudflare'. type: string required: - groupName 
@@ -755,79 +1175,130 @@ spec: http01: description: >- Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge - flow. It is not possible to obtain certificates - for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. + authorizations by + + performing the HTTP01 challenge flow. + + It is not possible to obtain certificates for + wildcard domain names + + (e.g., `*.example.com`) using the HTTP01 challenge + mechanism. properties: gatewayHTTPRoute: description: >- The Gateway API is a sig-network community API - that models service networking in Kubernetes + that models service networking + + in Kubernetes (https://gateway-api.sigs.k8s.io/). The - Gateway solver will create HTTPRoutes with the - specified labels in the same namespace as the - challenge. This solver is experimental, and - fields / behaviour may change in the future. + Gateway solver will + + create HTTPRoutes with the specified labels in + the same namespace as the challenge. + + This solver is experimental, and fields / + behaviour may change in the future. properties: labels: additionalProperties: type: string description: >- Custom labels that will be applied to - HTTPRoutes created by cert-manager while - solving HTTP-01 challenges. + HTTPRoutes created by cert-manager + + while solving HTTP-01 challenges. type: object parentRefs: description: >- When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. + cert-manager needs to know which parentRefs should be used when creating + the HTTPRoute. Usually, the parentRef references a Gateway. See: + https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways items: description: >- ParentReference identifies an API object (usually a Gateway) that can be - considered a parent of this resource - (usually a route). 
There are two kinds - of parent resources with "Core" - support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. + considered + + a parent of this resource (usually a + route). There are two kinds of parent + resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, + ClusterIP Services only) + + + This API may be extended in the future + to support additional kinds of parent + + resources. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. properties: group: default: gateway.networking.k8s.io description: >- - Group is the group of the referent. When - unspecified, "gateway.networking.k8s.io" - is inferred. To set the core API group - (such as for a "Service" kind referent), + Group is the group of the referent. + + When unspecified, + "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a + "Service" kind referent), + Group must be explicitly set to "" - (empty string). - Support: Core + (empty string). + + + Support: Core maxLength: 253 pattern: >- ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: default: Gateway - description: |- - Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) - Support for other resources is Implementation-Specific. + description: >- + Kind is kind of the referent. 
+ + + There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, + ClusterIP Services only) + + + Support for other resources is + Implementation-Specific. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: |- - Name is the name of the referent. - Support: Core + Name is the name of the referent. + + Support: Core maxLength: 253 minLength: 1 type: string 
@@ -835,11 +1306,55 @@ spec: description: >- Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. - Support: Core + + to the local namespace of the Route. + + + Note that there are specific rules for + ParentRefs which cross namespace + + boundaries. Cross-namespace references + are only valid if they are explicitly + + allowed by something in the namespace + they are referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in + the same namespace are "producer" + + routes, which apply default routing + rules to inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in + a different namespace are + + "consumer" routes, and these routing + rules are only applied to outbound + + connections originating from the same + namespace as the Route, for which + + the intended destination of the + connections are a Service targeted as a + + ParentRef of the Route. 
+ + + + + Support: Core maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -848,14 +1363,79 @@ spec: description: >- Port is the network port this Route targets. It can be interpreted + differently based on the type of parent - resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended - + resource. + + + When the parent resource is a Gateway, + this targets all listeners + + listening on the specified port that + also support this kind of Route(and + + select this Route). It's not recommended + to set `Port` unless the + + networking behaviors specified in a + Route must apply to a specific port + + as opposed to a listener(s) whose + port(s) may be changed. 
When both Port + + and SectionName are specified, the name + and port of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, + this targets a specific port in the + + Service spec. When both Port + (experimental) and SectionName are + specified, + + the name and port of the selected port + must match both specified values. + + + + + Implementations MAY choose to support + other parent resources. + + Implementations supporting other types + of parent resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment + is considered successful as + + long as the parent resource accepts it + partially. For example, Gateway + + listeners can restrict which Routes can + attach to them by Route kind, + + namespace, or hostname. If 1 of 2 + Gateway listeners accept attachment + + from the referencing Route, the Route + MUST be considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached + from the Gateway. + + + Support: Extended format: int32 maximum: 65535 minimum: 1 
@@ -864,12 +1444,63 @@ spec: description: >- SectionName is the name of a section within the target resource. In the + following resources, SectionName is - interpreted as the following: - * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core + interpreted as the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the + selected listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the + selected listener must match + + both specified values. + + + Implementations MAY choose to support + attaching Routes to other resources. + + If that is the case, they MUST clearly + document how SectionName is + + interpreted. 
+ + + When unspecified (empty string), this + will reference the entire resource. + + For the purpose of status, an attachment + is considered successful if at + + least one section in the parent resource + accepts it. For example, Gateway + + listeners can restrict which Routes can + attach to them by Route kind, + + namespace, or hostname. If 1 of 2 + Gateway listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from + the Gateway. + + + Support: Core maxLength: 253 minLength: 1 pattern: >- 
@@ -879,99 +1510,25 @@ spec: - name type: object type: array - serviceType: - description: >- - Optional service type for Kubernetes - solver service. Supported values are - NodePort or ClusterIP. If unset, defaults - to NodePort. - type: string - type: object - ingress: - description: >- - The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying - Ingress resources in order to route requests - for '/.well-known/acme-challenge/XYZ' to - 'challenge solver' pods that are provisioned - by cert-manager for each Challenge to be - completed. - properties: - class: - description: >- - This field configures the annotation - `kubernetes.io/ingress.class` when - creating Ingress resources to solve ACME - challenges that use this challenge solver. - Only one of `class`, `name` or - `ingressClassName` may be specified. - type: string - ingressClassName: - description: >- - This field configures the field - `ingressClassName` on the created Ingress - resources used to solve ACME challenges - that use this challenge solver. This is - the recommended way of configuring the - ingress class. Only one of `class`, `name` - or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: >- - Optional ingress template used to - configure the ACME challenge solver - ingress used for HTTP01 challenges. - properties: - metadata: - description: >- - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only - the 'labels' and 'annotations' fields - may be set. If labels or annotations - overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: >- - Annotations that should be added to the - created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: >- - Labels that should be added to the - created ACME HTTP01 solver ingress. 
- type: object - type: object - type: object - name: - description: >- - The name of the ingress resource that - should have ACME challenge solving routes - inserted into it in order to solve HTTP01 - challenges. This is typically used in - conjunction with ingress controllers like - ingress-gce, which maintains a 1:1 mapping - between external IPs and ingress - resources. Only one of `class`, `name` or - `ingressClassName` may be specified. - type: string + x-kubernetes-list-type: atomic podTemplate: description: >- Optional pod template used to configure - the ACME challenge solver pods used for - HTTP01 challenges. + the ACME challenge solver pods + + used for HTTP01 challenges. properties: metadata: description: >- ObjectMeta overrides for the pod used to - solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be - set. If labels or annotations overlap - with in-built values, the values here + solve HTTP01 challenges. + + Only the 'labels' and 'annotations' + fields may be set. + + If labels or annotations overlap with + in-built values, the values here + will override the in-built values. properties: annotations: @@ -979,7 +1536,7 @@ spec: type: string description: >- Annotations that should be added to the - create ACME HTTP01 solver pods. + created ACME HTTP01 solver pods. type: object labels: additionalProperties: @@ -992,9 +1549,12 @@ spec: spec: description: >- PodSpec defines overrides for the HTTP01 - challenge solver pod. Check + challenge solver pod. + + Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. + All other fields will be ignored. properties: affinity: 
@@ -1010,27 +1570,38 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: description: >- The scheduler will prefer to schedule - pods to nodes that satisfy the affinity - expressions specified by this field, but - it may choose a node that violates one - or more of the expressions. The node - that is most preferred is the one with - the greatest sum of weights, i.e. for - each node that meets all of the + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling - affinity expressions, etc.), compute a - sum by iterating through the elements of - this field and adding "weight" to the - sum if the node matches the - corresponding matchExpressions; the + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: description: >- An empty preferred scheduling term matches all objects with implicit weight - 0 (i.e. it's a no-op). A null preferred + 0 + + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: @@ -1047,8 +1618,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1058,28 +1630,37 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: >- A list of node selector requirements by @@ -1088,8 +1669,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1099,28 +1681,37 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic weight: 
@@ -1135,17 +1726,23 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: >- If the affinity requirements specified - by this field are not met at scheduling - time, the pod will not be scheduled onto - the node. If the affinity requirements - specified by this field cease to be met + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + at some point during pod execution (e.g. - due to an update), the system may or may - not try to eventually evict the pod from - its node. + due to an update), the system + + may or may not try to eventually evict + the pod from its node. properties: nodeSelectorTerms: description: >- @@ -1155,9 +1752,11 @@ spec: description: >- A null or empty node selector term matches no objects. The requirements of - them are ANDed. The TopologySelectorTerm - type implements a subset of the - NodeSelectorTerm. + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. properties: matchExpressions: description: >- @@ -1167,8 +1766,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1178,28 +1778,37 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: >- A list of node selector requirements by @@ -1208,8 +1817,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1219,31 +1829,41 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object 
@@ -1258,20 +1878,30 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: description: >- The scheduler will prefer to schedule - pods to nodes that satisfy the affinity - expressions specified by this field, but - it may choose a node that violates one - or more of the expressions. The node - that is most preferred is the one with - the greatest sum of weights, i.e. for - each node that meets all of the + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling - affinity expressions, etc.), compute a - sum by iterating through the elements of - this field and adding "weight" to the - sum if the node has pods which matches - the corresponding podAffinityTerm; the + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: @@ -1291,6 +1921,9 @@ spec: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: description: >- @@ -1301,8 +1934,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1312,49 +1946,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1366,8 +2083,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1377,36 +2095,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1414,27 +2144,38 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -1442,8 +2183,9 @@ spec: weight: description: >- weight associated with matching the - corresponding podAffinityTerm, in the - range 1-100. + corresponding podAffinityTerm, + + in the range 1-100. format: int32 type: integer required: 
@@ -1451,38 +2193,55 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: >- If the affinity requirements specified - by this field are not met at scheduling - time, the pod will not be scheduled onto - the node. If the affinity requirements - specified by this field cease to be met + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + at some point during pod execution (e.g. - due to a pod label update), the system - may or may not try to eventually evict - the pod from its node. When there are - multiple elements, the lists of nodes - corresponding to each podAffinityTerm - are intersected, i.e. all terms must be - satisfied. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. items: description: >- Defines a set of pods (namely those - matching the labelSelector relative to - the given namespace(s)) that this pod - should be co-located (affinity) or not - co-located (anti-affinity) with, where - co-located is defined as running on a - node whose value of the label with key - matches that of any node - on which a pod of the set of pods is - running + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running properties: labelSelector: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. 
properties: matchExpressions: description: >- @@ -1493,8 +2252,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1504,49 +2264,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1558,8 +2401,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1569,36 +2413,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1606,32 +2462,44 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object podAntiAffinity: description: >- 
@@ -1643,21 +2511,30 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: description: >- The scheduler will prefer to schedule - pods to nodes that satisfy the - anti-affinity expressions specified by - this field, but it may choose a node - that violates one or more of the - expressions. The node that is most - preferred is the one with the greatest - sum of weights, i.e. for each node that - meets all of the scheduling requirements - (resource request, - requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum if - the node has pods which matches the - corresponding podAffinityTerm; the + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: @@ -1677,6 +2554,9 @@ spec: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: description: >- @@ -1687,8 +2567,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1698,49 +2579,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1752,8 +2716,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1763,36 +2728,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1800,27 +2777,38 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -1828,8 +2816,9 @@ spec: weight: description: >- weight associated with matching the - corresponding podAffinityTerm, in the - range 1-100. + corresponding podAffinityTerm, + + in the range 1-100. format: int32 type: integer required: 
@@ -1837,38 +2826,55 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: >- If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be - scheduled onto the node. If the - anti-affinity requirements specified by - this field cease to be met at some point - during pod execution (e.g. due to a pod - label update), the system may or may not - try to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to each + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: >- Defines a set of pods (namely those - matching the labelSelector relative to - the given namespace(s)) that this pod - should be co-located (affinity) or not - co-located (anti-affinity) with, where - co-located is defined as running on a - node whose value of the label with key - matches that of any node - on which a pod of the set of pods is - running + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running properties: labelSelector: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: description: >- 
@@ -1879,8 +2885,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1890,49 +2897,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1944,8 +3034,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1955,36 +3046,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1992,32 +3095,44 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object type: object imagePullSecrets: 
@@ -2026,28 +3141,44 @@ spec: description: >- LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: + default: '' description: >- - Name of the referent. More info: + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. - apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map nodeSelector: additionalProperties: type: string description: >- NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on - that node. More info: + that node. + + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object priorityClassName: 
@@ -2055,6 +3186,328 @@ spec: If specified, the pod's priorityClassName. type: string + resources: + description: >- + If specified, the pod's resource + requirements. + + These values override the global + resource configuration flags. + + Note that when only specifying resource + limits, ensure they are greater than or + equal + + to the corresponding global resource + requests configured via controller flags + + (--acme-http01-solver-resource-request-cpu, + --acme-http01-solver-resource-request-memory). + + Kubernetes will reject pod creation if + limits are lower than requests, causing + challenge failures. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to the global values + configured via controller flags. + Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: If specified, the pod's security context + properties: + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. 
+ + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. 
+ type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + addition + + to the container's primary GID, the + fsGroup (if specified), and group + memberships + + defined in the container image for the + uid of the container process. If + unspecified, + + no additional groups are added to any + container. Note that group memberships + + defined in the container image for the + uid of the container process are still + effective, + + even if they are not included in this + list. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. + items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + type: object serviceAccountName: description: If specified, the pod's service account type: string 
@@ -2063,182 +3516,2456 @@ spec: items: description: >- The pod this Toleration is attached to - tolerates any taint that matches the - triple using the + tolerates any taint that matches + + the triple using the matching operator . properties: effect: description: >- Effect indicates the taint effect to match. Empty means match all taint - effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: >- Key is the taint key that the toleration applies to. Empty means match all taint - keys. If the key is empty, operator must - be Exists; this combination means to - match all values and all keys. + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. type: string operator: description: >- Operator represents a key's relationship - to the value. Valid operators are Exists - and Equal. Defaults to Equal. Exists is - equivalent to wildcard for value, so - that a pod can tolerate all taints of a - particular category. + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). type: string tolerationSeconds: description: >- TolerationSeconds represents the period - of time the toleration (which must be of - effect NoExecute, otherwise this field - is ignored) tolerates the taint. By - default, it is not set, which means - tolerate the taint forever (do not - evict). Zero and negative values will be - treated as 0 (evict immediately) by the - system. + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. 
+ By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. format: int64 type: integer value: description: >- Value is the taint value the toleration - matches to. If the operator is Exists, - the value should be empty, otherwise - just a regular string. + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. type: string type: object type: array + x-kubernetes-list-type: atomic type: object type: object serviceType: description: >- Optional service type for Kubernetes - solver service. Supported values are - NodePort or ClusterIP. If unset, defaults - to NodePort. + solver service. Supported values + + are NodePort or ClusterIP. If unset, + defaults to NodePort. type: string type: object - type: object - selector: - description: >- - Selector selects a set of DNSNames on the - Certificate resource that should be solved using - this challenge solver. If not specified, the - solver will be treated as the 'default' solver - with the lowest priority, i.e. if any other solver - has a more specific match, it will be used - instead. - properties: - dnsNames: - description: >- - List of DNSNames that this solver will be used - to solve. If specified and a match is found, a - dnsNames selector will take precedence over a - dnsZones selector. If multiple solvers match - with the same dnsNames value, the solver with - the most matching labels in matchLabels will - be selected. If neither has more matches, the - solver defined earlier in the list will be - selected. - items: - type: string - type: array - dnsZones: - description: >- - List of DNSZones that this solver will be used - to solve. 
The most specific DNS zone match - specified here will take precedence over other - DNS zone matches, so a solver specifying - sys.example.com will be selected over one - specifying example.com for the domain - www.sys.example.com. If multiple solvers match - with the same dnsZones value, the solver with - the most matching labels in matchLabels will - be selected. If neither has more matches, the - solver defined earlier in the list will be - selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string + ingress: description: >- - A label selector that is used to refine the - set of certificate's that this challenge - solver will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: >- - CA configures this issuer to sign certificates using a - signing CA keypair stored in a Secret resource. This is used - to build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: >- - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from - which the revocation of this certificate can be checked. - If not set, certificates will be issued without - distribution points set. - items: - type: string - type: array - ocspServers: - description: >- - The OCSP server list is an X.509 v3 extension that - defines a list of URLs of OCSP responders. The OCSP - responders can be queried for the revocation status of - an issued certificate. If not set, the certificate will - be issued with no OCSP servers set. For example, an OCSP - server URL could be - "http://ocsp.int-x3.letsencrypt.org". - items: - type: string - type: array - secretName: - description: >- - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. 
- type: string - required: - - secretName - type: object - selfSigned: - description: >- - SelfSigned configures this issuer to 'self sign' - certificates using the private key used to create the - CertificateRequest object. - properties: - crlDistributionPoints: - description: >- - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from - which the revocation of this certificate can be checked. - If not set certificate will be issued without CDP. - Values are strings. - items: - type: string - type: array - type: object - vault: - description: >- - Vault configures this issuer to sign certificates using a - HashiCorp Vault PKI backend. - properties: + The ingress based HTTP01 challenge solver will + solve challenges by + + creating or modifying Ingress resources in + order to route requests for + + '/.well-known/acme-challenge/XYZ' to + 'challenge solver' pods that are + + provisioned by cert-manager for each Challenge + to be completed. + properties: + class: + description: >- + This field configures the annotation + `kubernetes.io/ingress.class` when + + creating Ingress resources to solve ACME + challenges that use this + + challenge solver. Only one of `class`, + `name` or `ingressClassName` may + + be specified. + type: string + ingressClassName: + description: >- + This field configures the field + `ingressClassName` on the created Ingress + + resources used to solve ACME challenges + that use this challenge solver. + + This is the recommended way of configuring + the ingress class. Only one of + + `class`, `name` or `ingressClassName` may + be specified. + type: string + ingressTemplate: + description: >- + Optional ingress template used to + configure the ACME challenge solver + + ingress used for HTTP01 challenges. + properties: + metadata: + description: >- + ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. + + Only the 'labels' and 'annotations' + fields may be set. 
+ + If labels or annotations overlap with + in-built values, the values here + + will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: >- + Annotations that should be added to the + created ACME HTTP01 solver ingress. + type: object + labels: + additionalProperties: + type: string + description: >- + Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: >- + The name of the ingress resource that + should have ACME challenge solving + + routes inserted into it in order to solve + HTTP01 challenges. + + This is typically used in conjunction with + ingress controllers like + + ingress-gce, which maintains a 1:1 mapping + between external IPs and + + ingress resources. Only one of `class`, + `name` or `ingressClassName` may + + be specified. + type: string + podTemplate: + description: >- + Optional pod template used to configure + the ACME challenge solver pods + + used for HTTP01 challenges. + properties: + metadata: + description: >- + ObjectMeta overrides for the pod used to + solve HTTP01 challenges. + + Only the 'labels' and 'annotations' + fields may be set. + + If labels or annotations overlap with + in-built values, the values here + + will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: >- + Annotations that should be added to the + created ACME HTTP01 solver pods. + type: object + labels: + additionalProperties: + type: string + description: >- + Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: >- + PodSpec defines overrides for the HTTP01 + challenge solver pod. + + Check + ACMEChallengeSolverHTTP01IngressPodSpec + to find out currently supported fields. + + All other fields will be ignored. 
+ properties: + affinity: + description: >- + If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: >- + Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + An empty preferred scheduling term + matches all objects with implicit weight + 0 + + (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: >- + A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: >- + Weight associated with matching the + corresponding nodeSelectorTerm, in the + range 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to an update), the system + + may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: >- + Required. A list of node selector terms. + The terms are ORed. + items: + description: >- + A null or empty node selector term + matches no objects. The requirements of + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: >- + Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. 
+ + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. 
+ + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. 
+ + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. 
+ + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. 
Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. 
+ + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: >- + Describes pod anti-affinity scheduling + rules (e.g. 
avoid putting this pod in + the same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. 
Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the anti-affinity requirements + specified by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. 
+ + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. 
+ + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. 
+ + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + items: + description: >- + LocalObjectReference contains enough + information to let you locate the + + referenced object inside the same + namespace. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + nodeSelector: + additionalProperties: + type: string + description: >- + NodeSelector is a selector which must be + true for the pod to fit on a node. + + Selector which must match a node's + labels for the pod to be scheduled on + that node. + + More info: + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + priorityClassName: + description: >- + If specified, the pod's + priorityClassName. + type: string + resources: + description: >- + If specified, the pod's resource + requirements. 
+ + These values override the global + resource configuration flags. + + Note that when only specifying resource + limits, ensure they are greater than or + equal + + to the corresponding global resource + requests configured via controller flags + + (--acme-http01-solver-resource-request-cpu, + --acme-http01-solver-resource-request-memory). + + Kubernetes will reject pod creation if + limits are lower than requests, causing + challenge failures. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to the global values + configured via controller flags. + Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: If specified, the pod's security context + properties: + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. + + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. 
The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. 
If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. 
+ + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + addition + + to the container's primary GID, the + fsGroup (if specified), and group + memberships + + defined in the container image for the + uid of the container process. If + unspecified, + + no additional groups are added to any + container. Note that group memberships + + defined in the container image for the + uid of the container process are still + effective, + + even if they are not included in this + list. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. + items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + type: object + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: >- + The pod this Toleration is attached to + tolerates any taint that matches + + the triple using the + matching operator . + properties: + effect: + description: >- + Effect indicates the taint effect to + match. Empty means match all taint + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: >- + Key is the taint key that the toleration + applies to. 
Empty means match all taint + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. + type: string + operator: + description: >- + Operator represents a key's relationship + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: >- + TolerationSeconds represents the period + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. + By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. + format: int64 + type: integer + value: + description: >- + Value is the taint value the toleration + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + serviceType: + description: >- + Optional service type for Kubernetes + solver service. Supported values + + are NodePort or ClusterIP. If unset, + defaults to NodePort. + type: string + type: object + type: object + selector: + description: >- + Selector selects a set of DNSNames on the + Certificate resource that + + should be solved using this challenge solver. + + If not specified, the solver will be treated as + the 'default' solver + + with the lowest priority, i.e. if any other solver + has a more specific + + match, it will be used instead. + properties: + dnsNames: + description: >- + List of DNSNames that this solver will be used + to solve. 
+ + If specified and a match is found, a dnsNames + selector will take + + precedence over a dnsZones selector. + + If multiple solvers match with the same + dnsNames value, the solver + + with the most matching labels in matchLabels + will be selected. + + If neither has more matches, the solver + defined earlier in the list + + will be selected. + items: + type: string + type: array + x-kubernetes-list-type: atomic + dnsZones: + description: >- + List of DNSZones that this solver will be used + to solve. + + The most specific DNS zone match specified + here will take precedence + + over other DNS zone matches, so a solver + specifying sys.example.com + + will be selected over one specifying + example.com for the domain + + www.sys.example.com. + + If multiple solvers match with the same + dnsZones value, the solver + + with the most matching labels in matchLabels + will be selected. + + If neither has more matches, the solver + defined earlier in the list + + will be selected. + items: + type: string + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + A label selector that is used to refine the + set of certificate's that + + this challenge solver will apply to. + type: object + type: object + type: object + type: array + x-kubernetes-list-type: atomic + required: + - privateKeySecretRef + - server + type: object + ca: + description: >- + CA configures this issuer to sign certificates using a + signing CA keypair + + stored in a Secret resource. + + This is used to build internal PKIs that are managed by + cert-manager. + properties: + crlDistributionPoints: + description: >- + The CRL distribution points is an X.509 v3 certificate + extension which identifies + + the location of the CRL from which the revocation of + this certificate can be checked. + + If not set, certificates will be issued without + distribution points set. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + issuingCertificateURLs: + description: >- + IssuingCertificateURLs is a list of URLs which this + issuer should embed into certificates + + it creates. See + https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 + for more details. + + As an example, such a URL might be + "http://ca.domain.com/ca.crt". + items: + type: string + type: array + x-kubernetes-list-type: atomic + ocspServers: + description: >- + The OCSP server list is an X.509 v3 extension that + defines a list of + + URLs of OCSP responders. The OCSP responders can be + queried for the + + revocation status of an issued certificate. If not set, + the + + certificate will be issued with no OCSP servers set. For + example, an + + OCSP server URL could be + "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + x-kubernetes-list-type: atomic + secretName: + description: >- + SecretName is the name of the secret used to sign + Certificates issued + + by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: >- + SelfSigned configures this issuer to 'self sign' + certificates using the + + private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: >- + The CRL distribution points is an X.509 v3 certificate + extension which identifies + + the location of the CRL from which the revocation of + this certificate can be checked. + + If not set certificate will be issued without CDP. + Values are strings. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + vault: + description: >- + Vault configures this issuer to sign certificates using a + HashiCorp Vault + + PKI backend. + properties: auth: description: >- Auth configures how cert-manager authenticates with the 
@@ -2247,39 +5974,52 @@ spec: appRole: description: >- AppRole authenticates with Vault using the App Role - auth mechanism, with the role and secret stored in a - Kubernetes Secret resource. + auth mechanism, + + with the role and secret stored in a Kubernetes + Secret resource. properties: path: description: >- Path where the App Role authentication backend - is mounted in Vault, e.g: "approle" + is mounted in Vault, e.g: + + "approle" type: string roleId: description: >- RoleID configured in the App Role authentication - backend when setting up the authentication - backend in Vault. + backend when setting + + up the authentication backend in Vault. type: string secretRef: description: >- Reference to a key in a Secret that contains the - App Role secret used to authenticate with Vault. + App Role secret used + + to authenticate with Vault. + The `key` field must be specified and denotes - which entry within the Secret resource is used - as the app role secret. + which entry within the Secret + + resource is used as the app role secret. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -2290,45 +6030,102 @@ spec: - roleId - secretRef type: object + clientCertificate: + description: >- + ClientCertificate authenticates with Vault by + presenting a client + + certificate during the request's TLS handshake. + + Works only when using HTTPS protocol. + properties: + mountPath: + description: >- + The Vault mountPath here is the mount path to + use when authenticating with + + Vault. For example, setting a value to + `/v1/auth/foo`, will use the path + + `/v1/auth/foo/login` to authenticate with Vault. + If unspecified, the + + default value "/v1/auth/cert" will be used. + type: string + name: + description: >- + Name of the certificate role to authenticate + against. + + If not set, matching any certificate role, if + available. + type: string + secretName: + description: >- + Reference to Kubernetes Secret of type + "kubernetes.io/tls" (hence containing + + tls.crt and tls.key) used to authenticate to + Vault using TLS client + + authentication. + type: string + type: object kubernetes: description: >- Kubernetes authenticates with Vault by passing the - ServiceAccount token stored in the named Secret - resource to the Vault server. + ServiceAccount + + token stored in the named Secret resource to the + Vault server. properties: mountPath: description: >- The Vault mountPath here is the mount path to - use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the - path `/v1/auth/foo/login` to authenticate with - Vault. If unspecified, the default value - "/v1/auth/kubernetes" will be used. + use when authenticating with + + Vault. For example, setting a value to + `/v1/auth/foo`, will use the path + + `/v1/auth/foo/login` to authenticate with Vault. + If unspecified, the + + default value "/v1/auth/kubernetes" will be + used. type: string role: description: >- A required field containing the Vault Role to - assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. + assume. 
A Role binds a + + Kubernetes ServiceAccount with a set of Vault + policies. type: string secretRef: description: >- The required Secret field containing a - Kubernetes ServiceAccount JWT used for - authenticating with Vault. Use of 'ambient - credentials' is not supported. + Kubernetes ServiceAccount JWT used + + for authenticating with Vault. Use of 'ambient + credentials' is not + + supported. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -2337,13 +6134,31 @@ spec: serviceAccountRef: description: >- A reference to a service account that will be - used to request a bound token (also known as - "projected token"). Compared to using - "secretRef", using this field means that you - don't rely on statically bound tokens. To use - this field, you must configure an RBAC rule to - let cert-manager request a token. + used to request a bound + + token (also known as "projected token"). + Compared to using "secretRef", + + using this field means that you don't rely on + statically bound tokens. To + + use this field, you must configure an RBAC rule + to let cert-manager + + request a token. properties: + audiences: + description: >- + TokenAudiences is an optional list of extra + audiences to include in the token passed to + Vault. + + The default audiences are always included in + the token. + items: + type: string + type: array + x-kubernetes-list-type: atomic name: description: >- Name of the ServiceAccount used to request a 
@@ -2363,14 +6178,18 @@ spec: key: description: >- The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -2380,11 +6199,18 @@ spec: caBundle: description: >- Base64-encoded bundle of PEM CAs which will be used to - validate the certificate chain presented by Vault. Only - used if using HTTPS to connect to Vault and ignored for - HTTP connections. Mutually exclusive with - CABundleSecretRef. If neither CABundle nor - CABundleSecretRef are defined, the certificate bundle in + validate the certificate + + chain presented by Vault. Only used if using HTTPS to + connect to Vault and + + ignored for HTTP connections. + + Mutually exclusive with CABundleSecretRef. + + If neither CABundle nor CABundleSecretRef are defined, + the certificate bundle in + the cert-manager controller container is used to validate the TLS connection. format: byte 
@@ -2392,23 +6218,91 @@ spec: caBundleSecretRef: description: >- Reference to a Secret containing a bundle of PEM-encoded - CAs to use when verifying the certificate chain - presented by Vault when using HTTPS. Mutually exclusive - with CABundle. If neither CABundle nor CABundleSecretRef - are defined, the certificate bundle in the cert-manager - controller container is used to validate the TLS - connection. If no key for the Secret is specified, - cert-manager will default to 'ca.crt'. + CAs to use when + + verifying the certificate chain presented by Vault when + using HTTPS. + + Mutually exclusive with CABundle. + + If neither CABundle nor CABundleSecretRef are defined, + the certificate bundle in + + the cert-manager controller container is used to + validate the TLS connection. + + If no key for the Secret is specified, cert-manager will + default to 'ca.crt'. + properties: + key: + description: >- + The key of the entry in the Secret resource's `data` + field to be used. + + Some instances of this field may be defaulted, in + others it may be + + required. + type: string + name: + description: >- + Name of the resource being referred to. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + clientCertSecretRef: + description: >- + Reference to a Secret containing a PEM-encoded Client + Certificate to use when the + + Vault server requires mTLS. + properties: + key: + description: >- + The key of the entry in the Secret resource's `data` + field to be used. + + Some instances of this field may be defaulted, in + others it may be + + required. + type: string + name: + description: >- + Name of the resource being referred to. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + clientKeySecretRef: + description: >- + Reference to a Secret containing a PEM-encoded Client + Private Key to use when the + + Vault server requires mTLS. properties: key: description: >- The key of the entry in the Secret resource's `data` - field to be used. Some instances of this field may - be defaulted, in others it may be required. + field to be used. + + Some instances of this field may be defaulted, in + others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -2419,19 +6313,29 @@ spec: Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: description: >- Path is the mount path of the Vault PKI backend's `sign` - endpoint, e.g: "my_pki_mount/sign/my-role-name". + endpoint, e.g: + + "my_pki_mount/sign/my-role-name". type: string server: description: >- Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". type: string + serverName: + description: >- + ServerName is used to verify the hostname on the + returned certificates + + by the Vault server. + type: string required: - auth - path 
@@ -2440,29 +6344,38 @@ spec: venafi: description: >- Venafi configures this issuer to sign certificates using a - Venafi TPP or Venafi Cloud policy zone. + CyberArk Certificate Manager Self-Hosted + + or SaaS policy zone. properties: cloud: description: >- - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. + Cloud specifies the CyberArk Certificate Manager SaaS + configuration settings. + + Only one of CyberArk Certificate Manager may be + specified. properties: apiTokenSecretRef: description: >- APITokenSecretRef is a secret key selector for the - Venafi Cloud API token. + CyberArk Certificate Manager SaaS API token. properties: key: description: >- The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -2470,38 +6383,92 @@ spec: type: object url: description: >- - URL is the base URL for Venafi Cloud. Defaults to - "https://api.venafi.cloud/v1". + URL is the base URL for CyberArk Certificate Manager + SaaS. + + Defaults to "https://api.venafi.cloud/". type: string required: - apiTokenSecretRef type: object tpp: description: >- - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. + TPP specifies CyberArk Certificate Manager Self-Hosted + configuration settings. + + Only one of CyberArk Certificate Manager may be + specified. properties: caBundle: description: >- Base64-encoded bundle of PEM CAs which will be used - to validate the certificate chain presented by the - TPP server. Only used if using HTTPS; ignored for - HTTP. If undefined, the certificate bundle in the - cert-manager controller container is used to - validate the chain. + to validate the certificate + + chain presented by the CyberArk Certificate Manager + Self-Hosted server. Only used if using HTTPS; + ignored for HTTP. + + If undefined, the certificate bundle in the + cert-manager controller container + + is used to validate the chain. format: byte type: string + caBundleSecretRef: + description: >- + Reference to a Secret containing a base64-encoded + bundle of PEM CAs + + which will be used to validate the certificate chain + presented by the CyberArk Certificate Manager + Self-Hosted server. + + Only used if using HTTPS; ignored for HTTP. Mutually + exclusive with CABundle. + + If neither CABundle nor CABundleSecretRef is + defined, the certificate bundle in + + the cert-manager controller container is used to + validate the TLS connection. + properties: + key: + description: >- + The key of the entry in the Secret resource's + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + + required. + type: string + name: + description: >- + Name of the resource being referred to. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object credentialsRef: description: >- CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The - secret must contain two keys, 'username' and - 'password'. + the CyberArk Certificate Manager Self-Hosted API + credentials. + + The secret must contain the key 'access-token' for + the Access Token Authentication, + + or two keys, 'username' and 'password' for the API + Keys Authentication. properties: name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -2510,8 +6477,9 @@ spec: url: description: >- URL is the base URL for the vedsdk endpoint of the - Venafi TPP instance, for example: - "https://tpp.example.com/vedsdk". + CyberArk Certificate Manager Self-Hosted instance, + + for example: "https://tpp.example.com/vedsdk". type: string required: - credentialsRef @@ -2519,10 +6487,15 @@ spec: type: object zone: description: >- - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be - restricted by the named zone policy. This field is - required. + Zone is the Certificate Manager Policy Zone to use for + this issuer. + + All requests made to the Certificate Manager platform + will be restricted by the named + + zone policy. + + This field is required. type: string required: - zone 
@@ -2535,34 +6508,47 @@ spec: properties: acme: description: >- - ACME specific status options. This field should only be set - if the Issuer is configured to use an ACME server to issue - certificates. + ACME specific status options. + + This field should only be set if the Issuer is configured to + use an ACME + + server to issue certificates. properties: lastPrivateKeyHash: description: >- LastPrivateKeyHash is a hash of the private key - associated with the latest registered ACME account, in - order to track changes made to registered account + associated with the latest + + registered ACME account, in order to track changes made + to registered account + associated with the Issuer type: string lastRegisteredEmail: description: >- LastRegisteredEmail is the email associated with the - latest registered ACME account, in order to track - changes made to registered account associated with the - Issuer + latest registered + + ACME account, in order to track changes made to + registered account + + associated with the Issuer type: string uri: description: >- URI is the unique account identifier, which can also be - used to retrieve account details from the CA + used to retrieve + + account details from the CA type: string type: object conditions: description: >- List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. + CertificateRequest. + + Known condition types are `Ready`. items: description: >- IssuerCondition contains condition information for an 
@@ -2571,28 +6557,40 @@ spec: lastTransitionTime: description: >- LastTransitionTime is the timestamp corresponding to - the last status change of this condition. + the last status + + change of this condition. format: date-time type: string message: description: >- Message is a human readable description of the details - of the last transition, complementing reason. + of the last + + transition, complementing reason. type: string observedGeneration: description: >- If set, this represents the .metadata.generation that - the condition was set based upon. For instance, if - .metadata.generation is currently 12, but the + the condition was + + set based upon. + + For instance, if .metadata.generation is currently 12, + but the + .status.condition[x].observedGeneration is 9, the - condition is out of date with respect to the current - state of the Issuer. + condition is out of date + + with respect to the current state of the Issuer. format: int64 type: integer reason: description: >- Reason is a brief machine readable explanation for the - condition's last transition. + condition's last + + transition. type: string status: description: >- diff --git a/_/CustomResourceDefinition/envoyextensionpolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/envoyextensionpolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..06eb445 --- /dev/null +++ b/_/CustomResourceDefinition/envoyextensionpolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,3222 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: envoyextensionpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + kind: EnvoyExtensionPolicy + listKind: EnvoyExtensionPolicyList + plural: envoyextensionpolicies + shortNames: + - eep + singular: envoyextensionpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + EnvoyExtensionPolicy allows the user to configure various envoy + extensibility options for the Gateway. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of EnvoyExtensionPolicy. + properties: + extProc: + description: |- + ExtProc is an ordered list of external processing filters + that should be added to the envoy filter chain + items: + description: >- + ExtProc defines the configuration for External Processing + filter. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization request will + be sent. 
+ + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe to + forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to use + for this resource. + + Port is required when the referent is a Kubernetes + Service. In this + + case, the port number is the service port number, + not the target port. 
+ + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == 'Service') + ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization request will + be sent. + items: + description: >- + BackendRef defines how an ObjectReference that is + specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be configured. + + It is highly recommended to configure active or + passive health checks to ensure that failover + can be detected + + when the active backends become unhealthy and to + automatically readjust once the primary backends + are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only start + receiving traffic when + + the health of the active backends falls below + 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). 
+ Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. 
If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing the + connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be enabled with + the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy + will establish to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that + Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy will + make over a single connection to the + referenced backend defined within a xRoute + rule. + + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that will + apply per-endpoint for an upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write buffers. + + BufferLimit applies to connection streaming + (maybe non-streaming) channel between + processes, it's in user space. + + If unspecified, an implementation defined + default is applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by establishing + + connections before they’re needed and avoiding + connection establishment overhead. + + + If unset, Envoy will fetch connections as + needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS or + latency sensitive services. Expressed as a + + percentage of the connections required by + active streams + + (e.g. 
100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, 200 + = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for + the maximum buffer size in bytes for each + socket + + to backend. + + SocketBufferLimit applies to socket streaming + channel between TCP/IP stacks, it's in kernel + space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, the + value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which DNS + records should be refreshed. + + Defaults to 30 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend is + specified as a fully qualified domain name + (FQDN). + + If set, this configuration overrides other + defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS refresh + rate will be set to the resource record’s TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the GRPC + health checker. + + It's optional, and can only be used if the + specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value between + 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. 
+ + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. 
+ type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before a + backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http field + needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and balance + across all endpoints. + + It's designed to prevent a situation in which + host failures cascade throughout the cluster + + as load increases. If not set, the default + value is 50%. To disable panic mode, set value + to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base duration + for which a host will be ejected on + consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is set + to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given host + is greater than or equal to this value, it + will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between passive + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that can + be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for backend + connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial + window size for HTTP/2 connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number + of concurrent streams allowed per connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will + terminate the connection or just the offending + stream in the event of HTTP messaging error + + It's recommended for L2 Envoy deployments to + set this value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing traffic + from the gateway to + + the backend endpoints. Defaults to `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration when + the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. 
+ + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash policy + for each header, when the consistent hash + type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query parameter + hash policy when the consistent hash type + is set to QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. 
Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) : + !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? has(self.headers) + : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) : + !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration for + endpoint override. + + When specified, the load balancer will attempt + to route requests to endpoints + + based on the override information extracted + from request headers or metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to extract + endpoint override information from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related to + the slow start load balancer policy. + + If set, during slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently this is only supported for + RoundRobin and LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm up + period for newly added host. + + During slow start window, traffic sent to + the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related to + the distribution of requests between locality + zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. 
+ properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for + RoundRobin and LeastRequest load balancers. + rule: >- + self.type in ['Random', 'ConsistentHash'] ? + !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for + LeastRequest, Random, and RoundRobin load + balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when + communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing users + to customize the number of retries, retry fallback + strategy, and retry triggering conditions. 
+ + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of + requests (initial attempt + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all requests are + sent to the highest priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be + attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied per + retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses a + fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: Timeout is the timeout per retry attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http status + codes to be retried. 
+ + The retriable-status-codes trigger must + also be configured for these status codes + to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the upstream + client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle + before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to + send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in which + there are no active requests in the + connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum duration + for a stream to complete. This timeout + measures the time + + from when the request is sent until the + response stream is fully consumed and does + not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only works + with RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + failOpen: + default: false + description: >- + FailOpen is a switch used to control the behavior when + failing to call the external processor. + + + If FailOpen is set to true, the system bypasses the + ExtProc extension and + + allows the traffic to pass through. If it is set to + false or + + not set (defaulting to false), the system blocks the + traffic and returns + + an HTTP 5xx error. + + + If set to true, the ExtProc extension will also be + bypassed if the configuration is invalid. 
+ type: boolean + messageTimeout: + description: >- + MessageTimeout is the timeout for a response to be + returned from the external processor + + Default: 200ms + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + metadata: + description: >- + Metadata defines options related to the sending and + receiving of dynamic metadata. + + These options define which metadata namespaces would + be sent to the processor and which dynamic metadata + + namespaces the processor would be permitted to emit + metadata to. + + Users can specify custom namespaces or well-known + envoy metadata namespace (such as + envoy.filters.http.ext_authz) + + documented here: + https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata#well-known-dynamic-metadata + + Default: no metadata context is sent or received from + the external processor + properties: + accessibleNamespaces: + description: >- + AccessibleNamespaces are metadata namespaces that + are sent to the external processor as context + items: + type: string + type: array + writableNamespaces: + description: >- + WritableNamespaces are metadata namespaces that + the external processor can write to + items: + type: string + maxItems: 8 + type: array + x-kubernetes-validations: + - message: >- + writableNamespaces cannot contain well-known + Envoy HTTP filter namespaces + rule: >- + self.all(f, + !f.startsWith('envoy.filters.http')) + type: object + processingMode: + description: >- + ProcessingMode defines how request and response body + is processed + + Default: header and body are not sent to the external + processor + properties: + allowModeOverride: + description: >- + AllowModeOverride allows the external processor to + override the processing mode set via the + + `mode_override` field in the gRPC response + message. This defaults to false. + type: boolean + request: + description: >- + Defines processing mode for requests. If present, + request headers are sent. 
Request body is + processed according + + to the specified mode. + properties: + attributes: + description: >- + Defines which attributes are sent to the + external processor. Envoy Gateway currently + + supports only the following attribute + prefixes: connection, source, destination, + + request, response, upstream and xds.route. + + https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + items: + pattern: >- + ^(connection\.|source\.|destination\.|request\.|response\.|upstream\.|xds\.route_)[a-z_1-9]*$ + type: string + type: array + body: + description: Defines body processing mode + enum: + - Streamed + - Buffered + - BufferedPartial + - FullDuplexStreamed + type: string + type: object + response: + description: >- + Defines processing mode for responses. If present, + response headers are sent. Response body is + processed according + + to the specified mode. + properties: + attributes: + description: >- + Defines which attributes are sent to the + external processor. Envoy Gateway currently + + supports only the following attribute + prefixes: connection, source, destination, + + request, response, upstream and xds.route. + + https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + items: + pattern: >- + ^(connection\.|source\.|destination\.|request\.|response\.|upstream\.|xds\.route_)[a-z_1-9]*$ + type: string + type: array + body: + description: Defines body processing mode + enum: + - Streamed + - Buffered + - BufferedPartial + - FullDuplexStreamed + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: BackendRefs must be used, backendRef is not supported. + rule: '!has(self.backendRef)' + - message: >- + BackendRefs only supports Service, ServiceImport, and + Backend kind. + rule: >- + has(self.backendRefs) ? 
self.backendRefs.all(f, f.kind + == 'Service' || f.kind == 'ServiceImport' || f.kind == + 'Backend') : true + - message: >- + BackendRefs only supports Core, multicluster.x-k8s.io, + and gateway.envoyproxy.io groups. + rule: >- + has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "" || f.group == 'multicluster.x-k8s.io' || + f.group == 'gateway.envoyproxy.io')) : true + - message: >- + If FullDuplexStreamed body processing mode is used, + FailOpen must be false. + rule: >- + !(has(self.failOpen) && self.failOpen == true && + has(self.processingMode) && + ((has(self.processingMode.request) && + has(self.processingMode.request.body) && + self.processingMode.request.body == + 'FullDuplexStreamed') || + (has(self.processingMode.response) && + has(self.processingMode.response.body) && + self.processingMode.response.body == + 'FullDuplexStreamed'))) + maxItems: 16 + type: array + lua: + description: |- + Lua is an ordered list of Lua filters + that should be added to the envoy filter chain + items: + description: |- + Lua defines a Lua extension + Only one of Inline or ValueRef must be set + properties: + inline: + description: Inline contains the source code as an inline string. + type: string + type: + default: Inline + description: >- + Type is the type of method to use to read the Lua + value. + + Valid values are Inline and ValueRef, default is + Inline. + enum: + - Inline + - ValueRef + type: string + valueRef: + description: >- + ValueRef has the source code specified as a local + object reference. + + Only a reference to ConfigMap is supported. + + The value of key `lua` in the ConfigMap will be used. + + If the key is not found, the first value in the + ConfigMap will be used. + properties: + group: + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + x-kubernetes-validations: + - message: >- + Only a reference to an object of kind ConfigMap + belonging to default v1 API group is supported. + rule: >- + self.kind == 'ConfigMap' && (self.group == 'v1' || + self.group == '') + required: + - type + type: object + x-kubernetes-validations: + - message: >- + Exactly one of inline or valueRef must be set with + correct type. + rule: >- + (self.type == 'Inline' && has(self.inline) && + !has(self.valueRef)) || (self.type == 'ValueRef' && + !has(self.inline) && has(self.valueRef)) + maxItems: 16 + type: array + targetRef: + description: >- + TargetRef is the name of the resource this policy is being + attached to. + + This policy and the TargetRef MUST be in the same namespace + for this + + Policy to have effect + + + Deprecated: use targetRefs/targetSelectors instead + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire resource. 
+ In the following + + resources, SectionName is interpreted as the following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on the + targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + targetRefs: + description: >- + TargetRefs are the names of the Gateway resources this + policy + + is being attached to. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. 
In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + type: array + targetSelectors: + description: >- + TargetSelectors allow targeting resources for this policy + based on labels + items: + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group that this selector targets. + Defaults to gateway.networking.k8s.io + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the resource kind that this selector targets. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + matchExpressions: + description: >- + MatchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector applies + to. + type: string + operator: + description: >- + operator represents a key's relationship to a + set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. 
This array is + replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + MatchLabels are the set of label selectors for + identifying the targeted resource + type: object + required: + - kind + type: object + x-kubernetes-validations: + - message: group must be gateway.networking.k8s.io + rule: >- + has(self.group) ? self.group == + 'gateway.networking.k8s.io' : true + type: array + wasm: + description: >- + Wasm is a list of Wasm extensions to be loaded by the + Gateway. + + Order matters, as the extensions will be loaded in the order + they are + + defined in this list. + items: + description: >- + Wasm defines a Wasm extension. + + + Note: at the moment, Envoy Gateway does not support + configuring Wasm runtime. + + v8 is used as the VM runtime for the Wasm extensions. + properties: + code: + description: Code is the Wasm code for the extension. + properties: + http: + description: >- + HTTP is the HTTP URL containing the Wasm code. + + + Note that the HTTP server must be accessible from + the Envoy proxy. + properties: + sha256: + description: >- + SHA256 checksum that will be used to verify + the Wasm code. + + + If not specified, Envoy Gateway will not + verify the downloaded Wasm code. + + kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` + type: string + tls: + description: >- + TLS configuration when connecting to the Wasm + code source. + properties: + caCertificateRef: + description: >- + CACertificateRef contains a references to + + Kubernetes objects that contain TLS + certificates of + + the Certificate Authorities that can be + used + + as a trust anchor to validate the + certificates presented by the Wasm code + source. + + + Kubernetes ConfigMap and Kubernetes Secret + are supported. 
+ + Note: The ConfigMap or Secret must be in + the same namespace as the + EnvoyExtensionPolicy. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For + example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - caCertificateRef + type: object + url: + description: URL is the URL containing the Wasm code. + pattern: >- + ^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)* + type: string + required: + - url + type: object + image: + description: >- + Image is the OCI image containing the Wasm code. + + + Note that the image must be accessible from the + Envoy Gateway. + properties: + pullSecretRef: + description: >- + PullSecretRef is a reference to the secret + containing the credentials to pull the image. + + Only support Kubernetes Secret resource from + the same namespace. 
+ properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: only support Secret kind. + rule: self.kind == 'Secret' + sha256: + description: >- + SHA256 checksum that will be used to verify + the OCI image. + + + It must match the digest of the OCI image. + + + If not specified, Envoy Gateway will not + verify the downloaded OCI image. + + kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` + type: string + tls: + description: >- + TLS configuration when connecting to the Wasm + code source. + properties: + caCertificateRef: + description: >- + CACertificateRef contains a references to + + Kubernetes objects that contain TLS + certificates of + + the Certificate Authorities that can be + used + + as a trust anchor to validate the + certificates presented by the Wasm code + source. 
+ + + Kubernetes ConfigMap and Kubernetes Secret + are supported. + + Note: The ConfigMap or Secret must be in + the same namespace as the + EnvoyExtensionPolicy. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For + example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - caCertificateRef + type: object + url: + description: >- + URL is the URL of the OCI image. + + URL can be in the format of + `registry/image:tag` or + `registry/image@sha256:digest`. + type: string + required: + - url + type: object + pullPolicy: + description: >- + PullPolicy is the policy to use when pulling the + Wasm module by either the HTTP or Image source. + + This field is only applicable when the SHA256 + field is not set. + + + If not specified, the default policy is + IfNotPresent except for OCI images whose tag is + latest. 
+ + + Note: EG does not update the Wasm module every + time an Envoy proxy requests + + the Wasm module even if the pull policy is set to + Always. + + It only updates the Wasm module when the + EnvoyExtension resource version changes. + enum: + - IfNotPresent + - Always + type: string + type: + allOf: + - enum: + - HTTP + - Image + - enum: + - HTTP + - Image + - ConfigMap + description: >- + Type is the type of the source of the Wasm code. + + Valid WasmCodeSourceType values are "HTTP" or + "Image". + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If type is HTTP, http field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: If type is Image, image field needs to be set. + rule: >- + self.type == 'Image' ? has(self.image) : + !has(self.image) + config: + description: >- + Config is the configuration for the Wasm extension. + + This configuration will be passed as a JSON string to + the Wasm extension. + x-kubernetes-preserve-unknown-fields: true + env: + description: Env configures the environment for the Wasm extension + properties: + hostKeys: + description: >- + HostKeys is a list of keys for environment + variables from the host envoy process + + that should be passed into the Wasm VM. This is + useful for passing secrets to to Wasm extensions. + items: + type: string + type: array + type: object + failOpen: + default: false + description: >- + FailOpen is a switch used to control the behavior when + a fatal error occurs + + during the initialization or the execution of the Wasm + extension. + + + If FailOpen is set to true, the system bypasses the + Wasm extension and + + allows the traffic to pass through. If it is set to + false or + + not set (defaulting to false), the system blocks the + traffic and returns + + an HTTP 5xx error. + + + If set to true, the Wasm extension will also be + bypassed if the configuration is invalid. 
+ type: boolean + name: + description: >- + Name is a unique name for this Wasm extension. It is + used to identify the + + Wasm extension if multiple extensions are handled by + the same vm_id and root_id. + + It's also used for logging/debugging. + + If not specified, EG will generate a unique name for + the Wasm extension. + type: string + rootID: + description: >- + RootID is a unique ID for a set of extensions in a VM + which will share a + + RootContext and Contexts if applicable (e.g., an Wasm + HttpFilter and an Wasm AccessLog). + + If left blank, all extensions with a blank root_id + with the same vm_id will share Context(s). + + + Note: RootID must match the root_id parameter used to + register the Context in the Wasm code. + type: string + required: + - code + type: object + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: either targetRef or targetRefs must be used + rule: >- + (has(self.targetRef) && !has(self.targetRefs)) || + (!has(self.targetRef) && has(self.targetRefs)) || + (has(self.targetSelectors) && self.targetSelectors.size() > + 0) + - message: >- + this policy can only have a targetRef.group of + gateway.networking.k8s.io + rule: >- + has(self.targetRef) ? self.targetRef.group == + 'gateway.networking.k8s.io' : true + - message: >- + this policy can only have a targetRef.kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute + rule: >- + has(self.targetRef) ? self.targetRef.kind in ['Gateway', + 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', + 'TLSRoute'] : true + - message: >- + this policy can only have a targetRefs[*].group of + gateway.networking.k8s.io + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == + 'gateway.networking.k8s.io') : true + - message: >- + this policy can only have a targetRefs[*].kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute + rule: >- + has(self.targetRefs) ? 
self.targetRefs.all(ref, ref.kind in + ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', + 'TCPRoute', 'TLSRoute']) : true + status: + description: Status defines the current status of EnvoyExtensionPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. + Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. 
+ items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. 
+ properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. 
+ + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. 
+ + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. + * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". 
+ + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/envoypatchpolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/envoypatchpolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..4e9003a --- /dev/null +++ b/_/CustomResourceDefinition/envoypatchpolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,830 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: envoypatchpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: EnvoyPatchPolicy + listKind: EnvoyPatchPolicyList + plural: envoypatchpolicies + shortNames: + - epp + singular: envoypatchpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.ancestors[0].conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.ancestors[0].conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + EnvoyPatchPolicy allows the user to modify the generated Envoy xDS + resources by Envoy Gateway using this patch API + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of EnvoyPatchPolicy. + properties: + jsonPatches: + description: JSONPatch defines the JSONPatch configuration. 
+ items: + description: >- + EnvoyJSONPatchConfig defines the configuration for + patching a Envoy xDS Resource + + using JSONPatch semantic + properties: + name: + description: Name is the name of the resource + type: string + operation: + description: Patch defines the JSON Patch Operation + properties: + from: + description: >- + From is the source location of the value to be + copied or moved. Only valid + + for move or copy operations + + Refer to + https://datatracker.ietf.org/doc/html/rfc6901 for + more details. + type: string + jsonPath: + description: >- + JSONPath is a JSONPath expression. Refer to + https://datatracker.ietf.org/doc/rfc9535/ for more + details. + + It produces one or more JSONPointer expressions + based on the given JSON document. + + If no JSONPointer is found, it will result in an + error. + + If the 'Path' property is also set, it will be + appended to the resulting JSONPointer expressions + from the JSONPath evaluation. + + This is useful when creating a property that does + not yet exist in the JSON document. + + The final JSONPointer expressions specifies the + locations in the target document/field where the + operation will be applied. + type: string + op: + description: Op is the type of operation to perform + enum: + - add + - remove + - replace + - move + - copy + - test + type: string + path: + description: >- + Path is a JSONPointer expression. Refer to + https://datatracker.ietf.org/doc/html/rfc6901 for + more details. + + It specifies the location of the target + document/field where the operation will be + performed + type: string + value: + description: >- + Value is the new value of the path location. The + value is only used by + + the `add` and `replace` operations. 
+ x-kubernetes-preserve-unknown-fields: true + required: + - op + type: object + type: + description: Type is the typed URL of the Envoy xDS Resource + enum: + - >- + type.googleapis.com/envoy.config.listener.v3.Listener + - >- + type.googleapis.com/envoy.config.route.v3.RouteConfiguration + - type.googleapis.com/envoy.config.cluster.v3.Cluster + - >- + type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment + - >- + type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret + type: string + required: + - name + - operation + - type + type: object + type: array + priority: + description: |- + Priority of the EnvoyPatchPolicy. + If multiple EnvoyPatchPolicies are applied to the same + TargetRef, they will be applied in the ascending order of + the priority i.e. int32.min has the highest priority and + int32.max has the lowest priority. + Defaults to 0. + format: int32 + type: integer + targetRef: + description: >- + TargetRef is the name of the Gateway API resource this + policy + + is being attached to. + + By default, attaching to Gateway is supported and + + when mergeGateways is enabled it should attach to + GatewayClass. + + This Policy and the TargetRef MUST be in the same namespace + + for this Policy to have effect and be applied to the Gateway + + TargetRef + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: + description: |- + Type decides the type of patch. + Valid EnvoyPatchType values are "JSONPatch". 
+ enum: + - JSONPatch + type: string + required: + - targetRef + - type + type: object + status: + description: Status defines the current status of EnvoyPatchPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. + Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. 
+ + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. 
+ + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. 
+ + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. 
In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. 
That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. + * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. 
+ + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/envoyproxies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/envoyproxies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..c799f2b --- /dev/null +++ b/_/CustomResourceDefinition/envoyproxies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,26210 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: envoyproxies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: EnvoyProxy + listKind: EnvoyProxyList + plural: envoyproxies + shortNames: + - eproxy + singular: envoyproxy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: EnvoyProxy is the schema for the envoyproxies API. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: EnvoyProxySpec defines the desired state of EnvoyProxy. + properties: + backendTLS: + description: >- + BackendTLS is the TLS configuration for the Envoy proxy to + use when connecting to backends. + + These settings are applied on backends for which TLS + policies are specified. + properties: + alpnProtocols: + description: >- + ALPNProtocols supplies the list of ALPN protocols that + should be + + exposed by the listener or used by the proxy to connect + to the backend. + + Defaults: + + 1. HTTPS Routes: h2 and http/1.1 are enabled in listener + context. + + 2. Other Routes: ALPN is disabled. + + 3. 
Backends: proxy uses the appropriate ALPN options for + the backend protocol. + + When an empty list is provided, the ALPN TLS extension + is disabled. + + + Defaults to [h2, http/1.1] if not specified. + + + Typical Supported values are: + + - http/1.0 + + - http/1.1 + + - h2 + items: + description: >- + ALPNProtocol specifies the protocol to be negotiated + using ALPN + type: string + type: array + ciphers: + description: >- + Ciphers specifies the set of cipher suites supported + when + + negotiating TLS 1.0 - 1.2. This setting has no effect + for TLS 1.3. + + In non-FIPS Envoy Proxy builds the default cipher list + is: + + - + [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + + - + [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + In builds using BoringSSL FIPS the default cipher list + is: + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + items: + type: string + type: array + clientCertificateRef: + description: >- + ClientCertificateRef defines the reference to a + Kubernetes Secret that contains + + the client certificate and private key for Envoy to use + when connecting to + + backend services and external services, such as ExtAuth, + ALS, OpenTelemetry, etc. + + This secret should be located within the same namespace + as the Envoy proxy resource that references it. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + ecdhCurves: + description: |- + ECDHCurves specifies the set of supported ECDH curves. + In non-FIPS Envoy Proxy builds the default curves are: + - X25519 + - P-256 + In builds using BoringSSL FIPS the default curve is: + - P-256 + items: + type: string + type: array + maxVersion: + description: |- + Max specifies the maximal TLS protocol version to allow + The default is TLS 1.3 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + minVersion: + description: |- + Min specifies the minimal TLS protocol version to allow. + The default is TLS 1.2 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + signatureAlgorithms: + description: >- + SignatureAlgorithms specifies which signature algorithms + the listener should + + support. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: >- + setting ciphers has no effect if the minimum possible + TLS version is 1.3 + rule: >- + has(self.minVersion) && self.minVersion == '1.3' ? + !has(self.ciphers) : true + - message: minVersion must be smaller or equal to maxVersion + rule: >- + has(self.minVersion) && has(self.maxVersion) ? 
+ {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion] + <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : !has(self.minVersion) && has(self.maxVersion) ? 3 <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : true + bootstrap: + description: >- + Bootstrap defines the Envoy Bootstrap as a YAML string. + + Visit + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap + + to learn more about the syntax. + + If set, this is the Bootstrap configuration used for the + managed Envoy Proxy fleet instead of the default Bootstrap + configuration + + set by Envoy Gateway. + + Some fields within the Bootstrap that are required to + communicate with the xDS Server (Envoy Gateway) and receive + xDS resources + + from it are not configurable and will result in the + `EnvoyProxy` resource being rejected. + + Backward compatibility across minor versions is not + guaranteed. + + We strongly recommend using `egctl x translate` to generate + a `EnvoyProxy` resource with the `Bootstrap` field set to + the default + + Bootstrap configuration used. You can edit this + configuration, and rerun `egctl x translate` to ensure there + are no validation errors. + properties: + jsonPatches: + description: >- + JSONPatches is an array of JSONPatches to be applied to + the default bootstrap. Patches are + + applied in the order in which they are defined. + items: + description: >- + JSONPatchOperation defines the JSON Patch Operation as + defined in + + https://datatracker.ietf.org/doc/html/rfc6902 + properties: + from: + description: >- + From is the source location of the value to be + copied or moved. Only valid + + for move or copy operations + + Refer to + https://datatracker.ietf.org/doc/html/rfc6901 for + more details. + type: string + jsonPath: + description: >- + JSONPath is a JSONPath expression. 
Refer to + https://datatracker.ietf.org/doc/rfc9535/ for more + details. + + It produces one or more JSONPointer expressions + based on the given JSON document. + + If no JSONPointer is found, it will result in an + error. + + If the 'Path' property is also set, it will be + appended to the resulting JSONPointer expressions + from the JSONPath evaluation. + + This is useful when creating a property that does + not yet exist in the JSON document. + + The final JSONPointer expressions specifies the + locations in the target document/field where the + operation will be applied. + type: string + op: + description: Op is the type of operation to perform + enum: + - add + - remove + - replace + - move + - copy + - test + type: string + path: + description: >- + Path is a JSONPointer expression. Refer to + https://datatracker.ietf.org/doc/html/rfc6901 for + more details. + + It specifies the location of the target + document/field where the operation will be + performed + type: string + value: + description: >- + Value is the new value of the path location. The + value is only used by + + the `add` and `replace` operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + type: object + type: array + type: + default: Replace + description: >- + Type is the type of the bootstrap configuration, it + should be either **Replace**, **Merge**, or + **JSONPatch**. + + If unspecified, it defaults to Replace. + enum: + - Merge + - Replace + - JSONPatch + type: string + value: + description: Value is a YAML string of the bootstrap. + type: string + type: object + x-kubernetes-validations: + - message: >- + provided bootstrap patch doesn't match the configured + patch type + rule: >- + self.type == 'JSONPatch' ? self.jsonPatches.size() > 0 : + has(self.value) + concurrency: + description: >- + Concurrency defines the number of worker threads to run. If + unset, it defaults to + + the number of cpuset threads on the platform. 
+ format: int32 + type: integer + extraArgs: + description: >- + ExtraArgs defines additional command line options that are + provided to Envoy. + + More info: + https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options + + Note: some command line options are used internally(e.g. + --log-level) so they cannot be provided here. + items: + type: string + type: array + filterOrder: + description: >- + FilterOrder defines the order of filters in the Envoy + proxy's HTTP filter chain. + + The FilterPosition in the list will be applied in the order + they are defined. + + If unspecified, the default filter order is applied. + + Default filter order is: + + + - envoy.filters.http.custom_response + + + - envoy.filters.http.health_check + + + - envoy.filters.http.fault + + + - envoy.filters.http.cors + + + - envoy.filters.http.header_mutation + + + - envoy.filters.http.ext_authz + + + - envoy.filters.http.api_key_auth + + + - envoy.filters.http.basic_auth + + + - envoy.filters.http.oauth2 + + + - envoy.filters.http.jwt_authn + + + - envoy.filters.http.stateful_session + + + - envoy.filters.http.buffer + + + - envoy.filters.http.lua + + + - envoy.filters.http.ext_proc + + + - envoy.filters.http.wasm + + + - envoy.filters.http.rbac + + + - envoy.filters.http.local_ratelimit + + + - envoy.filters.http.ratelimit + + + - envoy.filters.http.grpc_web + + + - envoy.filters.http.grpc_stats + + + - envoy.filters.http.credential_injector + + + - envoy.filters.http.compressor + + + - envoy.filters.http.dynamic_forward_proxy + + + - envoy.filters.http.router + + + Note: "envoy.filters.http.router" cannot be reordered, it's + always the last filter in the chain. + items: + description: >- + FilterPosition defines the position of an Envoy HTTP + filter in the filter chain. + properties: + after: + description: >- + After defines the filter that should come after the + filter. + + Only one of Before or After must be set. 
+ enum: + - envoy.filters.http.custom_response + - envoy.filters.http.health_check + - envoy.filters.http.fault + - envoy.filters.http.cors + - envoy.filters.http.header_mutation + - envoy.filters.http.ext_authz + - envoy.filters.http.api_key_auth + - envoy.filters.http.basic_auth + - envoy.filters.http.oauth2 + - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session + - envoy.filters.http.buffer + - envoy.filters.http.lua + - envoy.filters.http.ext_proc + - envoy.filters.http.wasm + - envoy.filters.http.rbac + - envoy.filters.http.local_ratelimit + - envoy.filters.http.ratelimit + - envoy.filters.http.grpc_web + - envoy.filters.http.grpc_stats + - envoy.filters.http.credential_injector + - envoy.filters.http.compressor + - envoy.filters.http.dynamic_forward_proxy + type: string + before: + description: >- + Before defines the filter that should come before the + filter. + + Only one of Before or After must be set. + enum: + - envoy.filters.http.custom_response + - envoy.filters.http.health_check + - envoy.filters.http.fault + - envoy.filters.http.cors + - envoy.filters.http.header_mutation + - envoy.filters.http.ext_authz + - envoy.filters.http.api_key_auth + - envoy.filters.http.basic_auth + - envoy.filters.http.oauth2 + - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session + - envoy.filters.http.buffer + - envoy.filters.http.lua + - envoy.filters.http.ext_proc + - envoy.filters.http.wasm + - envoy.filters.http.rbac + - envoy.filters.http.local_ratelimit + - envoy.filters.http.ratelimit + - envoy.filters.http.grpc_web + - envoy.filters.http.grpc_stats + - envoy.filters.http.credential_injector + - envoy.filters.http.compressor + - envoy.filters.http.dynamic_forward_proxy + type: string + name: + description: Name of the filter. 
+ enum: + - envoy.filters.http.custom_response + - envoy.filters.http.health_check + - envoy.filters.http.fault + - envoy.filters.http.cors + - envoy.filters.http.header_mutation + - envoy.filters.http.ext_authz + - envoy.filters.http.api_key_auth + - envoy.filters.http.basic_auth + - envoy.filters.http.oauth2 + - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session + - envoy.filters.http.buffer + - envoy.filters.http.lua + - envoy.filters.http.ext_proc + - envoy.filters.http.wasm + - envoy.filters.http.rbac + - envoy.filters.http.local_ratelimit + - envoy.filters.http.ratelimit + - envoy.filters.http.grpc_web + - envoy.filters.http.grpc_stats + - envoy.filters.http.credential_injector + - envoy.filters.http.compressor + - envoy.filters.http.dynamic_forward_proxy + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: one of before or after must be specified + rule: (has(self.before) || has(self.after)) + - message: only one of before or after can be specified + rule: >- + (has(self.before) && !has(self.after)) || + (!has(self.before) && has(self.after)) + type: array + ipFamily: + description: >- + IPFamily specifies the IP family for the EnvoyProxy fleet. + + This setting only affects the Gateway listener port and does + not impact + + other aspects of the Envoy proxy configuration. + + If not specified, the system will operate as follows: + + - It defaults to IPv4 only. + + - IPv6 and dual-stack environments are not supported in this + default configuration. + + Note: To enable IPv6 or dual-stack functionality, explicit + configuration is required. + enum: + - IPv4 + - IPv6 + - DualStack + type: string + logging: + default: + level: + default: warn + description: Logging defines logging parameters for managed proxies. + properties: + level: + additionalProperties: + description: >- + LogLevel defines a log level for Envoy Gateway and + EnvoyProxy system logs. 
+ enum: + - trace + - debug + - info + - warn + - error + type: string + default: + default: warn + description: >- + Level is a map of logging level per component, where the + component is the key + + and the log level is the value. If unspecified, defaults + to "default: warn". + type: object + type: object + luaValidation: + description: >- + LuaValidation determines strictness of the Lua script + validation for Lua EnvoyExtensionPolicies + + Default: Strict + enum: + - Strict + - InsecureSyntax + - Disabled + type: string + mergeGateways: + description: >- + MergeGateways defines if Gateway resources should be merged + onto the same Envoy Proxy Infrastructure. + + Setting this field to true would merge all Gateway Listeners + under the parent Gateway Class. + + This means that the port, protocol and hostname tuple must + be unique for every listener. + + If a duplicate listener is detected, the newer listener + (based on timestamp) will be rejected and its status will be + updated with a "Accepted=False" condition. + type: boolean + preserveRouteOrder: + description: >- + PreserveRouteOrder determines if the order of matching for + HTTPRoutes is determined by Gateway-API + + specification + (https://gateway-api.sigs.k8s.io/reference/1.4/spec/#httprouterule) + + or preserves the order defined by users in the HTTPRoute's + HTTPRouteRule list. + + Default: False + type: boolean + provider: + description: >- + Provider defines the desired resource provider and + provider-specific configuration. + + If unspecified, the "Kubernetes" resource provider is used + with default configuration + + parameters. + properties: + host: + description: >- + Host provides runtime deployment of the data plane as a + child process on the + + host environment. + + If unspecified and type is "Host", default settings for + the custom provider + + are applied. + properties: + envoyVersion: + description: >- + EnvoyVersion is the version of Envoy to use. 
If + unspecified, the version + + against which Envoy Gateway is built will be used. + type: string + type: object + kubernetes: + description: >- + Kubernetes defines the desired state of the Kubernetes + resource provider. + + Kubernetes provides infrastructure resources for running + the data plane, + + e.g. Envoy proxy. If unspecified and type is + "Kubernetes", default settings + + for managed Kubernetes resources are applied. + properties: + envoyDaemonSet: + description: >- + EnvoyDaemonSet defines the desired state of the + Envoy daemonset resource. + + Disabled by default, a deployment resource is used + instead to provision the Envoy Proxy fleet + properties: + container: + description: >- + Container defines the desired specification of + main container. + properties: + env: + description: >- + List of environment variables to set in the + container. + items: + description: >- + EnvVar represents an environment variable + present in a Container. + properties: + name: + description: >- + Name of the environment variable. + + May consist of any printable ASCII + characters except '='. + type: string + value: + description: >- + Variable references $(VAR_NAME) are + expanded + + using the previously defined environment + variables in the container and + + any service environment variables. If a + variable cannot be resolved, + + the reference in the input string will + be unchanged. Double $$ are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + + "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". + + Escaped references will never be + expanded, regardless of whether the + variable + + exists or not. + + Defaults to "". + type: string + valueFrom: + description: >- + Source for the environment variable's + value. Cannot be used if value is not + empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. 
+ type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: >- + Selects a field of the pod: supports + metadata.name, metadata.namespace, + `metadata.labels['']`, + `metadata.annotations['']`, + + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, + status.podIPs. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: >- + FileKeyRef selects a key of the env + file. + + Requires the EnvFiles feature gate to be + enabled. + properties: + key: + description: >- + The key within the env file. An invalid + key will prevent the pod from starting. + + The keys defined within a source may + consist of any printable ASCII + characters except '='. + + During Alpha stage of the EnvFiles + feature gate, the key size is limited to + 128 characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must + be defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the + specified key does not exist, + + the environment variable will not be set + in the Pod's containers. 
+ + + If optional is set to false and the + specified key does not exist, + + an error will be returned during Pod + creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the + '..' path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and + requests.ephemeral-storage) are + currently supported. + properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: >- + Selects a key of a secret in the pod's + namespace + properties: + key: + description: >- + The key of the secret to select from. + Must be a valid secret key. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: >- + Image specifies the EnvoyProxy container + image to be used including a tag, instead of + the default image. + + This field is mutually exclusive with + ImageRepository. + type: string + x-kubernetes-validations: + - message: >- + Image must include a tag and allowed + characters only (e.g., 'repo:tag'). + rule: >- + self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') + imageRepository: + description: >- + ImageRepository specifies the container + image repository to be used without + specifying a tag. + + The default tag will be used. + + This field is mutually exclusive with Image. + type: string + x-kubernetes-validations: + - message: >- + ImageRepository must contain only + allowed characters and must not include + a tag. + rule: >- + self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?[a-zA-Z0-9._/-]+$') + resources: + description: >- + Resources required by this container. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: >- + Claims lists the names of resources, + defined in spec.resourceClaims, + + that are used by this container. + + + This field depends on the + + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be + set for containers. + items: + description: >- + ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: >- + Name must match the name of one entry in + pod.spec.resourceClaims of + + the Pod where this field is used. 
It + makes that resource available + + inside a container. + type: string + request: + description: >- + Request is the name chosen for a request + in the referenced claim. + + If empty, everything from the claim is + made available, otherwise + + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: >- + SecurityContext defines the security options + the container should be run with. + + If set, the fields of SecurityContext + override the equivalent fields of + PodSecurityContext. + + More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + properties: + allowPrivilegeEscalation: + description: >- + AllowPrivilegeEscalation controls + whether a process can gain more + + privileges than its parent process. 
This + bool directly controls if + + the no_new_privs flag will be set on the + container process. + + AllowPrivilegeEscalation is true always + when the container is: + + 1) run as Privileged + + 2) has CAP_SYS_ADMIN + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by this container. If set, this + profile + + overrides the pod's appArmorProfile. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. + + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: >- + The capabilities to add/drop when + running containers. + + Defaults to the default set of + capabilities granted by the container + runtime. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: >- + Run container in privileged mode. + + Processes in privileged containers are + essentially equivalent to root on the + host. + + Defaults to false. 
+ + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + procMount: + description: >- + procMount denotes the type of proc mount + to use for the containers. + + The default value is Default which uses + the container runtime defaults for + + readonly paths and masked paths. + + This requires the ProcMountType feature + flag to be enabled. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: >- + Whether this container has a read-only + root filesystem. + + Default is false. + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. 
+ format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to the + container. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + PodSecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by this + container. If seccomp options are + + provided at both the pod & container + level, the container options + + override the pod options. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. 
+ type: string + required: + - type + type: object + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options from the + PodSecurityContext will be used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. + + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + volumeMounts: + description: >- + VolumeMounts are volumes to mount into the + container's filesystem. + + Cannot be updated. + items: + description: >- + VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: >- + Path within the container at which the + volume should be mounted. Must + + not contain ':'. 
+ type: string + mountPropagation: + description: >- + mountPropagation determines how mounts + are propagated from the host + + to container and the other way around. + + When not set, MountPropagationNone is + used. + + This field is beta in 1.10. + + When RecursiveReadOnly is set to + IfPossible or to Enabled, + MountPropagation must be None or + unspecified + + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: >- + Mounted read-only if true, read-write + otherwise (false or unspecified). + + Defaults to false. + type: boolean + recursiveReadOnly: + description: >- + RecursiveReadOnly specifies whether + read-only mounts should be handled + + recursively. + + + If ReadOnly is false, this field has no + meaning and must be unspecified. + + + If ReadOnly is true, and this field is + set to Disabled, the mount is not made + + recursively read-only. If this field is + set to IfPossible, the mount is made + + recursively read-only, if it is + supported by the container runtime. If + this + + field is set to Enabled, the mount is + made recursively read-only if it is + + supported by the container runtime, + otherwise the pod will not be started + and + + an error will be generated to indicate + the reason. + + + If this field is set to IfPossible or + Enabled, MountPropagation must be set to + + None (or be unspecified, which defaults + to None). + + + If this field is not specified, it is + treated as an equivalent of Disabled. + type: string + subPath: + description: >- + Path within the volume from which the + container's volume should be mounted. + + Defaults to "" (volume's root). + type: string + subPathExpr: + description: >- + Expanded path within the volume from + which the container's volume should be + mounted. + + Behaves similarly to SubPath but + environment variable references + $(VAR_NAME) are expanded using the + container's environment. 
+ + Defaults to "" (volume's root). + + SubPathExpr and SubPath are mutually + exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + type: object + x-kubernetes-validations: + - message: Either image or imageRepository can be set. + rule: >- + !has(self.image) || + !has(self.imageRepository) + name: + description: >- + Name of the daemonSet. + + When unset, this defaults to an autogenerated + name. + type: string + patch: + description: >- + Patch defines how to perform the patch operation + to daemonset + properties: + type: + description: >- + Type is the type of merge operation to + perform + + + By default, StrategicMerge is used as the + patch type. + type: string + value: + description: >- + Object contains the raw configuration for + merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object + pod: + description: Pod defines the desired specification of pod. + properties: + affinity: + description: >- + If specified, the pod's scheduling + constraints. + properties: + nodeAffinity: + description: >- + Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + + node(s) with the highest sum are the + most preferred. 
+ items: + description: >- + An empty preferred scheduling term + matches all objects with implicit weight + 0 + + (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: >- + A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. 
+ type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: >- + Weight associated with matching the + corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to an update), the system + + may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: >- + Required. A list of node selector terms. + The terms are ORed. + items: + description: >- + A null or empty node selector term + matches no objects. The requirements of + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. 
+ type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: >- + Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. 
+ items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. 
Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: >- + Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in + the same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. 
+ + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. 
+ + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the anti-affinity requirements + specified by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. 
+ items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. 
+ properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + annotations: + additionalProperties: + type: string + description: >- + Annotations are the annotations that should + be appended to the pods. + + By default, no pod annotations are appended. + type: object + imagePullSecrets: + description: >- + ImagePullSecrets is an optional list of + references to secrets + + in the same namespace to use for pulling any + of the images used by this PodSpec. + + If specified, these secrets will be passed + to individual puller implementations for + them to use. + + More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + items: + description: >- + LocalObjectReference contains enough + information to let you locate the + + referenced object inside the same + namespace. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + labels: + additionalProperties: + type: string + description: >- + Labels are the additional labels that should + be tagged to the pods. 
+ + By default, no additional pod labels are + tagged. + type: object + nodeSelector: + additionalProperties: + type: string + description: >- + NodeSelector is a selector which must be + true for the pod to fit on a node. + + Selector which must match a node's labels + for the pod to be scheduled on that node. + + More info: + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + priorityClassName: + description: >- + PriorityClassName indicates the importance + of a Pod relative to other Pods. + + If a PriorityClassName is not specified, the + pod priority will be default or zero if + there is no default. + + More info: + https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ + type: string + securityContext: + description: >- + SecurityContext holds pod-level security + attributes and common container settings. + + Optional: Defaults to empty. See type + description for default values of each + field. + properties: + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by the containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. + + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. 
+ + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxChangePolicy: + description: >- + seLinuxChangePolicy defines how the + container's SELinux label is applied to + all volumes used by the Pod. + + It has no effect on nodes that do not + support SELinux or to volumes does not + support SELinux. + + Valid values are "MountOption" and + "Recursive". + + + "Recursive" means relabeling of all + files on all Pod volumes by the + container runtime. + + This may be slow for large volumes, but + allows mixing privileged and + unprivileged Pods sharing the same + volume on the same node. + + + "MountOption" mounts all eligible Pod + volumes with `-o context` mount option. + + This requires all Pods that share the + same volume to use the same SELinux + label. + + It is not possible to share the same + volume among privileged and unprivileged + Pods. + + Eligible volumes are in-tree + FibreChannel and iSCSI volumes, and all + CSI volumes + + whose CSI driver announces SELinux + support by setting spec.seLinuxMount: + true in their + + CSIDriver instance. Other volumes are + always re-labelled recursively. + + "MountOption" value is allowed only when + SELinuxMount feature gate is enabled. + + + If not specified and SELinuxMount + feature gate is enabled, "MountOption" + is used. + + If not specified and SELinuxMount + feature gate is disabled, "MountOption" + is used for ReadWriteOncePod volumes + + and "Recursive" for all other volumes. 
+ + + This field affects only Pods that have + SELinux label set, either in + PodSecurityContext or in SecurityContext + of all containers. + + + All Pods that use the same volume should + use the same seLinuxChangePolicy, + otherwise some pods can get stuck in + ContainerCreating state. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. 
+ + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + + addition to the container's primary GID + and fsGroup (if specified). If + + the SupplementalGroupsPolicy feature is + enabled, the + + supplementalGroupsPolicy field + determines whether these are in addition + + to or instead of any group memberships + defined in the container image. + + If unspecified, no additional groups are + added, though group memberships + + defined in the container image may still + be used, depending on the + + supplementalGroupsPolicy field. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: >- + Defines how supplemental groups of the + first container processes are + calculated. + + Valid values are "Merge" and "Strict". + If not specified, "Merge" is used. + + (Alpha) Using the field requires the + SupplementalGroupsPolicy feature gate to + be enabled + + and the container runtime must implement + support for this feature. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. 
+ items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options within a + container's SecurityContext will be + used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. + + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: >- + The pod this Toleration is attached to + tolerates any taint that matches + + the triple using the + matching operator . + properties: + effect: + description: >- + Effect indicates the taint effect to + match. Empty means match all taint + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: >- + Key is the taint key that the toleration + applies to. Empty means match all taint + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. + type: string + operator: + description: >- + Operator represents a key's relationship + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: >- + TolerationSeconds represents the period + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. + By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. + format: int64 + type: integer + value: + description: >- + Value is the taint value the toleration + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: >- + TopologySpreadConstraints describes how a + group of pods ought to spread across + topology + + domains. Scheduler will schedule pods in a + way which abides by the constraints. + + All topologySpreadConstraints are ANDed. 
+ items: + description: >- + TopologySpreadConstraint specifies how to + spread matching pods among the given + topology. + properties: + labelSelector: + description: >- + LabelSelector is used to find matching + pods. + + Pods that match this label selector are + counted to determine the number of pods + + in their corresponding topology domain. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select the pods over which + + spreading will be calculated. 
The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are ANDed with labelSelector + + to select the group of existing pods + over which spreading will be calculated + + for the incoming pod. The same key is + forbidden to exist in both + MatchLabelKeys and LabelSelector. + + MatchLabelKeys cannot be set when + LabelSelector isn't set. + + Keys that don't exist in the incoming + pod labels will + + be ignored. A null or empty list means + only match against labelSelector. + + + This is a beta field and requires the + MatchLabelKeysInPodTopologySpread + feature gate to be enabled (enabled by + default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: >- + MaxSkew describes the degree to which + pods may be unevenly distributed. + + When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference + + between the number of matching pods in + the target topology and the global + minimum. + + The global minimum is the minimum number + of matching pods in an eligible domain + + or zero if the number of eligible + domains is less than MinDomains. + + For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the + same + + labelSelector spread as 2/2/1: + + In this case, the global minimum is 1. + + | zone1 | zone2 | zone3 | + + | P P | P P | P | + + - if MaxSkew is 1, incoming pod can only + be scheduled to zone3 to become 2/2/2; + + scheduling it onto zone1(zone2) would + make the ActualSkew(3-1) on zone1(zone2) + + violate MaxSkew(1). + + - if MaxSkew is 2, incoming pod can be + scheduled onto any zone. + + When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence + + to topologies that satisfy it. + + It's a required field. Default value is + 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: >- + MinDomains indicates a minimum number of + eligible domains. 
+ + When the number of eligible domains with + matching topology keys is less than + minDomains, + + Pod Topology Spread treats "global + minimum" as 0, and then the calculation + of Skew is performed. + + And when the number of eligible domains + with matching topology keys equals or + greater than minDomains, + + this value has no effect on scheduling. + + As a result, when the number of eligible + domains is less than minDomains, + + scheduler won't schedule more than + maxSkew Pods to those domains. + + If value is nil, the constraint behaves + as if MinDomains is equal to 1. + + Valid values are integers greater than + 0. + + When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. + + + For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set + to 5 and pods with the same + + labelSelector spread as 2/2/2: + + | zone1 | zone2 | zone3 | + + | P P | P P | P P | + + The number of domains is less than + 5(MinDomains), so "global minimum" is + treated as 0. + + In this situation, new pod with the same + labelSelector cannot be scheduled, + + because computed skew will be 3(3 - 0) + if new Pod is scheduled to any of the + three zones, + + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: >- + NodeAffinityPolicy indicates how we will + treat Pod's nodeAffinity/nodeSelector + + when calculating pod topology spread + skew. Options are: + + - Honor: only nodes matching + nodeAffinity/nodeSelector are included + in the calculations. + + - Ignore: nodeAffinity/nodeSelector are + ignored. All nodes are included in the + calculations. + + + If this value is nil, the behavior is + equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: >- + NodeTaintsPolicy indicates how we will + treat node taints when calculating + + pod topology spread skew. 
Options are: + + - Honor: nodes without taints, along + with tainted nodes for which the + incoming pod + + has a toleration, are included. + + - Ignore: node taints are ignored. All + nodes are included. + + + If this value is nil, the behavior is + equivalent to the Ignore policy. + type: string + topologyKey: + description: >- + TopologyKey is the key of node labels. + Nodes that have a label with this key + + and identical values are considered to + be in the same topology. + + We consider each as a + "bucket", and try to put balanced number + + of pods into each bucket. + + We define a domain as a particular + instance of a topology. + + Also, we define an eligible domain as a + domain whose nodes meet the requirements + of + + nodeAffinityPolicy and nodeTaintsPolicy. + + e.g. If TopologyKey is + "kubernetes.io/hostname", each Node is a + domain of that topology. + + And, if TopologyKey is + "topology.kubernetes.io/zone", each zone + is a domain of that topology. + + It's a required field. + type: string + whenUnsatisfiable: + description: >- + WhenUnsatisfiable indicates how to deal + with a pod if it doesn't satisfy + + the spread constraint. + + - DoNotSchedule (default) tells the + scheduler not to schedule it. + + - ScheduleAnyway tells the scheduler to + schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered + "Unsatisfiable" for an incoming pod + + if and only if every possible node + assignment for that pod would violate + + "MaxSkew" on some topology. + + For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the + same + + labelSelector spread as 3/1/1: + + | zone1 | zone2 | zone3 | + + | P P P | P | P | + + If WhenUnsatisfiable is set to + DoNotSchedule, incoming pod can only be + scheduled + + to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) + satisfies + + MaxSkew(1). 
In other words, the cluster + can still be imbalanced, but scheduler + + won't make it *more* imbalanced. + + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumes: + description: >- + Volumes that can be mounted by containers + belonging to the pod. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes + items: + description: >- + Volume represents a named volume in a pod + that may be accessed by any container in + the pod. + properties: + awsElasticBlockStore: + description: >- + awsElasticBlockStore represents an AWS + Disk resource that is attached to a + + kubelet's host machine and then exposed + to the pod. + + Deprecated: AWSElasticBlockStore is + deprecated. All operations for the + in-tree + + awsElasticBlockStore type are redirected + to the ebs.csi.aws.com CSI driver. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: >- + partition is the partition in the volume + that you want to mount. + + If omitted, the default is to mount by + volume name. + + Examples: For volume /dev/sda1, you + specify the partition as "1". + + Similarly, the volume partition for + /dev/sda is "0" (or you can leave the + property empty). + format: int32 + type: integer + readOnly: + description: >- + readOnly value true will force the + readOnly setting in VolumeMounts. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: >- + volumeID is unique ID of the persistent + disk resource in AWS (Amazon EBS + volume). + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: >- + azureDisk represents an Azure Data Disk + mount on the host and bind mount to the + pod. + + Deprecated: AzureDisk is deprecated. All + operations for the in-tree azureDisk + type + + are redirected to the disk.csi.azure.com + CSI driver. + properties: + cachingMode: + description: >- + cachingMode is the Host Caching mode: + None, Read Only, Read Write. + type: string + diskName: + description: >- + diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: >- + diskURI is the URI of data disk in the + blob storage + type: string + fsType: + default: ext4 + description: >- + fsType is Filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + kind: + description: >- + kind expected values are Shared: + multiple blob disks per storage account + Dedicated: single blob disk per storage + account Managed: azure managed data + disk (only in managed availability set). + defaults to shared + type: string + readOnly: + default: false + description: >- + readOnly Defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: >- + azureFile represents an Azure File + Service mount on the host and bind mount + to the pod. + + Deprecated: AzureFile is deprecated. All + operations for the in-tree azureFile + type + + are redirected to the file.csi.azure.com + CSI driver. 
+ properties: + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: >- + secretName is the name of secret that + contains Azure Storage Account Name and + Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: >- + cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime. + + Deprecated: CephFS is deprecated and the + in-tree cephfs type is no longer + supported. + properties: + monitors: + description: >- + monitors is Required: Monitors is a + collection of Ceph monitors + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: >- + path is Optional: Used as the mounted + root, rather than the full Ceph tree, + default is / + type: string + readOnly: + description: >- + readOnly is Optional: Defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: >- + secretFile is Optional: SecretFile is + the path to key ring for User, default + is /etc/ceph/user.secret + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: >- + secretRef is Optional: SecretRef is + reference to the authentication secret + for User, default is empty. + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. 
Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: >- + user is optional: User is the rados user + name, default is admin + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: >- + cinder represents a cinder volume + attached and mounted on kubelets host + machine. + + Deprecated: Cinder is deprecated. All + operations for the in-tree cinder type + + are redirected to the + cinder.csi.openstack.org CSI driver. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: >- + secretRef is optional: points to a + secret object containing parameters used + to connect + + to OpenStack. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: >- + volumeID used to identify the volume in + cinder. 
+ + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: >- + configMap represents a configMap that + should populate this volume + properties: + defaultMode: + description: >- + defaultMode is optional: mode bits used + to set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + ConfigMap will be projected into the + volume as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the ConfigMap, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. 
+ + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: >- + csi (Container Storage Interface) + represents ephemeral storage that is + handled by certain external CSI drivers. + properties: + driver: + description: >- + driver is the name of the CSI driver + that handles this volume. + + Consult with your admin for the correct + name as registered in the cluster. + type: string + fsType: + description: >- + fsType to mount. Ex. "ext4", "xfs", + "ntfs". + + If not provided, the empty value is + passed to the associated CSI driver + + which will determine the default + filesystem to apply. + type: string + nodePublishSecretRef: + description: >- + nodePublishSecretRef is a reference to + the secret object containing + + sensitive information to pass to the CSI + driver to complete the CSI + + NodePublishVolume and + NodeUnpublishVolume calls. + + This field is optional, and may be + empty if no secret is required. If the + + secret object contains more than one + secret, all secret references are + passed. 
+ properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: >- + readOnly specifies a read-only + configuration for the volume. + + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: >- + volumeAttributes stores driver-specific + properties that are passed to the CSI + + driver. Consult your driver's + documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: >- + downwardAPI represents downward API + about the pod that should populate this + volume + properties: + defaultMode: + description: >- + Optional: mode bits to use on created + files by default. Must be a + + Optional: mode bits used to set + permissions on created files by default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + Items is a list of downward API volume + file + items: + description: >- + DownwardAPIVolumeFile represents + information to create the file + containing the pod field + properties: + fieldRef: + description: >- + Required: Selects a field of the pod: + only annotations, labels, name, + namespace and uid are supported. 
+ properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: >- + Optional: mode bits used to set + permissions on this file, must be an + octal value + + between 0000 and 0777 or a decimal value + between 0 and 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + Required: Path is the relative path + name of the file to be created. Must not + be absolute or contain the '..' path. + Must be utf-8 encoded. The first item of + the relative path must not start with + '..' + type: string + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently + supported. 
+ properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: >- + emptyDir represents a temporary + directory that shares a pod's lifetime. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: >- + medium represents what type of storage + medium should back this directory. + + The default is "" which means to use the + node's default medium. + + Must be an empty string (default) or + Memory. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: >- + sizeLimit is the total amount of local + storage required for this EmptyDir + volume. + + The size limit is also applicable for + memory medium. + + The maximum usage on memory medium + EmptyDir would be the minimum value + between + + the SizeLimit specified here and the sum + of memory limits of all containers in a + pod. + + The default is nil which means that the + limit is undefined. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: >- + ephemeral represents a volume that is + handled by a cluster storage driver. + + The volume's lifecycle is tied to the + pod that defines it - it will be created + before the pod starts, + + and deleted when the pod is removed. + + + Use this if: + + a) the volume is only needed while the + pod runs, + + b) features of normal volumes like + restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified + through a storage class, and + + d) the storage driver supports dynamic + volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the + vendor-specific + + APIs for volumes that persist for longer + than the lifecycle + + of an individual pod. + + + Use CSI for light-weight local ephemeral + volumes if the CSI driver is meant to + + be used that way - see the documentation + of the driver for + + more information. + + + A pod can use both types of ephemeral + volumes and + + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: >- + Will be used to create a stand-alone PVC + to provision the volume. + + The pod in which this + EphemeralVolumeSource is embedded will + be the + + owner of the PVC, i.e. the PVC will be + deleted together with the + + pod. The name of the PVC will be `-` where + + `` is the name from the + `PodSpec.Volumes` array + + entry. Pod validation will reject the + pod if the concatenated name + + is not valid for a PVC (for example, too + long). 
+ + + An existing PVC with that name that is + not owned by the pod + + will *not* be used for the pod to avoid + using an unrelated + + volume by mistake. Starting the pod is + then blocked until + + the unrelated PVC is removed. If such a + pre-created PVC is + + meant to be used by the pod, the PVC has + to updated with an + + owner reference to the pod once the pod + exists. Normally + + this should not be necessary, but it may + be useful when + + manually reconstructing a broken + cluster. + + + This field is read-only and no changes + will be made by Kubernetes + + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: >- + May contain labels and annotations that + will be copied into the PVC + + when creating it. No other fields are + allowed and will be rejected during + + validation. + type: object + spec: + description: >- + The specification for the + PersistentVolumeClaim. The entire + content is + + copied unchanged into the PVC that gets + created from this + + template. The same fields as in a + PersistentVolumeClaim + + are also valid here. + properties: + accessModes: + description: >- + accessModes contains the desired access + modes the volume should have. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: >- + dataSource field can be used to specify + either: + + * An existing VolumeSnapshot object + (snapshot.storage.k8s.io/VolumeSnapshot) + + * An existing PVC + (PersistentVolumeClaim) + + If the provisioner or an external + controller can support the specified + data source, + + it will create a new volume based on the + contents of the specified data source. 
+ + When the AnyVolumeDataSource feature + gate is enabled, dataSource contents + will be copied to dataSourceRef, + + and dataSourceRef contents will be + copied to dataSource when + dataSourceRef.namespace is not + specified. + + If the namespace is specified, then + dataSourceRef will not be copied to + dataSource. + properties: + apiGroup: + description: >- + APIGroup is the group for the resource + being referenced. + + If APIGroup is not specified, the + specified Kind must be in the core API + group. + + For any other third-party types, + APIGroup is required. + type: string + kind: + description: >- + Kind is the type of resource being + referenced + type: string + name: + description: >- + Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: >- + dataSourceRef specifies the object from + which to populate the volume with data, + if a non-empty + + volume is desired. This may be any + object from a non-empty API group (non + + core object) or a PersistentVolumeClaim + object. + + When this field is specified, volume + binding will only succeed if the type of + + the specified object matches some + installed volume populator or dynamic + + provisioner. + + This field will replace the + functionality of the dataSource field + and as such + + if both fields are non-empty, they must + have the same value. For backwards + + compatibility, when namespace isn't + specified in dataSourceRef, + + both fields (dataSource and + dataSourceRef) will be set to the same + + value automatically if one of them is + empty and the other is non-empty. + + When namespace is specified in + dataSourceRef, + + dataSource isn't set to the same value + and must be empty. 
+ + There are three important differences + between dataSource and dataSourceRef: + + * While dataSource only allows two + specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed + values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local + objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the + AnyVolumeDataSource feature gate to be + enabled. + + (Alpha) Using the namespace field of + dataSourceRef requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled. + properties: + apiGroup: + description: >- + APIGroup is the group for the resource + being referenced. + + If APIGroup is not specified, the + specified Kind must be in the core API + group. + + For any other third-party types, + APIGroup is required. + type: string + kind: + description: >- + Kind is the type of resource being + referenced + type: string + name: + description: >- + Name is the name of resource being + referenced + type: string + namespace: + description: >- + Namespace is the namespace of resource + being referenced + + Note that when a namespace is specified, + a + gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. See the + ReferenceGrant documentation for + details. + + (Alpha) This field requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: >- + resources represents the minimum + resources the volume should have. + + Users are allowed to specify resource + requirements + + that are lower than previous value but + must still be higher than capacity + recorded in the + + status field of the claim. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: >- + selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: >- + storageClassName is the name of the + StorageClass required by the claim. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: >- + volumeAttributesClassName may be used to + set the VolumeAttributesClass used by + this claim. + + If specified, the CSI driver will create + or update the volume with the attributes + defined + + in the corresponding + VolumeAttributesClass. This has a + different purpose than storageClassName, + + it can be changed after the claim is + created. An empty string or nil value + indicates that no + + VolumeAttributesClass will be applied to + the claim. If the claim enters an + Infeasible error state, + + this field can be reset to its previous + value (including nil) to cancel the + modification. + + If the resource referred to by + volumeAttributesClass does not exist, + this PersistentVolumeClaim will be + + set to a Pending state, as reflected by + the modifyVolumeStatus field, until such + as a resource + + exists. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + type: string + volumeMode: + description: >- + volumeMode defines what type of volume + is required by the claim. + + Value of Filesystem is implied when not + included in claim spec. + type: string + volumeName: + description: >- + volumeName is the binding reference to + the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: >- + fc represents a Fibre Channel resource + that is attached to a kubelet's host + machine and then exposed to the pod. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: >- + readOnly is Optional: Defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: >- + targetWWNs is Optional: FC target + worldwide names (WWNs) + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: >- + wwids Optional: FC volume world wide + identifiers (wwids) + + Either wwids or combination of + targetWWNs and lun must be set, but not + both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: >- + flexVolume represents a generic volume + resource that is + + provisioned/attached using an exec based + plugin. + + Deprecated: FlexVolume is deprecated. + Consider using a CSIDriver instead. + properties: + driver: + description: >- + driver is the name of the driver to use + for this volume. + type: string + fsType: + description: >- + fsType is the filesystem type to mount. 
+ + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". The default + filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: >- + options is Optional: this field holds + extra command options if any. + type: object + readOnly: + description: >- + readOnly is Optional: defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef is Optional: secretRef is + reference to the secret object + containing + + sensitive information to pass to the + plugin scripts. This may be + + empty if no secret object is specified. + If the secret object + + contains more than one secret, all + secrets are passed to the plugin + + scripts. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: >- + flocker represents a Flocker volume + attached to a kubelet's host machine. + This depends on the Flocker control + service being running. + + Deprecated: Flocker is deprecated and + the in-tree flocker type is no longer + supported. + properties: + datasetName: + description: >- + datasetName is Name of the dataset + stored as metadata -> name on the + dataset for Flocker + + should be considered as deprecated + type: string + datasetUUID: + description: >- + datasetUUID is the UUID of the dataset. 
+ This is unique identifier of a Flocker + dataset + type: string + type: object + gcePersistentDisk: + description: >- + gcePersistentDisk represents a GCE Disk + resource that is attached to a + + kubelet's host machine and then exposed + to the pod. + + Deprecated: GCEPersistentDisk is + deprecated. All operations for the + in-tree + + gcePersistentDisk type are redirected to + the pd.csi.storage.gke.io CSI driver. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: >- + fsType is filesystem type of the volume + that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: >- + partition is the partition in the volume + that you want to mount. + + If omitted, the default is to mount by + volume name. + + Examples: For volume /dev/sda1, you + specify the partition as "1". + + Similarly, the volume partition for + /dev/sda is "0" (or you can leave the + property empty). + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: >- + pdName is unique name of the PD resource + in GCE. Used to identify the disk in + GCE. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: >- + gitRepo represents a git repository at a + particular revision. + + Deprecated: GitRepo is deprecated. 
To + provision a container with a git repo, + mount an + + EmptyDir into an InitContainer that + clones the repo using git, then mount + the EmptyDir + + into the Pod's container. + properties: + directory: + description: >- + directory is the target directory name. + + Must not contain or start with '..'. If + '.' is supplied, the volume directory + will be the + + git repository. Otherwise, if + specified, the volume will contain the + git repository in + + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: >- + revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: >- + glusterfs represents a Glusterfs mount + on the host that shares a pod's + lifetime. + + Deprecated: Glusterfs is deprecated and + the in-tree glusterfs type is no longer + supported. + properties: + endpoints: + description: >- + endpoints is the endpoint name that + details Glusterfs topology. + type: string + path: + description: >- + path is the Glusterfs volume path. + + More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: >- + readOnly here will force the Glusterfs + volume to be mounted with read-only + permissions. + + Defaults to false. + + More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: >- + hostPath represents a pre-existing file + or directory on the host + + machine that is directly exposed to the + container. This is generally + + used for system agents or other + privileged things that are allowed + + to see the host machine. Most containers + will NOT need this. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: >- + path of the directory on the host. 
+ + If the path is a symlink, it will follow + the link to the real path. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: >- + type for HostPath Volume + + Defaults to "" + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: >- + image represents an OCI object (a + container image or artifact) pulled and + mounted on the kubelet's host machine. + + The volume is resolved at pod startup + depending on which PullPolicy value is + provided: + + + - Always: the kubelet always attempts to + pull the reference. Container creation + will fail If the pull fails. + + - Never: the kubelet never pulls the + reference and only uses a local image or + artifact. Container creation will fail + if the reference isn't present. + + - IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull + fails. + + + The volume gets re-resolved if the pod + gets deleted and recreated, which means + that new remote content will become + available on pod recreation. + + A failure to resolve or pull the image + during pod startup will block containers + from starting and may add significant + latency. Failures will be retried using + normal volume backoff and will be + reported on the pod reason and message. + + The types of objects that may be mounted + by this volume are defined by the + container runtime implementation on a + host machine and at minimum must include + all valid types supported by the + container image field. + + The OCI object gets mounted in a single + directory + (spec.containers[*].volumeMounts.mountPath) + by merging the manifest layers in the + same way as for container images. + + The volume will be mounted read-only + (ro) and non-executable files (noexec). 
+ + Sub path mounts for containers are not + supported + (spec.containers[*].volumeMounts.subpath) + before 1.33. + + The field + spec.securityContext.fsGroupChangePolicy + has no effect on this volume type. + properties: + pullPolicy: + description: >- + Policy for pulling OCI objects. Possible + values are: + + Always: the kubelet always attempts to + pull the reference. Container creation + will fail If the pull fails. + + Never: the kubelet never pulls the + reference and only uses a local image or + artifact. Container creation will fail + if the reference isn't present. + + IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull + fails. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. + type: string + reference: + description: >- + Required: Image or artifact reference to + be used. + + Behaves in the same way as + pod.spec.containers[*].image. + + Pull secrets will be assembled in the + same way as for the container image by + looking up node credentials, SA image + pull secrets, and pod spec image pull + secrets. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher + level config management to default or + override + + container images in workload controllers + like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: >- + iscsi represents an ISCSI Disk resource + that is attached to a + + kubelet's host machine and then exposed + to the pod. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes/#iscsi + properties: + chapAuthDiscovery: + description: >- + chapAuthDiscovery defines whether + support iSCSI Discovery CHAP + authentication + type: boolean + chapAuthSession: + description: >- + chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: >- + initiatorName is the custom iSCSI + Initiator Name. + + If initiatorName is specified with + iscsiInterface simultaneously, new iSCSI + interface + + : will be + created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: >- + iscsiInterface is the interface Name + that uses an iSCSI transport. + + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: >- + portals is the iSCSI Target Portal List. + The portal is either an IP or + ip_addr:port if the port + + is other than default (typically TCP + ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + type: boolean + secretRef: + description: >- + secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: '' + description: >- + Name of the referent. 
+ + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: >- + targetPortal is iSCSI Target Portal. The + Portal is either an IP or ip_addr:port + if the port + + is other than default (typically TCP + ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: >- + name of the volume. + + Must be a DNS_LABEL and unique within + the pod. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: >- + nfs represents an NFS mount on the host + that shares a pod's lifetime + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: >- + path that is exported by the NFS server. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: >- + readOnly here will force the NFS export + to be mounted with read-only + permissions. + + Defaults to false. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: >- + server is the hostname or IP address of + the NFS server. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: >- + persistentVolumeClaimVolumeSource + represents a reference to a + + PersistentVolumeClaim in the same + namespace. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: >- + claimName is the name of a + PersistentVolumeClaim in the same + namespace as the pod using this volume. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: >- + readOnly Will force the ReadOnly setting + in VolumeMounts. + + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: >- + photonPersistentDisk represents a + PhotonController persistent disk + attached and mounted on kubelets host + machine. + + Deprecated: PhotonPersistentDisk is + deprecated and the in-tree + photonPersistentDisk type is no longer + supported. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + pdID: + description: >- + pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: >- + portworxVolume represents a portworx + volume attached and mounted on kubelets + host machine. + + Deprecated: PortworxVolume is + deprecated. All operations for the + in-tree portworxVolume type + + are redirected to the pxd.portworx.com + CSI driver when the CSIMigrationPortworx + feature-gate + + is on. + properties: + fsType: + description: >- + fSType represents the filesystem type to + mount + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs". Implicitly inferred + to be "ext4" if unspecified. + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. 
+ type: boolean + volumeID: + description: >- + volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: >- + projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: >- + defaultMode are the mode bits used to + set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + sources: + description: >- + sources is the list of volume + projections. Each entry in this list + + handles one source. + items: + description: >- + Projection that may be projected along + with other supported volume types. + + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: >- + ClusterTrustBundle allows a pod to + access the `.spec.trustBundle` field + + of ClusterTrustBundle objects in an + auto-updating file. + + + Alpha, gated by the + ClusterTrustBundleProjection feature + gate. + + + ClusterTrustBundle objects can either be + selected by name, or by the + + combination of signer name and a label + selector. + + + Kubelet performs aggressive + normalization of the PEM contents + written + + into the pod filesystem. Esoteric PEM + features such as inter-block + + comments and block headers are + stripped. Certificates are + deduplicated. + + The ordering of certificates within the + file is arbitrary, and Kubelet + + may change the order over time. + properties: + labelSelector: + description: >- + Select all ClusterTrustBundles that + match this label selector. 
Only has + + effect if signerName is set. + Mutually-exclusive with name. If unset, + + interpreted as "match nothing". If set + but empty, interpreted as "match + + everything". + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: >- + Select a single ClusterTrustBundle by + object name. Mutually-exclusive + + with signerName and labelSelector. + type: string + optional: + description: >- + If true, don't block pod startup if the + referenced ClusterTrustBundle(s) + + aren't available. If using name, then + the named ClusterTrustBundle is + + allowed not to exist. 
If using + signerName, then the combination of + + signerName and labelSelector is allowed + to match zero + + ClusterTrustBundles. + type: boolean + path: + description: >- + Relative path from the volume root to + write the bundle. + type: string + signerName: + description: >- + Select all ClusterTrustBundles that + match this signer name. + + Mutually-exclusive with name. The + contents of all selected + + ClusterTrustBundles will be unified and + deduplicated. + type: string + required: + - path + type: object + configMap: + description: >- + configMap information about the + configMap data to project + properties: + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + ConfigMap will be projected into the + volume as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the ConfigMap, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. 
+ + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: >- + downwardAPI information about the + downwardAPI data to project + properties: + items: + description: >- + Items is a list of DownwardAPIVolume + file + items: + description: >- + DownwardAPIVolumeFile represents + information to create the file + containing the pod field + properties: + fieldRef: + description: >- + Required: Selects a field of the pod: + only annotations, labels, name, + namespace and uid are supported. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: >- + Optional: mode bits used to set + permissions on this file, must be an + octal value + + between 0000 and 0777 or a decimal value + between 0 and 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + path: + description: >- + Required: Path is the relative path + name of the file to be created. Must not + be absolute or contain the '..' path. + Must be utf-8 encoded. The first item of + the relative path must not start with + '..' + type: string + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently + supported. + properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: >- + Projects an auto-rotating credential + bundle (private key and certificate + + chain) that the pod can use either as a + TLS client or server. + + + Kubelet generates a private key and uses + it to send a + + PodCertificateRequest to the named + signer. Once the signer approves the + + request and issues a certificate chain, + Kubelet writes the key and + + certificate chain to the pod + filesystem. The pod does not start + until + + certificates have been issued for each + podCertificate projected volume + + source in its spec. + + + Kubelet will begin trying to rotate the + certificate at the time indicated + + by the signer using the + PodCertificateRequest.Status.BeginRefreshAt + + timestamp. 
+ + + Kubelet can write a single file, + indicated by the credentialBundlePath + + field, or separate files, indicated by + the keyPath and + + certificateChainPath fields. + + + The credential bundle is a single file + in PEM format. The first PEM + + entry is the private key (in PKCS#8 + format), and the remaining PEM + + entries are the certificate chain issued + by the signer (typically, + + signers will return their certificate + chain in leaf-to-root order). + + + Prefer using the credential bundle + format, since your application code + + can read it atomically. If you use + keyPath and certificateChainPath, + + your application must make two separate + file reads. If these coincide + + with a certificate rotation, it is + possible that the private key and leaf + + certificate you read may not correspond + to each other. Your application + + will need to check for this condition, + and re-read until they are + + consistent. + + + The named signer controls chooses the + format of the certificate it + + issues; consult the signer + implementation's documentation to learn + how to + + use the certificates it issues. + properties: + certificateChainPath: + description: >- + Write the certificate chain at this path + in the projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + credentialBundlePath: + description: >- + Write the credential bundle at this path + in the projected volume. + + + The credential bundle is a single file + that contains multiple PEM blocks. + + The first PEM block is a PRIVATE KEY + block, containing a PKCS#8 private + + key. + + + The remaining blocks are CERTIFICATE + blocks, containing the issued + + certificate chain from the signer (leaf + and any intermediates). 
+ + + Using credentialBundlePath lets your + Pod's application code make a single + + atomic read that retrieves a consistent + key and certificate chain. If you + + project them to separate files, your + application code will need to + + additionally check that the leaf + certificate was issued to the key. + type: string + keyPath: + description: >- + Write the key at this path in the + projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + keyType: + description: >- + The type of keypair Kubelet will + generate for the pod. + + + Valid values are "RSA3072", "RSA4096", + "ECDSAP256", "ECDSAP384", + + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: >- + maxExpirationSeconds is the maximum + lifetime permitted for the + + certificate. + + + Kubelet copies this value verbatim into + the PodCertificateRequests it + + generates for this projection. + + + If omitted, kube-apiserver will set it + to 86400(24 hours). kube-apiserver + + will reject values shorter than 3600 (1 + hour). The maximum allowable + + value is 7862400 (91 days). + + + The signer implementation is then free + to issue a certificate with any + + lifetime *shorter* than + MaxExpirationSeconds, but no shorter + than 3600 + + seconds (1 hour). This constraint is + enforced by kube-apiserver. + + `kubernetes.io` signers will never issue + certificates with a lifetime + + longer than 24 hours. + format: int32 + type: integer + signerName: + description: >- + Kubelet's generated CSRs will be + addressed to this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: >- + userAnnotations allow pod authors to + pass additional information to + + the signer implementation. 
Kubernetes + does not restrict or validate this + + metadata in any way. + + + These values are copied verbatim into + the `spec.unverifiedUserAnnotations` + field of + + the PodCertificateRequest objects that + Kubelet creates. + + + Entries are subject to the same + validation as object metadata + annotations, + + with the addition that all keys must be + domain-prefixed. No restrictions + + are placed on values, except an overall + size limitation on the entire field. + + + Signers should document the keys and + values they support. Signers should + + deny requests that contain keys they do + not recognize. + type: object + required: + - keyType + - signerName + type: object + secret: + description: >- + secret information about the secret data + to project + properties: + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + Secret will be projected into the volume + as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the Secret, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional field specify whether the + Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: >- + serviceAccountToken is information about + the serviceAccountToken data to project + properties: + audience: + description: >- + audience is the intended audience of the + token. A recipient of a token + + must identify itself with an identifier + specified in the audience of the + + token, and otherwise should reject the + token. The audience defaults to the + + identifier of the apiserver. + type: string + expirationSeconds: + description: >- + expirationSeconds is the requested + duration of validity of the service + + account token. As the token approaches + expiration, the kubelet volume + + plugin will proactively rotate the + service account token. The kubelet will + + start trying to rotate the token if the + token is older than 80 percent of + + its time to live or if the token is + older than 24 hours.Defaults to 1 hour + + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: >- + path is the path relative to the mount + point of the file to project the + + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: >- + quobyte represents a Quobyte mount on + the host that shares a pod's lifetime. + + Deprecated: Quobyte is deprecated and + the in-tree quobyte type is no longer + supported. + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: >- + readOnly here will force the Quobyte + volume to be mounted with read-only + permissions. + + Defaults to false. + type: boolean + registry: + description: >- + registry represents a single or multiple + Quobyte Registry services + + specified as a string as host:port pair + (multiple entries are separated with + commas) + + which acts as the central registry for + volumes + type: string + tenant: + description: >- + tenant owning the given Quobyte volume + in the Backend + + Used with dynamically provisioned + Quobyte volumes, value is set by the + plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: >- + volume is a string that references an + already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: >- + rbd represents a Rados Block Device + mount on the host that shares a pod's + lifetime. + + Deprecated: RBD is deprecated and the + in-tree rbd type is no longer supported. + properties: + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: >- + image is the rados image name. 
+ + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: >- + keyring is the path to key ring for + RBDUser. + + Default is /etc/ceph/keyring. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: >- + monitors is a collection of Ceph + monitors. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: >- + pool is the rados pool name. + + Default is rbd. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: >- + secretRef is name of the authentication + secret for RBDUser. If provided + + overrides keyring. + + Default is nil. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: >- + user is the rados user name. + + Default is admin. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: >- + scaleIO represents a ScaleIO persistent + volume attached and mounted on + Kubernetes nodes. 
+ + Deprecated: ScaleIO is deprecated and + the in-tree scaleIO type is no longer + supported. + properties: + fsType: + default: xfs + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". + + Default is "xfs". + type: string + gateway: + description: >- + gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: >- + protectionDomain is the name of the + ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: >- + readOnly Defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef references to the secret for + ScaleIO user and other + + sensitive information. If this is not + provided, Login operation will fail. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: >- + sslEnabled Flag enable/disable SSL + communication with Gateway, default + false + type: boolean + storageMode: + default: ThinProvisioned + description: >- + storageMode indicates whether the + storage for a volume should be + ThickProvisioned or ThinProvisioned. + + Default is ThinProvisioned. + type: string + storagePool: + description: >- + storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: >- + system is the name of the storage system + as configured in ScaleIO. 
+ type: string + volumeName: + description: >- + volumeName is the name of a volume + already created in the ScaleIO system + + that is associated with this volume + source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: >- + secret represents a secret that should + populate this volume. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: >- + defaultMode is Optional: mode bits used + to set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values + + for mode bits. Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + items If unspecified, each key-value + pair in the Data field of the referenced + + Secret will be projected into the volume + as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the Secret, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
+ + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: >- + optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: >- + secretName is the name of the secret in + the pod's namespace to use. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: >- + storageOS represents a StorageOS volume + attached and mounted on Kubernetes + nodes. + + Deprecated: StorageOS is deprecated and + the in-tree storageos type is no longer + supported. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef specifies the secret to use + for obtaining the StorageOS API + + credentials. If not specified, default + values will be attempted. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: >- + volumeName is the human-readable name of + the StorageOS volume. Volume + + names are only unique within a + namespace. + type: string + volumeNamespace: + description: >- + volumeNamespace specifies the scope of + the volume within StorageOS. If no + + namespace is specified then the Pod's + namespace will be used. This allows the + + Kubernetes name scoping to be mirrored + within StorageOS for tighter + integration. + + Set VolumeName to any name to override + the default behaviour. + + Set to "default" if you are not using + namespaces within StorageOS. + + Namespaces that do not pre-exist within + StorageOS will be created. + type: string + type: object + vsphereVolume: + description: >- + vsphereVolume represents a vSphere + volume attached and mounted on kubelets + host machine. + + Deprecated: VsphereVolume is deprecated. + All operations for the in-tree + vsphereVolume type + + are redirected to the + csi.vsphere.vmware.com CSI driver. + properties: + fsType: + description: >- + fsType is filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: >- + storagePolicyID is the storage Policy + Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: >- + storagePolicyName is the storage Policy + Based Management (SPBM) profile name. 
+ type: string + volumePath: + description: >- + volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + strategy: + description: >- + The daemonset strategy to use to replace + existing pods with new ones. + properties: + rollingUpdate: + description: >- + Rolling update config params. Present only + if type = "RollingUpdate". + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: >- + The maximum number of nodes with an + existing available DaemonSet pod that + + can have an updated DaemonSet pod during + during an update. + + Value can be an absolute number (ex: 5) + or a percentage of desired pods (ex: + 10%). + + This can not be 0 if MaxUnavailable is + 0. + + Absolute number is calculated from + percentage by rounding up to a minimum + of 1. + + Default value is 0. + + Example: when this is set to 30%, at + most 30% of the total number of nodes + + that should be running the daemon pod + (i.e. status.desiredNumberScheduled) + + can have their a new pod created before + the old pod is marked as deleted. + + The update starts by launching new pods + on 30% of nodes. Once an updated + + pod is available (Ready for at least + minReadySeconds) the old DaemonSet pod + + on that node is marked deleted. If the + old pod becomes unavailable for any + + reason (Ready transitions to false, is + evicted, or is drained) an updated + + pod is immediately created on that node + without considering surge limits. + + Allowing surge implies the possibility + that the resources consumed by the + + daemonset on any given node can double + if the readiness check fails, and + + so resource intensive daemonsets should + take into account that they may + + cause evictions during disruption. 
+ x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: >- + The maximum number of DaemonSet pods + that can be unavailable during the + + update. Value can be an absolute number + (ex: 5) or a percentage of total + + number of DaemonSet pods at the start of + the update (ex: 10%). Absolute + + number is calculated from percentage by + rounding up. + + This cannot be 0 if MaxSurge is 0 + + Default value is 1. + + Example: when this is set to 30%, at + most 30% of the total number of nodes + + that should be running the daemon pod + (i.e. status.desiredNumberScheduled) + + can have their pods stopped for an + update at any given time. The update + + starts by stopping at most 30% of those + DaemonSet pods and then brings + + up new DaemonSet pods in their place. + Once the new pods are available, + + it then proceeds onto other DaemonSet + pods, thus ensuring that at least + + 70% of original number of DaemonSet pods + are available at all times during + + the update. + x-kubernetes-int-or-string: true + type: object + type: + description: >- + Type of daemon set update. Can be + "RollingUpdate" or "OnDelete". Default is + RollingUpdate. + type: string + type: object + type: object + envoyDeployment: + description: >- + EnvoyDeployment defines the desired state of the + Envoy deployment resource. + + If unspecified, default settings for the managed + Envoy deployment resource + + are applied. + properties: + container: + description: >- + Container defines the desired specification of + main container. + properties: + env: + description: >- + List of environment variables to set in the + container. + items: + description: >- + EnvVar represents an environment variable + present in a Container. + properties: + name: + description: >- + Name of the environment variable. + + May consist of any printable ASCII + characters except '='. 
+ type: string + value: + description: >- + Variable references $(VAR_NAME) are + expanded + + using the previously defined environment + variables in the container and + + any service environment variables. If a + variable cannot be resolved, + + the reference in the input string will + be unchanged. Double $$ are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + + "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". + + Escaped references will never be + expanded, regardless of whether the + variable + + exists or not. + + Defaults to "". + type: string + valueFrom: + description: >- + Source for the environment variable's + value. Cannot be used if value is not + empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: >- + Selects a field of the pod: supports + metadata.name, metadata.namespace, + `metadata.labels['']`, + `metadata.annotations['']`, + + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, + status.podIPs. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: >- + FileKeyRef selects a key of the env + file. + + Requires the EnvFiles feature gate to be + enabled. + properties: + key: + description: >- + The key within the env file. An invalid + key will prevent the pod from starting. + + The keys defined within a source may + consist of any printable ASCII + characters except '='. + + During Alpha stage of the EnvFiles + feature gate, the key size is limited to + 128 characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must + be defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the + specified key does not exist, + + the environment variable will not be set + in the Pod's containers. + + + If optional is set to false and the + specified key does not exist, + + an error will be returned during Pod + creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the + '..' path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and + requests.ephemeral-storage) are + currently supported. 
+ properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: >- + Selects a key of a secret in the pod's + namespace + properties: + key: + description: >- + The key of the secret to select from. + Must be a valid secret key. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: >- + Image specifies the EnvoyProxy container + image to be used including a tag, instead of + the default image. + + This field is mutually exclusive with + ImageRepository. + type: string + x-kubernetes-validations: + - message: >- + Image must include a tag and allowed + characters only (e.g., 'repo:tag'). + rule: >- + self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') + imageRepository: + description: >- + ImageRepository specifies the container + image repository to be used without + specifying a tag. 
+ + The default tag will be used. + + This field is mutually exclusive with Image. + type: string + x-kubernetes-validations: + - message: >- + ImageRepository must contain only + allowed characters and must not include + a tag. + rule: >- + self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?[a-zA-Z0-9._/-]+$') + resources: + description: >- + Resources required by this container. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: >- + Claims lists the names of resources, + defined in spec.resourceClaims, + + that are used by this container. + + + This field depends on the + + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be + set for containers. + items: + description: >- + ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: >- + Name must match the name of one entry in + pod.spec.resourceClaims of + + the Pod where this field is used. It + makes that resource available + + inside a container. + type: string + request: + description: >- + Request is the name chosen for a request + in the referenced claim. + + If empty, everything from the claim is + made available, otherwise + + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. 
+ + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: >- + SecurityContext defines the security options + the container should be run with. + + If set, the fields of SecurityContext + override the equivalent fields of + PodSecurityContext. + + More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + properties: + allowPrivilegeEscalation: + description: >- + AllowPrivilegeEscalation controls + whether a process can gain more + + privileges than its parent process. This + bool directly controls if + + the no_new_privs flag will be set on the + container process. + + AllowPrivilegeEscalation is true always + when the container is: + + 1) run as Privileged + + 2) has CAP_SYS_ADMIN + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by this container. If set, this + profile + + overrides the pod's appArmorProfile. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. 
+ + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: >- + The capabilities to add/drop when + running containers. + + Defaults to the default set of + capabilities granted by the container + runtime. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: >- + Run container in privileged mode. + + Processes in privileged containers are + essentially equivalent to root on the + host. + + Defaults to false. + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + procMount: + description: >- + procMount denotes the type of proc mount + to use for the containers. + + The default value is Default which uses + the container runtime defaults for + + readonly paths and masked paths. + + This requires the ProcMountType feature + flag to be enabled. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: >- + Whether this container has a read-only + root filesystem. + + Default is false. + + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to the + container. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + PodSecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. 
+ type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by this + container. If seccomp options are + + provided at both the pod & container + level, the container options + + override the pod options. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options from the + PodSecurityContext will be used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. 
+ type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. + + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + volumeMounts: + description: >- + VolumeMounts are volumes to mount into the + container's filesystem. + + Cannot be updated. + items: + description: >- + VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: >- + Path within the container at which the + volume should be mounted. Must + + not contain ':'. + type: string + mountPropagation: + description: >- + mountPropagation determines how mounts + are propagated from the host + + to container and the other way around. + + When not set, MountPropagationNone is + used. + + This field is beta in 1.10. + + When RecursiveReadOnly is set to + IfPossible or to Enabled, + MountPropagation must be None or + unspecified + + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: >- + Mounted read-only if true, read-write + otherwise (false or unspecified). + + Defaults to false. 
+ type: boolean + recursiveReadOnly: + description: >- + RecursiveReadOnly specifies whether + read-only mounts should be handled + + recursively. + + + If ReadOnly is false, this field has no + meaning and must be unspecified. + + + If ReadOnly is true, and this field is + set to Disabled, the mount is not made + + recursively read-only. If this field is + set to IfPossible, the mount is made + + recursively read-only, if it is + supported by the container runtime. If + this + + field is set to Enabled, the mount is + made recursively read-only if it is + + supported by the container runtime, + otherwise the pod will not be started + and + + an error will be generated to indicate + the reason. + + + If this field is set to IfPossible or + Enabled, MountPropagation must be set to + + None (or be unspecified, which defaults + to None). + + + If this field is not specified, it is + treated as an equivalent of Disabled. + type: string + subPath: + description: >- + Path within the volume from which the + container's volume should be mounted. + + Defaults to "" (volume's root). + type: string + subPathExpr: + description: >- + Expanded path within the volume from + which the container's volume should be + mounted. + + Behaves similarly to SubPath but + environment variable references + $(VAR_NAME) are expanded using the + container's environment. + + Defaults to "" (volume's root). + + SubPathExpr and SubPath are mutually + exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + type: object + x-kubernetes-validations: + - message: Either image or imageRepository can be set. + rule: >- + !has(self.image) || + !has(self.imageRepository) + initContainers: + description: >- + List of initialization containers belonging to + the pod. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + items: + description: >- + A single application container that you want + to run within a pod. 
+ properties: + args: + description: >- + Arguments to the entrypoint. + + The container image's CMD is used if this + is not provided. + + Variable references $(VAR_NAME) are + expanded using the container's + environment. If a variable + + cannot be resolved, the reference in the + input string will be unchanged. Double $$ + are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will + + produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, + regardless + + of whether the variable exists or not. + Cannot be updated. + + More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + description: >- + Entrypoint array. Not executed within a + shell. + + The container image's ENTRYPOINT is used + if this is not provided. + + Variable references $(VAR_NAME) are + expanded using the container's + environment. If a variable + + cannot be resolved, the reference in the + input string will be unchanged. Double $$ + are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will + + produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, + regardless + + of whether the variable exists or not. + Cannot be updated. + + More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + description: >- + List of environment variables to set in + the container. + + Cannot be updated. + items: + description: >- + EnvVar represents an environment + variable present in a Container. + properties: + name: + description: >- + Name of the environment variable. + + May consist of any printable ASCII + characters except '='. 
+ type: string + value: + description: >- + Variable references $(VAR_NAME) are + expanded + + using the previously defined environment + variables in the container and + + any service environment variables. If a + variable cannot be resolved, + + the reference in the input string will + be unchanged. Double $$ are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + + "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". + + Escaped references will never be + expanded, regardless of whether the + variable + + exists or not. + + Defaults to "". + type: string + valueFrom: + description: >- + Source for the environment variable's + value. Cannot be used if value is not + empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: >- + Selects a field of the pod: supports + metadata.name, metadata.namespace, + `metadata.labels['']`, + `metadata.annotations['']`, + + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, + status.podIPs. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: >- + FileKeyRef selects a key of the env + file. + + Requires the EnvFiles feature gate to be + enabled. + properties: + key: + description: >- + The key within the env file. An invalid + key will prevent the pod from starting. + + The keys defined within a source may + consist of any printable ASCII + characters except '='. + + During Alpha stage of the EnvFiles + feature gate, the key size is limited to + 128 characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must + be defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the + specified key does not exist, + + the environment variable will not be set + in the Pod's containers. + + + If optional is set to false and the + specified key does not exist, + + an error will be returned during Pod + creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the + '..' path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and + requests.ephemeral-storage) are + currently supported. 
+ properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: >- + Selects a key of a secret in the pod's + namespace + properties: + key: + description: >- + The key of the secret to select from. + Must be a valid secret key. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + description: >- + List of sources to populate environment + variables in the container. + + The keys defined within a source may + consist of any printable ASCII characters + except '='. + + When a key exists in multiple + + sources, the value associated with the + last source will take precedence. + + Values defined by an Env with a duplicate + key will take precedence. + + Cannot be updated. 
+ items: + description: >- + EnvFromSource represents the source of a + set of ConfigMaps or Secrets + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the ConfigMap must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: >- + Optional text to prepend to the name of + each environment variable. + + May consist of any printable ASCII + characters except '='. + type: string + secretRef: + description: The Secret to select from + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the Secret must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + description: >- + Container image name. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher + level config management to default or + override + + container images in workload controllers + like Deployments and StatefulSets. + type: string + imagePullPolicy: + description: >- + Image pull policy. + + One of Always, Never, IfNotPresent. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. 
+ + Cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: >- + Actions that the management system should + take in response to container lifecycle + events. + + Cannot be updated. + properties: + postStart: + description: >- + PostStart is called immediately after a + container is created. If the handler + fails, + + the container is terminated and + restarted according to its restart + policy. + + Other management of the container blocks + until the hook completes. + + More info: + https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. + properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. 
+ type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: >- + Sleep represents a duration that the + container should sleep. + properties: + seconds: + description: >- + Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: >- + Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept + + for backward compatibility. There is no + validation of this field and + + lifecycle hooks will fail at runtime + when it is specified. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: >- + PreStop is called immediately before a + container is terminated due to an + + API request or management event such as + liveness/startup probe failure, + + preemption, resource contention, etc. + The handler is not called if the + + container crashes or exits. The Pod's + termination grace period countdown + begins before the + + PreStop hook is executed. 
Regardless of + the outcome of the handler, the + + container will eventually terminate + within the Pod's termination grace + + period (unless delayed by finalizers). + Other management of the container blocks + until the hook completes + + or until the termination grace period is + reached. + + More info: + https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. + properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: >- + Sleep represents a duration that the + container should sleep. + properties: + seconds: + description: >- + Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: >- + Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept + + for backward compatibility. There is no + validation of this field and + + lifecycle hooks will fail at runtime + when it is specified. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + description: >- + StopSignal defines which signal will be + sent to a container when it is being + stopped. + + If not specified, the default is defined + by the container runtime in use. + + StopSignal can only be set for Pods with + a non-empty .spec.os.name + type: string + type: object + livenessProbe: + description: >- + Periodic probe of container liveness. + + Container will be restarted if the probe + fails. + + Cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. 
+ properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: >- + Minimum consecutive failures for the + probe to be considered failed after + having succeeded. + + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: >- + GRPC specifies a GRPC + HealthCheckRequest. + properties: + port: + description: >- + Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: '' + description: >- + Service is the name of the service to + place in the gRPC HealthCheckRequest + + (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + + If this is not specified, the default + behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. 
+ type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: >- + Number of seconds after the container + has started before liveness probes are + initiated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: >- + How often (in seconds) to perform the + probe. + + Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: >- + Minimum consecutive successes for the + probe to be considered successful after + having failed. + + Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: >- + TCPSocket specifies a connection to a + TCP port. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: >- + Optional duration in seconds the pod + needs to terminate gracefully upon probe + failure. 
+ + The grace period is the duration in + seconds after the processes running in + the pod are sent + + a termination signal and the time when + the processes are forcibly halted with a + kill signal. + + Set this value longer than the expected + cleanup time for your process. + + If this value is nil, the pod's + terminationGracePeriodSeconds will be + used. Otherwise, this + + value overrides the value provided by + the pod spec. + + Value must be non-negative integer. The + value zero indicates stop immediately + via + + the kill signal (no opportunity to shut + down). + + This is a beta field and requires + enabling ProbeTerminationGracePeriod + feature gate. + + Minimum value is 1. + spec.terminationGracePeriodSeconds is + used if unset. + format: int64 + type: integer + timeoutSeconds: + description: >- + Number of seconds after which the probe + times out. + + Defaults to 1 second. Minimum value is + 1. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + name: + description: >- + Name of the container specified as a + DNS_LABEL. + + Each container in a pod must have a unique + name (DNS_LABEL). + + Cannot be updated. + type: string + ports: + description: >- + List of ports to expose from the + container. Not specifying a port here + + DOES NOT prevent that port from being + exposed. Any port which is + + listening on the default "0.0.0.0" address + inside a container will be + + accessible from the network. + + Modifying this array with strategic merge + patch may corrupt the data. + + For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + + Cannot be updated. + items: + description: >- + ContainerPort represents a network port + in a single container. + properties: + containerPort: + description: >- + Number of port to expose on the pod's IP + address. + + This must be a valid port number, 0 < x + < 65536. 
+ format: int32 + type: integer + hostIP: + description: >- + What host IP to bind the external port + to. + type: string + hostPort: + description: >- + Number of port to expose on the host. + + If specified, this must be a valid port + number, 0 < x < 65536. + + If HostNetwork is specified, this must + match ContainerPort. + + Most containers do not need this. + format: int32 + type: integer + name: + description: >- + If specified, this must be an + IANA_SVC_NAME and unique within the pod. + Each + + named port in a pod must have a unique + name. Name for the port that can be + + referred to by services. + type: string + protocol: + default: TCP + description: >- + Protocol for port. Must be UDP, TCP, or + SCTP. + + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: >- + Periodic probe of container service + readiness. + + Container will be removed from service + endpoints if the probe fails. + + Cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. + properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: >- + Minimum consecutive failures for the + probe to be considered failed after + having succeeded. 
+ + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: >- + GRPC specifies a GRPC + HealthCheckRequest. + properties: + port: + description: >- + Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: '' + description: >- + Service is the name of the service to + place in the gRPC HealthCheckRequest + + (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + + If this is not specified, the default + behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: >- + Number of seconds after the container + has started before liveness probes are + initiated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: >- + How often (in seconds) to perform the + probe. + + Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: >- + Minimum consecutive successes for the + probe to be considered successful after + having failed. + + Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: >- + TCPSocket specifies a connection to a + TCP port. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: >- + Optional duration in seconds the pod + needs to terminate gracefully upon probe + failure. + + The grace period is the duration in + seconds after the processes running in + the pod are sent + + a termination signal and the time when + the processes are forcibly halted with a + kill signal. + + Set this value longer than the expected + cleanup time for your process. + + If this value is nil, the pod's + terminationGracePeriodSeconds will be + used. Otherwise, this + + value overrides the value provided by + the pod spec. + + Value must be non-negative integer. The + value zero indicates stop immediately + via + + the kill signal (no opportunity to shut + down). 
+ + This is a beta field and requires + enabling ProbeTerminationGracePeriod + feature gate. + + Minimum value is 1. + spec.terminationGracePeriodSeconds is + used if unset. + format: int64 + type: integer + timeoutSeconds: + description: >- + Number of seconds after which the probe + times out. + + Defaults to 1 second. Minimum value is + 1. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + resizePolicy: + description: >- + Resources resize policy for the container. + + This field cannot be set on ephemeral + containers. + items: + description: >- + ContainerResizePolicy represents + resource resize policy for the + container. + properties: + resourceName: + description: >- + Name of the resource to which this + resource resize policy applies. + + Supported values: cpu, memory. + type: string + restartPolicy: + description: >- + Restart policy to apply when specified + resource is resized. + + If not specified, it defaults to + NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: >- + Compute Resources required by this + container. + + Cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: >- + Claims lists the names of resources, + defined in spec.resourceClaims, + + that are used by this container. + + + This field depends on the + + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be + set for containers. + items: + description: >- + ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: >- + Name must match the name of one entry in + pod.spec.resourceClaims of + + the Pod where this field is used. It + makes that resource available + + inside a container. 
+ type: string + request: + description: >- + Request is the name chosen for a request + in the referenced claim. + + If empty, everything from the claim is + made available, otherwise + + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + restartPolicy: + description: >- + RestartPolicy defines the restart behavior + of individual containers in a pod. + + This overrides the pod-level restart + policy. When this field is not specified, + + the restart behavior is defined by the + Pod's restart policy and the container + type. + + Additionally, setting the RestartPolicy as + "Always" for the init container will + + have the following effect: + + this init container will be continually + restarted on + + exit until all regular containers have + terminated. 
Once all regular + + containers have completed, all init + containers with restartPolicy "Always" + + will be shut down. This lifecycle differs + from normal init containers and + + is often referred to as a "sidecar" + container. Although this init + + container still starts in the init + container sequence, it does not wait + + for the container to complete before + proceeding to the next init + + container. Instead, the next init + container starts immediately after this + + init container is started, or after any + startupProbe has successfully + + completed. + type: string + restartPolicyRules: + description: >- + Represents a list of rules to be checked + to determine if the + + container should be restarted on exit. The + rules are evaluated in + + order. Once a rule matches a container + exit condition, the remaining + + rules are ignored. If no rule matches the + container exit condition, + + the Container-level restart policy + determines the whether the container + + is restarted or not. Constraints on the + rules: + + - At most 20 rules are allowed. + + - Rules can have the same action. + + - Identical rules are not forbidden in + validations. + + When rules are specified, container MUST + set RestartPolicy explicitly + + even it if matches the Pod's + RestartPolicy. + items: + description: >- + ContainerRestartRule describes how a + container exit is handled. + properties: + action: + description: >- + Specifies the action taken on a + container exit if the requirements + + are satisfied. The only possible value + is "Restart" to restart the + + container. + type: string + exitCodes: + description: >- + Represents the exit codes to check on + container exits. + properties: + operator: + description: >- + Represents the relationship between the + container exit code(s) and the + + specified values. Possible values are: + + - In: the requirement is satisfied if + the container exit code is in the + set of specified values. 
+ - NotIn: the requirement is satisfied if + the container exit code is + not in the set of specified values. + type: string + values: + description: >- + Specifies the set of values to check for + container exit codes. + + At most 255 elements are allowed. + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + description: >- + SecurityContext defines the security + options the container should be run with. + + If set, the fields of SecurityContext + override the equivalent fields of + PodSecurityContext. + + More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + properties: + allowPrivilegeEscalation: + description: >- + AllowPrivilegeEscalation controls + whether a process can gain more + + privileges than its parent process. This + bool directly controls if + + the no_new_privs flag will be set on the + container process. + + AllowPrivilegeEscalation is true always + when the container is: + + 1) run as Privileged + + 2) has CAP_SYS_ADMIN + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by this container. If set, this + profile + + overrides the pod's appArmorProfile. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. + + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. 
+ RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: >- + The capabilities to add/drop when + running containers. + + Defaults to the default set of + capabilities granted by the container + runtime. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: >- + Run container in privileged mode. + + Processes in privileged containers are + essentially equivalent to root on the + host. + + Defaults to false. + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + procMount: + description: >- + procMount denotes the type of proc mount + to use for the containers. + + The default value is Default which uses + the container runtime defaults for + + readonly paths and masked paths. + + This requires the ProcMountType feature + flag to be enabled. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: >- + Whether this container has a read-only + root filesystem. + + Default is false. + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to the + container. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + PodSecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by this + container. 
If seccomp options are + + provided at both the pod & container + level, the container options + + override the pod options. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options from the + PodSecurityContext will be used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. 
+ + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + startupProbe: + description: >- + StartupProbe indicates that the Pod has + successfully initialized. + + If specified, no other probes are executed + until this completes successfully. + + If this probe fails, the Pod will be + restarted, just as if the livenessProbe + failed. + + This can be used to provide different + probe parameters at the beginning of a + Pod's lifecycle, + + when it might take a long time to load + data or warm a cache, than during + steady-state operation. + + This cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. + properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: >- + Minimum consecutive failures for the + probe to be considered failed after + having succeeded. + + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: >- + GRPC specifies a GRPC + HealthCheckRequest. + properties: + port: + description: >- + Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: '' + description: >- + Service is the name of the service to + place in the gRPC HealthCheckRequest + + (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + + If this is not specified, the default + behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: >- + Number of seconds after the container + has started before liveness probes are + initiated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: >- + How often (in seconds) to perform the + probe. + + Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: >- + Minimum consecutive successes for the + probe to be considered successful after + having failed. + + Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: >- + TCPSocket specifies a connection to a + TCP port. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: >- + Optional duration in seconds the pod + needs to terminate gracefully upon probe + failure. + + The grace period is the duration in + seconds after the processes running in + the pod are sent + + a termination signal and the time when + the processes are forcibly halted with a + kill signal. + + Set this value longer than the expected + cleanup time for your process. + + If this value is nil, the pod's + terminationGracePeriodSeconds will be + used. Otherwise, this + + value overrides the value provided by + the pod spec. + + Value must be non-negative integer. 
The + value zero indicates stop immediately + via + + the kill signal (no opportunity to shut + down). + + This is a beta field and requires + enabling ProbeTerminationGracePeriod + feature gate. + + Minimum value is 1. + spec.terminationGracePeriodSeconds is + used if unset. + format: int64 + type: integer + timeoutSeconds: + description: >- + Number of seconds after which the probe + times out. + + Defaults to 1 second. Minimum value is + 1. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + stdin: + description: >- + Whether this container should allocate a + buffer for stdin in the container runtime. + If this + + is not set, reads from stdin in the + container will always result in EOF. + + Default is false. + type: boolean + stdinOnce: + description: >- + Whether the container runtime should close + the stdin channel after it has been opened + by + + a single attach. When stdin is true the + stdin stream will remain open across + multiple attach + + sessions. If stdinOnce is set to true, + stdin is opened on container start, is + empty until the + + first client attaches to stdin, and then + remains open and accepts data until the + client disconnects, + + at which time stdin is closed and remains + closed until the container is restarted. + If this + + flag is false, a container processes that + reads from stdin will never receive an + EOF. + + Default is false + type: boolean + terminationMessagePath: + description: >- + Optional: Path at which the file to which + the container's termination message + + will be written is mounted into the + container's filesystem. + + Message written is intended to be brief + final status, such as an assertion failure + message. + + Will be truncated by the node if greater + than 4096 bytes. The total message length + across + + all containers will be limited to 12kb. + + Defaults to /dev/termination-log. + + Cannot be updated. 
+ type: string + terminationMessagePolicy: + description: >- + Indicate how the termination message + should be populated. File will use the + contents of + + terminationMessagePath to populate the + container status message on both success + and failure. + + FallbackToLogsOnError will use the last + chunk of container log output if the + termination + + message file is empty and the container + exited with an error. + + The log output is limited to 2048 bytes or + 80 lines, whichever is smaller. + + Defaults to File. + + Cannot be updated. + type: string + tty: + description: >- + Whether this container should allocate a + TTY for itself, also requires 'stdin' to + be true. + + Default is false. + type: boolean + volumeDevices: + description: >- + volumeDevices is the list of block devices + to be used by the container. + items: + description: >- + volumeDevice describes a mapping of a + raw block device within a container. + properties: + devicePath: + description: >- + devicePath is the path inside of the + container that the device will be mapped + to. + type: string + name: + description: >- + name must match the name of a + persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + description: >- + Pod volumes to mount into the container's + filesystem. + + Cannot be updated. + items: + description: >- + VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: >- + Path within the container at which the + volume should be mounted. Must + + not contain ':'. + type: string + mountPropagation: + description: >- + mountPropagation determines how mounts + are propagated from the host + + to container and the other way around. + + When not set, MountPropagationNone is + used. + + This field is beta in 1.10. 
+ + When RecursiveReadOnly is set to + IfPossible or to Enabled, + MountPropagation must be None or + unspecified + + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: >- + Mounted read-only if true, read-write + otherwise (false or unspecified). + + Defaults to false. + type: boolean + recursiveReadOnly: + description: >- + RecursiveReadOnly specifies whether + read-only mounts should be handled + + recursively. + + + If ReadOnly is false, this field has no + meaning and must be unspecified. + + + If ReadOnly is true, and this field is + set to Disabled, the mount is not made + + recursively read-only. If this field is + set to IfPossible, the mount is made + + recursively read-only, if it is + supported by the container runtime. If + this + + field is set to Enabled, the mount is + made recursively read-only if it is + + supported by the container runtime, + otherwise the pod will not be started + and + + an error will be generated to indicate + the reason. + + + If this field is set to IfPossible or + Enabled, MountPropagation must be set to + + None (or be unspecified, which defaults + to None). + + + If this field is not specified, it is + treated as an equivalent of Disabled. + type: string + subPath: + description: >- + Path within the volume from which the + container's volume should be mounted. + + Defaults to "" (volume's root). + type: string + subPathExpr: + description: >- + Expanded path within the volume from + which the container's volume should be + mounted. + + Behaves similarly to SubPath but + environment variable references + $(VAR_NAME) are expanded using the + container's environment. + + Defaults to "" (volume's root). + + SubPathExpr and SubPath are mutually + exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + description: >- + Container's working directory. + + If not specified, the container runtime's + default will be used, which + + might be configured in the container + image. + + Cannot be updated. + type: string + required: + - name + type: object + type: array + name: + description: >- + Name of the deployment. + + When unset, this defaults to an autogenerated + name. + type: string + patch: + description: >- + Patch defines how to perform the patch operation + to deployment + properties: + type: + description: >- + Type is the type of merge operation to + perform + + + By default, StrategicMerge is used as the + patch type. + type: string + value: + description: >- + Object contains the raw configuration for + merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object + pod: + description: Pod defines the desired specification of pod. + properties: + affinity: + description: >- + If specified, the pod's scheduling + constraints. + properties: + nodeAffinity: + description: >- + Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + + node(s) with the highest sum are the + most preferred. 
+ items: + description: >- + An empty preferred scheduling term + matches all objects with implicit weight + 0 + + (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: >- + A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. 
+ type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: >- + Weight associated with matching the + corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to an update), the system + + may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: >- + Required. A list of node selector terms. + The terms are ORed. + items: + description: >- + A null or empty node selector term + matches no objects. The requirements of + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. 
+ type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: >- + Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. 
+ items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. 
Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: >- + Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in + the same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. 
+ + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. 
+ + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the anti-affinity requirements + specified by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. 
+ items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. 
+ properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + annotations: + additionalProperties: + type: string + description: >- + Annotations are the annotations that should + be appended to the pods. + + By default, no pod annotations are appended. + type: object + imagePullSecrets: + description: >- + ImagePullSecrets is an optional list of + references to secrets + + in the same namespace to use for pulling any + of the images used by this PodSpec. + + If specified, these secrets will be passed + to individual puller implementations for + them to use. + + More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + items: + description: >- + LocalObjectReference contains enough + information to let you locate the + + referenced object inside the same + namespace. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + labels: + additionalProperties: + type: string + description: >- + Labels are the additional labels that should + be tagged to the pods. 
+ + By default, no additional pod labels are + tagged. + type: object + nodeSelector: + additionalProperties: + type: string + description: >- + NodeSelector is a selector which must be + true for the pod to fit on a node. + + Selector which must match a node's labels + for the pod to be scheduled on that node. + + More info: + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + priorityClassName: + description: >- + PriorityClassName indicates the importance + of a Pod relative to other Pods. + + If a PriorityClassName is not specified, the + pod priority will be default or zero if + there is no default. + + More info: + https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ + type: string + securityContext: + description: >- + SecurityContext holds pod-level security + attributes and common container settings. + + Optional: Defaults to empty. See type + description for default values of each + field. + properties: + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by the containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. + + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. 
+ + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxChangePolicy: + description: >- + seLinuxChangePolicy defines how the + container's SELinux label is applied to + all volumes used by the Pod. + + It has no effect on nodes that do not + support SELinux or to volumes does not + support SELinux. + + Valid values are "MountOption" and + "Recursive". + + + "Recursive" means relabeling of all + files on all Pod volumes by the + container runtime. + + This may be slow for large volumes, but + allows mixing privileged and + unprivileged Pods sharing the same + volume on the same node. + + + "MountOption" mounts all eligible Pod + volumes with `-o context` mount option. + + This requires all Pods that share the + same volume to use the same SELinux + label. + + It is not possible to share the same + volume among privileged and unprivileged + Pods. + + Eligible volumes are in-tree + FibreChannel and iSCSI volumes, and all + CSI volumes + + whose CSI driver announces SELinux + support by setting spec.seLinuxMount: + true in their + + CSIDriver instance. Other volumes are + always re-labelled recursively. + + "MountOption" value is allowed only when + SELinuxMount feature gate is enabled. + + + If not specified and SELinuxMount + feature gate is enabled, "MountOption" + is used. + + If not specified and SELinuxMount + feature gate is disabled, "MountOption" + is used for ReadWriteOncePod volumes + + and "Recursive" for all other volumes. 
+ + + This field affects only Pods that have + SELinux label set, either in + PodSecurityContext or in SecurityContext + of all containers. + + + All Pods that use the same volume should + use the same seLinuxChangePolicy, + otherwise some pods can get stuck in + ContainerCreating state. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. 
+ + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + + addition to the container's primary GID + and fsGroup (if specified). If + + the SupplementalGroupsPolicy feature is + enabled, the + + supplementalGroupsPolicy field + determines whether these are in addition + + to or instead of any group memberships + defined in the container image. + + If unspecified, no additional groups are + added, though group memberships + + defined in the container image may still + be used, depending on the + + supplementalGroupsPolicy field. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: >- + Defines how supplemental groups of the + first container processes are + calculated. + + Valid values are "Merge" and "Strict". + If not specified, "Merge" is used. + + (Alpha) Using the field requires the + SupplementalGroupsPolicy feature gate to + be enabled + + and the container runtime must implement + support for this feature. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. 
+ items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options within a + container's SecurityContext will be + used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. + + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: >- + The pod this Toleration is attached to + tolerates any taint that matches + + the triple using the + matching operator . + properties: + effect: + description: >- + Effect indicates the taint effect to + match. Empty means match all taint + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: >- + Key is the taint key that the toleration + applies to. Empty means match all taint + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. + type: string + operator: + description: >- + Operator represents a key's relationship + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: >- + TolerationSeconds represents the period + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. + By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. + format: int64 + type: integer + value: + description: >- + Value is the taint value the toleration + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: >- + TopologySpreadConstraints describes how a + group of pods ought to spread across + topology + + domains. Scheduler will schedule pods in a + way which abides by the constraints. + + All topologySpreadConstraints are ANDed. 
+ items: + description: >- + TopologySpreadConstraint specifies how to + spread matching pods among the given + topology. + properties: + labelSelector: + description: >- + LabelSelector is used to find matching + pods. + + Pods that match this label selector are + counted to determine the number of pods + + in their corresponding topology domain. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select the pods over which + + spreading will be calculated. 
The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are ANDed with labelSelector + + to select the group of existing pods + over which spreading will be calculated + + for the incoming pod. The same key is + forbidden to exist in both + MatchLabelKeys and LabelSelector. + + MatchLabelKeys cannot be set when + LabelSelector isn't set. + + Keys that don't exist in the incoming + pod labels will + + be ignored. A null or empty list means + only match against labelSelector. + + + This is a beta field and requires the + MatchLabelKeysInPodTopologySpread + feature gate to be enabled (enabled by + default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: >- + MaxSkew describes the degree to which + pods may be unevenly distributed. + + When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference + + between the number of matching pods in + the target topology and the global + minimum. + + The global minimum is the minimum number + of matching pods in an eligible domain + + or zero if the number of eligible + domains is less than MinDomains. + + For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the + same + + labelSelector spread as 2/2/1: + + In this case, the global minimum is 1. + + | zone1 | zone2 | zone3 | + + | P P | P P | P | + + - if MaxSkew is 1, incoming pod can only + be scheduled to zone3 to become 2/2/2; + + scheduling it onto zone1(zone2) would + make the ActualSkew(3-1) on zone1(zone2) + + violate MaxSkew(1). + + - if MaxSkew is 2, incoming pod can be + scheduled onto any zone. + + When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence + + to topologies that satisfy it. + + It's a required field. Default value is + 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: >- + MinDomains indicates a minimum number of + eligible domains. 
+ + When the number of eligible domains with + matching topology keys is less than + minDomains, + + Pod Topology Spread treats "global + minimum" as 0, and then the calculation + of Skew is performed. + + And when the number of eligible domains + with matching topology keys equals or + greater than minDomains, + + this value has no effect on scheduling. + + As a result, when the number of eligible + domains is less than minDomains, + + scheduler won't schedule more than + maxSkew Pods to those domains. + + If value is nil, the constraint behaves + as if MinDomains is equal to 1. + + Valid values are integers greater than + 0. + + When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. + + + For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set + to 5 and pods with the same + + labelSelector spread as 2/2/2: + + | zone1 | zone2 | zone3 | + + | P P | P P | P P | + + The number of domains is less than + 5(MinDomains), so "global minimum" is + treated as 0. + + In this situation, new pod with the same + labelSelector cannot be scheduled, + + because computed skew will be 3(3 - 0) + if new Pod is scheduled to any of the + three zones, + + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: >- + NodeAffinityPolicy indicates how we will + treat Pod's nodeAffinity/nodeSelector + + when calculating pod topology spread + skew. Options are: + + - Honor: only nodes matching + nodeAffinity/nodeSelector are included + in the calculations. + + - Ignore: nodeAffinity/nodeSelector are + ignored. All nodes are included in the + calculations. + + + If this value is nil, the behavior is + equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: >- + NodeTaintsPolicy indicates how we will + treat node taints when calculating + + pod topology spread skew. 
Options are: + + - Honor: nodes without taints, along + with tainted nodes for which the + incoming pod + + has a toleration, are included. + + - Ignore: node taints are ignored. All + nodes are included. + + + If this value is nil, the behavior is + equivalent to the Ignore policy. + type: string + topologyKey: + description: >- + TopologyKey is the key of node labels. + Nodes that have a label with this key + + and identical values are considered to + be in the same topology. + + We consider each as a + "bucket", and try to put balanced number + + of pods into each bucket. + + We define a domain as a particular + instance of a topology. + + Also, we define an eligible domain as a + domain whose nodes meet the requirements + of + + nodeAffinityPolicy and nodeTaintsPolicy. + + e.g. If TopologyKey is + "kubernetes.io/hostname", each Node is a + domain of that topology. + + And, if TopologyKey is + "topology.kubernetes.io/zone", each zone + is a domain of that topology. + + It's a required field. + type: string + whenUnsatisfiable: + description: >- + WhenUnsatisfiable indicates how to deal + with a pod if it doesn't satisfy + + the spread constraint. + + - DoNotSchedule (default) tells the + scheduler not to schedule it. + + - ScheduleAnyway tells the scheduler to + schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered + "Unsatisfiable" for an incoming pod + + if and only if every possible node + assignment for that pod would violate + + "MaxSkew" on some topology. + + For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the + same + + labelSelector spread as 3/1/1: + + | zone1 | zone2 | zone3 | + + | P P P | P | P | + + If WhenUnsatisfiable is set to + DoNotSchedule, incoming pod can only be + scheduled + + to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) + satisfies + + MaxSkew(1). 
In other words, the cluster + can still be imbalanced, but scheduler + + won't make it *more* imbalanced. + + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumes: + description: >- + Volumes that can be mounted by containers + belonging to the pod. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes + items: + description: >- + Volume represents a named volume in a pod + that may be accessed by any container in + the pod. + properties: + awsElasticBlockStore: + description: >- + awsElasticBlockStore represents an AWS + Disk resource that is attached to a + + kubelet's host machine and then exposed + to the pod. + + Deprecated: AWSElasticBlockStore is + deprecated. All operations for the + in-tree + + awsElasticBlockStore type are redirected + to the ebs.csi.aws.com CSI driver. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: >- + partition is the partition in the volume + that you want to mount. + + If omitted, the default is to mount by + volume name. + + Examples: For volume /dev/sda1, you + specify the partition as "1". + + Similarly, the volume partition for + /dev/sda is "0" (or you can leave the + property empty). + format: int32 + type: integer + readOnly: + description: >- + readOnly value true will force the + readOnly setting in VolumeMounts. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: >- + volumeID is unique ID of the persistent + disk resource in AWS (Amazon EBS + volume). + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: >- + azureDisk represents an Azure Data Disk + mount on the host and bind mount to the + pod. + + Deprecated: AzureDisk is deprecated. All + operations for the in-tree azureDisk + type + + are redirected to the disk.csi.azure.com + CSI driver. + properties: + cachingMode: + description: >- + cachingMode is the Host Caching mode: + None, Read Only, Read Write. + type: string + diskName: + description: >- + diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: >- + diskURI is the URI of data disk in the + blob storage + type: string + fsType: + default: ext4 + description: >- + fsType is Filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + kind: + description: >- + kind expected values are Shared: + multiple blob disks per storage account + Dedicated: single blob disk per storage + account Managed: azure managed data + disk (only in managed availability set). + defaults to shared + type: string + readOnly: + default: false + description: >- + readOnly Defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: >- + azureFile represents an Azure File + Service mount on the host and bind mount + to the pod. + + Deprecated: AzureFile is deprecated. All + operations for the in-tree azureFile + type + + are redirected to the file.csi.azure.com + CSI driver. 
+ properties: + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: >- + secretName is the name of secret that + contains Azure Storage Account Name and + Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: >- + cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime. + + Deprecated: CephFS is deprecated and the + in-tree cephfs type is no longer + supported. + properties: + monitors: + description: >- + monitors is Required: Monitors is a + collection of Ceph monitors + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: >- + path is Optional: Used as the mounted + root, rather than the full Ceph tree, + default is / + type: string + readOnly: + description: >- + readOnly is Optional: Defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: >- + secretFile is Optional: SecretFile is + the path to key ring for User, default + is /etc/ceph/user.secret + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: >- + secretRef is Optional: SecretRef is + reference to the authentication secret + for User, default is empty. + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. 
Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: >- + user is optional: User is the rados user + name, default is admin + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: >- + cinder represents a cinder volume + attached and mounted on kubelets host + machine. + + Deprecated: Cinder is deprecated. All + operations for the in-tree cinder type + + are redirected to the + cinder.csi.openstack.org CSI driver. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: >- + secretRef is optional: points to a + secret object containing parameters used + to connect + + to OpenStack. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: >- + volumeID used to identify the volume in + cinder. 
+ + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: >- + configMap represents a configMap that + should populate this volume + properties: + defaultMode: + description: >- + defaultMode is optional: mode bits used + to set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + ConfigMap will be projected into the + volume as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the ConfigMap, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. 
+ + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: >- + csi (Container Storage Interface) + represents ephemeral storage that is + handled by certain external CSI drivers. + properties: + driver: + description: >- + driver is the name of the CSI driver + that handles this volume. + + Consult with your admin for the correct + name as registered in the cluster. + type: string + fsType: + description: >- + fsType to mount. Ex. "ext4", "xfs", + "ntfs". + + If not provided, the empty value is + passed to the associated CSI driver + + which will determine the default + filesystem to apply. + type: string + nodePublishSecretRef: + description: >- + nodePublishSecretRef is a reference to + the secret object containing + + sensitive information to pass to the CSI + driver to complete the CSI + + NodePublishVolume and + NodeUnpublishVolume calls. + + This field is optional, and may be + empty if no secret is required. If the + + secret object contains more than one + secret, all secret references are + passed. 
+ properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: >- + readOnly specifies a read-only + configuration for the volume. + + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: >- + volumeAttributes stores driver-specific + properties that are passed to the CSI + + driver. Consult your driver's + documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: >- + downwardAPI represents downward API + about the pod that should populate this + volume + properties: + defaultMode: + description: >- + Optional: mode bits to use on created + files by default. Must be a + + Optional: mode bits used to set + permissions on created files by default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + Items is a list of downward API volume + file + items: + description: >- + DownwardAPIVolumeFile represents + information to create the file + containing the pod field + properties: + fieldRef: + description: >- + Required: Selects a field of the pod: + only annotations, labels, name, + namespace and uid are supported. 
+ properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: >- + Optional: mode bits used to set + permissions on this file, must be an + octal value + + between 0000 and 0777 or a decimal value + between 0 and 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + Required: Path is the relative path + name of the file to be created. Must not + be absolute or contain the '..' path. + Must be utf-8 encoded. The first item of + the relative path must not start with + '..' + type: string + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently + supported. 
+ properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: >- + emptyDir represents a temporary + directory that shares a pod's lifetime. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: >- + medium represents what type of storage + medium should back this directory. + + The default is "" which means to use the + node's default medium. + + Must be an empty string (default) or + Memory. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: >- + sizeLimit is the total amount of local + storage required for this EmptyDir + volume. + + The size limit is also applicable for + memory medium. + + The maximum usage on memory medium + EmptyDir would be the minimum value + between + + the SizeLimit specified here and the sum + of memory limits of all containers in a + pod. + + The default is nil which means that the + limit is undefined. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: >- + ephemeral represents a volume that is + handled by a cluster storage driver. + + The volume's lifecycle is tied to the + pod that defines it - it will be created + before the pod starts, + + and deleted when the pod is removed. + + + Use this if: + + a) the volume is only needed while the + pod runs, + + b) features of normal volumes like + restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified + through a storage class, and + + d) the storage driver supports dynamic + volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the + vendor-specific + + APIs for volumes that persist for longer + than the lifecycle + + of an individual pod. + + + Use CSI for light-weight local ephemeral + volumes if the CSI driver is meant to + + be used that way - see the documentation + of the driver for + + more information. + + + A pod can use both types of ephemeral + volumes and + + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: >- + Will be used to create a stand-alone PVC + to provision the volume. + + The pod in which this + EphemeralVolumeSource is embedded will + be the + + owner of the PVC, i.e. the PVC will be + deleted together with the + + pod. The name of the PVC will be `-` where + + `` is the name from the + `PodSpec.Volumes` array + + entry. Pod validation will reject the + pod if the concatenated name + + is not valid for a PVC (for example, too + long). 
+ + + An existing PVC with that name that is + not owned by the pod + + will *not* be used for the pod to avoid + using an unrelated + + volume by mistake. Starting the pod is + then blocked until + + the unrelated PVC is removed. If such a + pre-created PVC is + + meant to be used by the pod, the PVC has + to updated with an + + owner reference to the pod once the pod + exists. Normally + + this should not be necessary, but it may + be useful when + + manually reconstructing a broken + cluster. + + + This field is read-only and no changes + will be made by Kubernetes + + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: >- + May contain labels and annotations that + will be copied into the PVC + + when creating it. No other fields are + allowed and will be rejected during + + validation. + type: object + spec: + description: >- + The specification for the + PersistentVolumeClaim. The entire + content is + + copied unchanged into the PVC that gets + created from this + + template. The same fields as in a + PersistentVolumeClaim + + are also valid here. + properties: + accessModes: + description: >- + accessModes contains the desired access + modes the volume should have. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: >- + dataSource field can be used to specify + either: + + * An existing VolumeSnapshot object + (snapshot.storage.k8s.io/VolumeSnapshot) + + * An existing PVC + (PersistentVolumeClaim) + + If the provisioner or an external + controller can support the specified + data source, + + it will create a new volume based on the + contents of the specified data source. 
+ + When the AnyVolumeDataSource feature + gate is enabled, dataSource contents + will be copied to dataSourceRef, + + and dataSourceRef contents will be + copied to dataSource when + dataSourceRef.namespace is not + specified. + + If the namespace is specified, then + dataSourceRef will not be copied to + dataSource. + properties: + apiGroup: + description: >- + APIGroup is the group for the resource + being referenced. + + If APIGroup is not specified, the + specified Kind must be in the core API + group. + + For any other third-party types, + APIGroup is required. + type: string + kind: + description: >- + Kind is the type of resource being + referenced + type: string + name: + description: >- + Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: >- + dataSourceRef specifies the object from + which to populate the volume with data, + if a non-empty + + volume is desired. This may be any + object from a non-empty API group (non + + core object) or a PersistentVolumeClaim + object. + + When this field is specified, volume + binding will only succeed if the type of + + the specified object matches some + installed volume populator or dynamic + + provisioner. + + This field will replace the + functionality of the dataSource field + and as such + + if both fields are non-empty, they must + have the same value. For backwards + + compatibility, when namespace isn't + specified in dataSourceRef, + + both fields (dataSource and + dataSourceRef) will be set to the same + + value automatically if one of them is + empty and the other is non-empty. + + When namespace is specified in + dataSourceRef, + + dataSource isn't set to the same value + and must be empty. 
+ + There are three important differences + between dataSource and dataSourceRef: + + * While dataSource only allows two + specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed + values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local + objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the + AnyVolumeDataSource feature gate to be + enabled. + + (Alpha) Using the namespace field of + dataSourceRef requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled. + properties: + apiGroup: + description: >- + APIGroup is the group for the resource + being referenced. + + If APIGroup is not specified, the + specified Kind must be in the core API + group. + + For any other third-party types, + APIGroup is required. + type: string + kind: + description: >- + Kind is the type of resource being + referenced + type: string + name: + description: >- + Name is the name of resource being + referenced + type: string + namespace: + description: >- + Namespace is the namespace of resource + being referenced + + Note that when a namespace is specified, + a + gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. See the + ReferenceGrant documentation for + details. + + (Alpha) This field requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: >- + resources represents the minimum + resources the volume should have. + + Users are allowed to specify resource + requirements + + that are lower than previous value but + must still be higher than capacity + recorded in the + + status field of the claim. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: >- + selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: >- + storageClassName is the name of the + StorageClass required by the claim. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: >- + volumeAttributesClassName may be used to + set the VolumeAttributesClass used by + this claim. + + If specified, the CSI driver will create + or update the volume with the attributes + defined + + in the corresponding + VolumeAttributesClass. This has a + different purpose than storageClassName, + + it can be changed after the claim is + created. An empty string or nil value + indicates that no + + VolumeAttributesClass will be applied to + the claim. If the claim enters an + Infeasible error state, + + this field can be reset to its previous + value (including nil) to cancel the + modification. + + If the resource referred to by + volumeAttributesClass does not exist, + this PersistentVolumeClaim will be + + set to a Pending state, as reflected by + the modifyVolumeStatus field, until such + as a resource + + exists. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + type: string + volumeMode: + description: >- + volumeMode defines what type of volume + is required by the claim. + + Value of Filesystem is implied when not + included in claim spec. + type: string + volumeName: + description: >- + volumeName is the binding reference to + the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: >- + fc represents a Fibre Channel resource + that is attached to a kubelet's host + machine and then exposed to the pod. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: >- + readOnly is Optional: Defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: >- + targetWWNs is Optional: FC target + worldwide names (WWNs) + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: >- + wwids Optional: FC volume world wide + identifiers (wwids) + + Either wwids or combination of + targetWWNs and lun must be set, but not + both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: >- + flexVolume represents a generic volume + resource that is + + provisioned/attached using an exec based + plugin. + + Deprecated: FlexVolume is deprecated. + Consider using a CSIDriver instead. + properties: + driver: + description: >- + driver is the name of the driver to use + for this volume. + type: string + fsType: + description: >- + fsType is the filesystem type to mount. 
+ + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". The default + filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: >- + options is Optional: this field holds + extra command options if any. + type: object + readOnly: + description: >- + readOnly is Optional: defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef is Optional: secretRef is + reference to the secret object + containing + + sensitive information to pass to the + plugin scripts. This may be + + empty if no secret object is specified. + If the secret object + + contains more than one secret, all + secrets are passed to the plugin + + scripts. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: >- + flocker represents a Flocker volume + attached to a kubelet's host machine. + This depends on the Flocker control + service being running. + + Deprecated: Flocker is deprecated and + the in-tree flocker type is no longer + supported. + properties: + datasetName: + description: >- + datasetName is Name of the dataset + stored as metadata -> name on the + dataset for Flocker + + should be considered as deprecated + type: string + datasetUUID: + description: >- + datasetUUID is the UUID of the dataset. 
+ This is unique identifier of a Flocker + dataset + type: string + type: object + gcePersistentDisk: + description: >- + gcePersistentDisk represents a GCE Disk + resource that is attached to a + + kubelet's host machine and then exposed + to the pod. + + Deprecated: GCEPersistentDisk is + deprecated. All operations for the + in-tree + + gcePersistentDisk type are redirected to + the pd.csi.storage.gke.io CSI driver. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: >- + fsType is filesystem type of the volume + that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: >- + partition is the partition in the volume + that you want to mount. + + If omitted, the default is to mount by + volume name. + + Examples: For volume /dev/sda1, you + specify the partition as "1". + + Similarly, the volume partition for + /dev/sda is "0" (or you can leave the + property empty). + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: >- + pdName is unique name of the PD resource + in GCE. Used to identify the disk in + GCE. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: >- + gitRepo represents a git repository at a + particular revision. + + Deprecated: GitRepo is deprecated. 
To + provision a container with a git repo, + mount an + + EmptyDir into an InitContainer that + clones the repo using git, then mount + the EmptyDir + + into the Pod's container. + properties: + directory: + description: >- + directory is the target directory name. + + Must not contain or start with '..'. If + '.' is supplied, the volume directory + will be the + + git repository. Otherwise, if + specified, the volume will contain the + git repository in + + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: >- + revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: >- + glusterfs represents a Glusterfs mount + on the host that shares a pod's + lifetime. + + Deprecated: Glusterfs is deprecated and + the in-tree glusterfs type is no longer + supported. + properties: + endpoints: + description: >- + endpoints is the endpoint name that + details Glusterfs topology. + type: string + path: + description: >- + path is the Glusterfs volume path. + + More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: >- + readOnly here will force the Glusterfs + volume to be mounted with read-only + permissions. + + Defaults to false. + + More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: >- + hostPath represents a pre-existing file + or directory on the host + + machine that is directly exposed to the + container. This is generally + + used for system agents or other + privileged things that are allowed + + to see the host machine. Most containers + will NOT need this. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: >- + path of the directory on the host. 
+ + If the path is a symlink, it will follow + the link to the real path. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: >- + type for HostPath Volume + + Defaults to "" + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: >- + image represents an OCI object (a + container image or artifact) pulled and + mounted on the kubelet's host machine. + + The volume is resolved at pod startup + depending on which PullPolicy value is + provided: + + + - Always: the kubelet always attempts to + pull the reference. Container creation + will fail If the pull fails. + + - Never: the kubelet never pulls the + reference and only uses a local image or + artifact. Container creation will fail + if the reference isn't present. + + - IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull + fails. + + + The volume gets re-resolved if the pod + gets deleted and recreated, which means + that new remote content will become + available on pod recreation. + + A failure to resolve or pull the image + during pod startup will block containers + from starting and may add significant + latency. Failures will be retried using + normal volume backoff and will be + reported on the pod reason and message. + + The types of objects that may be mounted + by this volume are defined by the + container runtime implementation on a + host machine and at minimum must include + all valid types supported by the + container image field. + + The OCI object gets mounted in a single + directory + (spec.containers[*].volumeMounts.mountPath) + by merging the manifest layers in the + same way as for container images. + + The volume will be mounted read-only + (ro) and non-executable files (noexec). 
+ + Sub path mounts for containers are not + supported + (spec.containers[*].volumeMounts.subpath) + before 1.33. + + The field + spec.securityContext.fsGroupChangePolicy + has no effect on this volume type. + properties: + pullPolicy: + description: >- + Policy for pulling OCI objects. Possible + values are: + + Always: the kubelet always attempts to + pull the reference. Container creation + will fail If the pull fails. + + Never: the kubelet never pulls the + reference and only uses a local image or + artifact. Container creation will fail + if the reference isn't present. + + IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull + fails. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. + type: string + reference: + description: >- + Required: Image or artifact reference to + be used. + + Behaves in the same way as + pod.spec.containers[*].image. + + Pull secrets will be assembled in the + same way as for the container image by + looking up node credentials, SA image + pull secrets, and pod spec image pull + secrets. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher + level config management to default or + override + + container images in workload controllers + like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: >- + iscsi represents an ISCSI Disk resource + that is attached to a + + kubelet's host machine and then exposed + to the pod. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes/#iscsi + properties: + chapAuthDiscovery: + description: >- + chapAuthDiscovery defines whether + support iSCSI Discovery CHAP + authentication + type: boolean + chapAuthSession: + description: >- + chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: >- + initiatorName is the custom iSCSI + Initiator Name. + + If initiatorName is specified with + iscsiInterface simultaneously, new iSCSI + interface + + : will be + created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: >- + iscsiInterface is the interface Name + that uses an iSCSI transport. + + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: >- + portals is the iSCSI Target Portal List. + The portal is either an IP or + ip_addr:port if the port + + is other than default (typically TCP + ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + type: boolean + secretRef: + description: >- + secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: '' + description: >- + Name of the referent. 
+ + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: >- + targetPortal is iSCSI Target Portal. The + Portal is either an IP or ip_addr:port + if the port + + is other than default (typically TCP + ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: >- + name of the volume. + + Must be a DNS_LABEL and unique within + the pod. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: >- + nfs represents an NFS mount on the host + that shares a pod's lifetime + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: >- + path that is exported by the NFS server. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: >- + readOnly here will force the NFS export + to be mounted with read-only + permissions. + + Defaults to false. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: >- + server is the hostname or IP address of + the NFS server. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: >- + persistentVolumeClaimVolumeSource + represents a reference to a + + PersistentVolumeClaim in the same + namespace. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: >- + claimName is the name of a + PersistentVolumeClaim in the same + namespace as the pod using this volume. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: >- + readOnly Will force the ReadOnly setting + in VolumeMounts. + + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: >- + photonPersistentDisk represents a + PhotonController persistent disk + attached and mounted on kubelets host + machine. + + Deprecated: PhotonPersistentDisk is + deprecated and the in-tree + photonPersistentDisk type is no longer + supported. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + pdID: + description: >- + pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: >- + portworxVolume represents a portworx + volume attached and mounted on kubelets + host machine. + + Deprecated: PortworxVolume is + deprecated. All operations for the + in-tree portworxVolume type + + are redirected to the pxd.portworx.com + CSI driver when the CSIMigrationPortworx + feature-gate + + is on. + properties: + fsType: + description: >- + fSType represents the filesystem type to + mount + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs". Implicitly inferred + to be "ext4" if unspecified. + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. 
+ type: boolean + volumeID: + description: >- + volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: >- + projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: >- + defaultMode are the mode bits used to + set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + sources: + description: >- + sources is the list of volume + projections. Each entry in this list + + handles one source. + items: + description: >- + Projection that may be projected along + with other supported volume types. + + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: >- + ClusterTrustBundle allows a pod to + access the `.spec.trustBundle` field + + of ClusterTrustBundle objects in an + auto-updating file. + + + Alpha, gated by the + ClusterTrustBundleProjection feature + gate. + + + ClusterTrustBundle objects can either be + selected by name, or by the + + combination of signer name and a label + selector. + + + Kubelet performs aggressive + normalization of the PEM contents + written + + into the pod filesystem. Esoteric PEM + features such as inter-block + + comments and block headers are + stripped. Certificates are + deduplicated. + + The ordering of certificates within the + file is arbitrary, and Kubelet + + may change the order over time. + properties: + labelSelector: + description: >- + Select all ClusterTrustBundles that + match this label selector. 
Only has + + effect if signerName is set. + Mutually-exclusive with name. If unset, + + interpreted as "match nothing". If set + but empty, interpreted as "match + + everything". + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: >- + Select a single ClusterTrustBundle by + object name. Mutually-exclusive + + with signerName and labelSelector. + type: string + optional: + description: >- + If true, don't block pod startup if the + referenced ClusterTrustBundle(s) + + aren't available. If using name, then + the named ClusterTrustBundle is + + allowed not to exist. 
If using + signerName, then the combination of + + signerName and labelSelector is allowed + to match zero + + ClusterTrustBundles. + type: boolean + path: + description: >- + Relative path from the volume root to + write the bundle. + type: string + signerName: + description: >- + Select all ClusterTrustBundles that + match this signer name. + + Mutually-exclusive with name. The + contents of all selected + + ClusterTrustBundles will be unified and + deduplicated. + type: string + required: + - path + type: object + configMap: + description: >- + configMap information about the + configMap data to project + properties: + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + ConfigMap will be projected into the + volume as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the ConfigMap, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. 
+ + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: >- + downwardAPI information about the + downwardAPI data to project + properties: + items: + description: >- + Items is a list of DownwardAPIVolume + file + items: + description: >- + DownwardAPIVolumeFile represents + information to create the file + containing the pod field + properties: + fieldRef: + description: >- + Required: Selects a field of the pod: + only annotations, labels, name, + namespace and uid are supported. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: >- + Optional: mode bits used to set + permissions on this file, must be an + octal value + + between 0000 and 0777 or a decimal value + between 0 and 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + path: + description: >- + Required: Path is the relative path + name of the file to be created. Must not + be absolute or contain the '..' path. + Must be utf-8 encoded. The first item of + the relative path must not start with + '..' + type: string + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently + supported. + properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: >- + Projects an auto-rotating credential + bundle (private key and certificate + + chain) that the pod can use either as a + TLS client or server. + + + Kubelet generates a private key and uses + it to send a + + PodCertificateRequest to the named + signer. Once the signer approves the + + request and issues a certificate chain, + Kubelet writes the key and + + certificate chain to the pod + filesystem. The pod does not start + until + + certificates have been issued for each + podCertificate projected volume + + source in its spec. + + + Kubelet will begin trying to rotate the + certificate at the time indicated + + by the signer using the + PodCertificateRequest.Status.BeginRefreshAt + + timestamp. 
+ + + Kubelet can write a single file, + indicated by the credentialBundlePath + + field, or separate files, indicated by + the keyPath and + + certificateChainPath fields. + + + The credential bundle is a single file + in PEM format. The first PEM + + entry is the private key (in PKCS#8 + format), and the remaining PEM + + entries are the certificate chain issued + by the signer (typically, + + signers will return their certificate + chain in leaf-to-root order). + + + Prefer using the credential bundle + format, since your application code + + can read it atomically. If you use + keyPath and certificateChainPath, + + your application must make two separate + file reads. If these coincide + + with a certificate rotation, it is + possible that the private key and leaf + + certificate you read may not correspond + to each other. Your application + + will need to check for this condition, + and re-read until they are + + consistent. + + + The named signer controls chooses the + format of the certificate it + + issues; consult the signer + implementation's documentation to learn + how to + + use the certificates it issues. + properties: + certificateChainPath: + description: >- + Write the certificate chain at this path + in the projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + credentialBundlePath: + description: >- + Write the credential bundle at this path + in the projected volume. + + + The credential bundle is a single file + that contains multiple PEM blocks. + + The first PEM block is a PRIVATE KEY + block, containing a PKCS#8 private + + key. + + + The remaining blocks are CERTIFICATE + blocks, containing the issued + + certificate chain from the signer (leaf + and any intermediates). 
+ + + Using credentialBundlePath lets your + Pod's application code make a single + + atomic read that retrieves a consistent + key and certificate chain. If you + + project them to separate files, your + application code will need to + + additionally check that the leaf + certificate was issued to the key. + type: string + keyPath: + description: >- + Write the key at this path in the + projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + keyType: + description: >- + The type of keypair Kubelet will + generate for the pod. + + + Valid values are "RSA3072", "RSA4096", + "ECDSAP256", "ECDSAP384", + + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: >- + maxExpirationSeconds is the maximum + lifetime permitted for the + + certificate. + + + Kubelet copies this value verbatim into + the PodCertificateRequests it + + generates for this projection. + + + If omitted, kube-apiserver will set it + to 86400(24 hours). kube-apiserver + + will reject values shorter than 3600 (1 + hour). The maximum allowable + + value is 7862400 (91 days). + + + The signer implementation is then free + to issue a certificate with any + + lifetime *shorter* than + MaxExpirationSeconds, but no shorter + than 3600 + + seconds (1 hour). This constraint is + enforced by kube-apiserver. + + `kubernetes.io` signers will never issue + certificates with a lifetime + + longer than 24 hours. + format: int32 + type: integer + signerName: + description: >- + Kubelet's generated CSRs will be + addressed to this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: >- + userAnnotations allow pod authors to + pass additional information to + + the signer implementation. 
Kubernetes + does not restrict or validate this + + metadata in any way. + + + These values are copied verbatim into + the `spec.unverifiedUserAnnotations` + field of + + the PodCertificateRequest objects that + Kubelet creates. + + + Entries are subject to the same + validation as object metadata + annotations, + + with the addition that all keys must be + domain-prefixed. No restrictions + + are placed on values, except an overall + size limitation on the entire field. + + + Signers should document the keys and + values they support. Signers should + + deny requests that contain keys they do + not recognize. + type: object + required: + - keyType + - signerName + type: object + secret: + description: >- + secret information about the secret data + to project + properties: + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + Secret will be projected into the volume + as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the Secret, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional field specify whether the + Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: >- + serviceAccountToken is information about + the serviceAccountToken data to project + properties: + audience: + description: >- + audience is the intended audience of the + token. A recipient of a token + + must identify itself with an identifier + specified in the audience of the + + token, and otherwise should reject the + token. The audience defaults to the + + identifier of the apiserver. + type: string + expirationSeconds: + description: >- + expirationSeconds is the requested + duration of validity of the service + + account token. As the token approaches + expiration, the kubelet volume + + plugin will proactively rotate the + service account token. The kubelet will + + start trying to rotate the token if the + token is older than 80 percent of + + its time to live or if the token is + older than 24 hours.Defaults to 1 hour + + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: >- + path is the path relative to the mount + point of the file to project the + + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: >- + quobyte represents a Quobyte mount on + the host that shares a pod's lifetime. + + Deprecated: Quobyte is deprecated and + the in-tree quobyte type is no longer + supported. + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: >- + readOnly here will force the Quobyte + volume to be mounted with read-only + permissions. + + Defaults to false. + type: boolean + registry: + description: >- + registry represents a single or multiple + Quobyte Registry services + + specified as a string as host:port pair + (multiple entries are separated with + commas) + + which acts as the central registry for + volumes + type: string + tenant: + description: >- + tenant owning the given Quobyte volume + in the Backend + + Used with dynamically provisioned + Quobyte volumes, value is set by the + plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: >- + volume is a string that references an + already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: >- + rbd represents a Rados Block Device + mount on the host that shares a pod's + lifetime. + + Deprecated: RBD is deprecated and the + in-tree rbd type is no longer supported. + properties: + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: >- + image is the rados image name. 
+ + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: >- + keyring is the path to key ring for + RBDUser. + + Default is /etc/ceph/keyring. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: >- + monitors is a collection of Ceph + monitors. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: >- + pool is the rados pool name. + + Default is rbd. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: >- + secretRef is name of the authentication + secret for RBDUser. If provided + + overrides keyring. + + Default is nil. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: >- + user is the rados user name. + + Default is admin. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: >- + scaleIO represents a ScaleIO persistent + volume attached and mounted on + Kubernetes nodes. 
+ + Deprecated: ScaleIO is deprecated and + the in-tree scaleIO type is no longer + supported. + properties: + fsType: + default: xfs + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". + + Default is "xfs". + type: string + gateway: + description: >- + gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: >- + protectionDomain is the name of the + ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: >- + readOnly Defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef references to the secret for + ScaleIO user and other + + sensitive information. If this is not + provided, Login operation will fail. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: >- + sslEnabled Flag enable/disable SSL + communication with Gateway, default + false + type: boolean + storageMode: + default: ThinProvisioned + description: >- + storageMode indicates whether the + storage for a volume should be + ThickProvisioned or ThinProvisioned. + + Default is ThinProvisioned. + type: string + storagePool: + description: >- + storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: >- + system is the name of the storage system + as configured in ScaleIO. 
+ type: string + volumeName: + description: >- + volumeName is the name of a volume + already created in the ScaleIO system + + that is associated with this volume + source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: >- + secret represents a secret that should + populate this volume. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: >- + defaultMode is Optional: mode bits used + to set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values + + for mode bits. Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + items If unspecified, each key-value + pair in the Data field of the referenced + + Secret will be projected into the volume + as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the Secret, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
+ + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: >- + optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: >- + secretName is the name of the secret in + the pod's namespace to use. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: >- + storageOS represents a StorageOS volume + attached and mounted on Kubernetes + nodes. + + Deprecated: StorageOS is deprecated and + the in-tree storageos type is no longer + supported. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef specifies the secret to use + for obtaining the StorageOS API + + credentials. If not specified, default + values will be attempted. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: >- + volumeName is the human-readable name of + the StorageOS volume. Volume + + names are only unique within a + namespace. + type: string + volumeNamespace: + description: >- + volumeNamespace specifies the scope of + the volume within StorageOS. If no + + namespace is specified then the Pod's + namespace will be used. This allows the + + Kubernetes name scoping to be mirrored + within StorageOS for tighter + integration. + + Set VolumeName to any name to override + the default behaviour. + + Set to "default" if you are not using + namespaces within StorageOS. + + Namespaces that do not pre-exist within + StorageOS will be created. + type: string + type: object + vsphereVolume: + description: >- + vsphereVolume represents a vSphere + volume attached and mounted on kubelets + host machine. + + Deprecated: VsphereVolume is deprecated. + All operations for the in-tree + vsphereVolume type + + are redirected to the + csi.vsphere.vmware.com CSI driver. + properties: + fsType: + description: >- + fsType is filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: >- + storagePolicyID is the storage Policy + Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: >- + storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: >- + volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + replicas: + description: >- + Replicas is the number of desired pods. 
Defaults + to 1. + format: int32 + type: integer + strategy: + description: >- + The deployment strategy to use to replace + existing pods with new ones. + properties: + rollingUpdate: + description: >- + Rolling update config params. Present only + if DeploymentStrategyType = + + RollingUpdate. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: >- + The maximum number of pods that can be + scheduled above the desired number of + + pods. + + Value can be an absolute number (ex: 5) + or a percentage of desired pods (ex: + 10%). + + This can not be 0 if MaxUnavailable is + 0. + + Absolute number is calculated from + percentage by rounding up. + + Defaults to 25%. + + Example: when this is set to 30%, the + new ReplicaSet can be scaled up + immediately when + + the rolling update starts, such that the + total number of old and new pods do not + exceed + + 130% of desired pods. Once old pods have + been killed, + + new ReplicaSet can be scaled up further, + ensuring that total number of pods + running + + at any time during the update is at most + 130% of desired pods. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: >- + The maximum number of pods that can be + unavailable during the update. + + Value can be an absolute number (ex: 5) + or a percentage of desired pods (ex: + 10%). + + Absolute number is calculated from + percentage by rounding down. + + This can not be 0 if MaxSurge is 0. + + Defaults to 25%. + + Example: when this is set to 30%, the + old ReplicaSet can be scaled down to 70% + of desired pods + + immediately when the rolling update + starts. Once new pods are ready, old + ReplicaSet + + can be scaled down further, followed by + scaling up the new ReplicaSet, ensuring + + that the total number of pods available + at all times during the update is at + + least 70% of desired pods. 
+ x-kubernetes-int-or-string: true + type: object + type: + description: >- + Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. + type: string + type: object + type: object + envoyHpa: + description: >- + EnvoyHpa defines the Horizontal Pod Autoscaler + settings for Envoy Proxy Deployment. + properties: + behavior: + description: >- + behavior configures the scaling behavior of the + target + + in both Up and Down directions (scaleUp and + scaleDown fields respectively). + + If not set, the default HPAScalingRules for + scale up and scale down are used. + + See + k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. + properties: + scaleDown: + description: >- + scaleDown is scaling policy for scaling + Down. + + If not set, the default value is to allow to + scale down to minReplicas pods, with a + + 300 second stabilization window (i.e., the + highest recommendation for + + the last 300sec is used). + properties: + policies: + description: >- + policies is a list of potential scaling + polices which can be used during + scaling. + + If not set, use the default values: + + - For scale up: allow doubling the + number of pods, or an absolute change of + 4 pods in a 15s window. + + - For scale down: allow all pods to be + removed in a 15s window. + items: + description: >- + HPAScalingPolicy is a single policy + which must hold true for a specified + past interval. + properties: + periodSeconds: + description: >- + periodSeconds specifies the window of + time for which the policy should hold + true. + + PeriodSeconds must be greater than zero + and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: >- + type is used to specify the scaling + policy. + type: string + value: + description: >- + value contains the amount of change + which is permitted by the policy. 
+ + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: >- + selectPolicy is used to specify which + policy should be used. + + If not set, the default value Max is + used. + type: string + stabilizationWindowSeconds: + description: >- + stabilizationWindowSeconds is the number + of seconds for which past + recommendations should be + + considered while scaling up or scaling + down. + + StabilizationWindowSeconds must be + greater than or equal to zero and less + than or equal to 3600 (one hour). + + If not set, use the default values: + + - For scale up: 0 (i.e. no stabilization + is done). + + - For scale down: 300 (i.e. the + stabilization window is 300 seconds + long). + format: int32 + type: integer + tolerance: + anyOf: + - type: integer + - type: string + description: >- + tolerance is the tolerance on the ratio + between the current and desired + + metric value under which no updates are + made to the desired number of + + replicas (e.g. 0.01 for 1%). Must be + greater than or equal to zero. If not + + set, the default cluster-wide tolerance + is applied (by default 10%). + + + For example, if autoscaling is + configured with a memory consumption + target of 100Mi, + + and scale-down and scale-up tolerances + of 5% and 1% respectively, scaling will + be + + triggered when the actual consumption + falls below 95Mi or exceeds 101Mi. + + + This is an beta field and requires the + HPAConfigurableTolerance feature + + gate to be enabled. + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + scaleUp: + description: >- + scaleUp is scaling policy for scaling Up. 
+ + If not set, the default value is the higher + of: + * increase no more than 4 pods per 60 seconds + * double the number of pods per 60 seconds + No stabilization is used. + properties: + policies: + description: >- + policies is a list of potential scaling + polices which can be used during + scaling. + + If not set, use the default values: + + - For scale up: allow doubling the + number of pods, or an absolute change of + 4 pods in a 15s window. + + - For scale down: allow all pods to be + removed in a 15s window. + items: + description: >- + HPAScalingPolicy is a single policy + which must hold true for a specified + past interval. + properties: + periodSeconds: + description: >- + periodSeconds specifies the window of + time for which the policy should hold + true. + + PeriodSeconds must be greater than zero + and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: >- + type is used to specify the scaling + policy. + type: string + value: + description: >- + value contains the amount of change + which is permitted by the policy. + + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: >- + selectPolicy is used to specify which + policy should be used. + + If not set, the default value Max is + used. + type: string + stabilizationWindowSeconds: + description: >- + stabilizationWindowSeconds is the number + of seconds for which past + recommendations should be + + considered while scaling up or scaling + down. + + StabilizationWindowSeconds must be + greater than or equal to zero and less + than or equal to 3600 (one hour). + + If not set, use the default values: + + - For scale up: 0 (i.e. no stabilization + is done). + + - For scale down: 300 (i.e. the + stabilization window is 300 seconds + long). 
+ format: int32 + type: integer + tolerance: + anyOf: + - type: integer + - type: string + description: >- + tolerance is the tolerance on the ratio + between the current and desired + + metric value under which no updates are + made to the desired number of + + replicas (e.g. 0.01 for 1%). Must be + greater than or equal to zero. If not + + set, the default cluster-wide tolerance + is applied (by default 10%). + + + For example, if autoscaling is + configured with a memory consumption + target of 100Mi, + + and scale-down and scale-up tolerances + of 5% and 1% respectively, scaling will + be + + triggered when the actual consumption + falls below 95Mi or exceeds 101Mi. + + + This is an beta field and requires the + HPAConfigurableTolerance feature + + gate to be enabled. + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + maxReplicas: + description: >- + maxReplicas is the upper limit for the number of + replicas to which the autoscaler can scale up. + + It cannot be less that minReplicas. + format: int32 + type: integer + x-kubernetes-validations: + - message: maxReplicas must be greater than 0 + rule: self > 0 + metrics: + description: >- + metrics contains the specifications for which to + use to calculate the + + desired replica count (the maximum replica count + across all metrics will + + be used). + + If left empty, it defaults to being based on CPU + utilization with average on 80% usage. + items: + description: >- + MetricSpec specifies how to scale based on a + single metric + + (only `type` and one other matching field + should be set at once). + properties: + containerResource: + description: >- + containerResource refers to a resource + metric (such as those specified in + + requests and limits) known to Kubernetes + describing a single container in + + each pod of the current scale target (e.g. 
+ CPU or memory). Such metrics are + + built in to Kubernetes, and have special + scaling options on top of those + + available to normal per-pod metrics using + the "pods" source. + properties: + container: + description: >- + container is the name of the container + in the pods of the scaling target + type: string + name: + description: >- + name is the name of the resource in + question. + type: string + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + description: >- + external refers to a global metric that is + not associated + + with any Kubernetes object. 
It allows + autoscaling based on information + + coming from components running outside of + cluster + + (for example length of queue in cloud + messaging service, or + + QPS from loadbalancer running outside of + cluster). + properties: + metric: + description: >- + metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: >- + selector is the string-encoded form of a + standard kubernetes label selector for + the given metric + + When set, it is passed as an additional + parameter to the metrics server for more + specific metrics scoping. + + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + description: >- + object refers to a metric describing a + single kubernetes object + + (for example, hits-per-second on an + Ingress object). 
+ properties: + describedObject: + description: >- + describedObject specifies the + descriptions of a object,such as + kind,name apiVersion + properties: + apiVersion: + description: >- + apiVersion is the API version of the + referent + type: string + kind: + description: >- + kind is the kind of the referent; More + info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: >- + name is the name of the referent; More + info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - kind + - name + type: object + metric: + description: >- + metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: >- + selector is the string-encoded form of a + standard kubernetes label selector for + the given metric + + When set, it is passed as an additional + parameter to the metrics server for more + specific metrics scoping. + + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. 
This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). 
+ pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + description: >- + pods refers to a metric describing each + pod in the current scale target + + (for example, + transactions-processed-per-second). The + values will be + + averaged together before being compared to + the target value. + properties: + metric: + description: >- + metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: >- + selector is the string-encoded form of a + standard kubernetes label selector for + the given metric + + When set, it is passed as an additional + parameter to the metrics server for more + specific metrics scoping. + + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). 
+ pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + description: >- + resource refers to a resource metric (such + as those specified in + + requests and limits) known to Kubernetes + describing each pod in the + + current scale target (e.g. CPU or memory). + Such metrics are built in to + + Kubernetes, and have special scaling + options on top of those available + + to normal per-pod metrics using the "pods" + source. + properties: + name: + description: >- + name is the name of the resource in + question. + type: string + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). 
+ pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + description: >- + type is the type of metric source. It + should be one of "ContainerResource", + "External", + + "Object", "Pods" or "Resource", each + mapping to a matching field in the object. + type: string + required: + - type + type: object + type: array + minReplicas: + description: >- + minReplicas is the lower limit for the number of + replicas to which the autoscaler + + can scale down. It defaults to 1 replica. + format: int32 + type: integer + x-kubernetes-validations: + - message: minReplicas must be greater than 0 + rule: self > 0 + name: + description: >- + Name of the horizontalPodAutoScaler. + + When unset, this defaults to an autogenerated + name. + type: string + patch: + description: >- + Patch defines how to perform the patch operation + to the HorizontalPodAutoscaler + properties: + type: + description: >- + Type is the type of merge operation to + perform + + + By default, StrategicMerge is used as the + patch type. + type: string + value: + description: >- + Object contains the raw configuration for + merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object + required: + - maxReplicas + type: object + x-kubernetes-validations: + - message: maxReplicas cannot be less than minReplicas + rule: >- + !has(self.minReplicas) || self.maxReplicas >= + self.minReplicas + envoyPDB: + description: >- + EnvoyPDB allows to control the pod disruption budget + of an Envoy Proxy. 
+ properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + description: >- + MaxUnavailable specifies the maximum amount of + pods (can be expressed as integers or as a + percentage) that can be unavailable at all times + during voluntary disruptions, + + such as node drains or updates. This setting + ensures that your envoy proxy maintains a + certain level of availability + + and resilience during maintenance operations. + Cannot be combined with minAvailable. + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + description: >- + MinAvailable specifies the minimum amount of + pods (can be expressed as integers or as a + percentage) that must be available at all times + during voluntary disruptions, + + such as node drains or updates. This setting + ensures that your envoy proxy maintains a + certain level of availability + + and resilience during maintenance operations. + Cannot be combined with maxUnavailable. + x-kubernetes-int-or-string: true + name: + description: >- + Name of the podDisruptionBudget. + + When unset, this defaults to an autogenerated + name. + type: string + patch: + description: >- + Patch defines how to perform the patch operation + to the PodDisruptionBudget + properties: + type: + description: >- + Type is the type of merge operation to + perform + + + By default, StrategicMerge is used as the + patch type. + type: string + value: + description: >- + Object contains the raw configuration for + merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object + type: object + x-kubernetes-validations: + - message: >- + only one of minAvailable or maxUnavailable can + be specified + rule: >- + (has(self.minAvailable) && + !has(self.maxUnavailable)) || + (!has(self.minAvailable) && + has(self.maxUnavailable)) + envoyService: + description: >- + EnvoyService defines the desired state of the Envoy + service resource. 
+ + If unspecified, default settings for the managed + Envoy service resource + + are applied. + properties: + allocateLoadBalancerNodePorts: + description: >- + AllocateLoadBalancerNodePorts defines if + NodePorts will be automatically allocated for + + services with type LoadBalancer. Default is + "true". It may be set to "false" if the cluster + + load-balancer does not rely on NodePorts. If the + caller requests specific NodePorts (by + specifying a + + value), those requests will be respected, + regardless of this field. This field may only be + set for + + services with type LoadBalancer and will be + cleared if the type is changed to any other + type. + type: boolean + annotations: + additionalProperties: + type: string + description: >- + Annotations that should be appended to the + service. + + By default, no annotations are appended. + type: object + externalTrafficPolicy: + default: Local + description: >- + ExternalTrafficPolicy determines the + externalTrafficPolicy for the Envoy Service. + Valid options + + are Local and Cluster. Default is "Local". + "Local" means traffic will only go to pods on + the node + + receiving the traffic. "Cluster" means + connections are loadbalanced to all pods in the + cluster. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: |- + Labels that should be appended to the service. + By default, no labels are appended. + type: object + loadBalancerClass: + description: >- + LoadBalancerClass, when specified, allows for + choosing the LoadBalancer provider + + implementation if more than one are available or + is otherwise expected to be specified + type: string + loadBalancerIP: + description: >- + LoadBalancerIP defines the IP Address of the + underlying load balancer service. This field + + may be ignored if the load balancer provider + does not support this feature. 
+ + This field has been deprecated in Kubernetes, + but it is still used for setting the IP Address + in some cloud + + providers such as GCP. + type: string + x-kubernetes-validations: + - message: loadBalancerIP must be a valid IPv4 address + rule: >- + self.matches(r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") + loadBalancerSourceRanges: + description: >- + LoadBalancerSourceRanges defines a list of + allowed IP addresses which will be configured as + + firewall rules on the platform providers load + balancer. This is not guaranteed to be working + as + + it happens outside of kubernetes and has to be + supported and handled by the platform provider. + + This field may only be set for services with + type LoadBalancer and will be cleared if the + type + + is changed to any other type. + items: + type: string + type: array + name: + description: >- + Name of the service. + + When unset, this defaults to an autogenerated + name. + type: string + patch: + description: >- + Patch defines how to perform the patch operation + to the service + properties: + type: + description: >- + Type is the type of merge operation to + perform + + + By default, StrategicMerge is used as the + patch type. + type: string + value: + description: >- + Object contains the raw configuration for + merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object + type: + default: LoadBalancer + description: >- + Type determines how the Service is exposed. + Defaults to LoadBalancer. + + Valid options are ClusterIP, LoadBalancer and + NodePort. + + "LoadBalancer" means a service will be exposed + via an external load balancer (if the cloud + provider supports it). + + "ClusterIP" means a service will only be + accessible inside the cluster, via the cluster + IP. + + "NodePort" means a service will be exposed on a + static Port on all Nodes of the cluster. 
+ enum: + - ClusterIP + - LoadBalancer + - NodePort + type: string + type: object + x-kubernetes-validations: + - message: >- + allocateLoadBalancerNodePorts can only be set + for LoadBalancer type + rule: >- + !has(self.allocateLoadBalancerNodePorts) || + self.type == 'LoadBalancer' + - message: >- + loadBalancerSourceRanges can only be set for + LoadBalancer type + rule: >- + !has(self.loadBalancerSourceRanges) || self.type + == 'LoadBalancer' + - message: >- + loadBalancerIP can only be set for LoadBalancer + type + rule: >- + !has(self.loadBalancerIP) || self.type == + 'LoadBalancer' + envoyServiceAccount: + description: >- + EnvoyServiceAccount defines the desired state of the + Envoy service account resource. + properties: + name: + description: >- + Name of the Service Account. + + When unset, this defaults to an autogenerated + name. + type: string + type: object + useListenerPortAsContainerPort: + description: >- + UseListenerPortAsContainerPort disables the port + shifting feature in the Envoy Proxy. + + When set to false (default value), if the service + port is a privileged port (1-1023), add a constant + to the value converting it into an ephemeral port. + + This allows the container to bind to the port + without needing a CAP_NET_BIND_SERVICE capability. + type: boolean + type: object + x-kubernetes-validations: + - message: >- + only one of envoyDeployment or envoyDaemonSet can be + specified + rule: >- + ((has(self.envoyDeployment) && + !has(self.envoyDaemonSet)) || + (!has(self.envoyDeployment) && + has(self.envoyDaemonSet))) || + (!has(self.envoyDeployment) && + !has(self.envoyDaemonSet)) + - message: cannot use envoyHpa if envoyDaemonSet is used + rule: >- + ((has(self.envoyHpa) && !has(self.envoyDaemonSet)) + || (!has(self.envoyHpa) && + has(self.envoyDaemonSet))) || (!has(self.envoyHpa) + && !has(self.envoyDaemonSet)) + type: + description: >- + Type is the type of resource provider to use. 
A resource + provider provides + + infrastructure resources for running the data plane, + e.g. Envoy proxy, and + + optional auxiliary control planes. Supported types are + "Kubernetes"and "Host". + enum: + - Kubernetes + - Host + type: string + required: + - type + type: object + routingType: + description: >- + RoutingType can be set to "Service" to use the Service + Cluster IP for routing to the backend, + + or it can be set to "Endpoint" to use Endpoint routing. The + default is "Endpoint". + type: string + shutdown: + description: >- + Shutdown defines configuration for graceful envoy shutdown + process. + properties: + drainTimeout: + description: >- + DrainTimeout defines the graceful drain timeout. This + should be less than the pod's + terminationGracePeriodSeconds. + + If unspecified, defaults to 60 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + minDrainDuration: + description: >- + MinDrainDuration defines the minimum drain duration + allowing time for endpoint deprogramming to complete. + + If unspecified, defaults to 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + telemetry: + description: Telemetry defines telemetry parameters for managed proxies. + properties: + accessLog: + description: >- + AccessLogs defines accesslog parameters for managed + proxies. + + If unspecified, will send default format to stdout. + properties: + disable: + description: >- + Disable disables access logging for managed proxies + if set to true. + type: boolean + settings: + description: >- + Settings defines accesslog settings for managed + proxies. + + If unspecified, will send default format to stdout. + items: + properties: + format: + description: |- + Format defines the format of accesslog. + This will be ignored if sink type is ALS. + properties: + json: + additionalProperties: + type: string + description: >- + JSON is additional attributes that + describe the specific event occurrence. 
+ + Structured format for the envoy access + logs. Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + + can be used as values for fields within + the Struct. + + It's required when the format type is + "JSON". + type: object + text: + description: >- + Text defines the text accesslog format, + following Envoy accesslog formatting, + + It's required when the format type is + "Text". + + Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + may be used in the format. + + The [format string + documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + type: string + type: + description: >- + Type defines the type of accesslog format. + + When unset, both text and json can be + specified. + enum: + - Text + - JSON + type: string + type: object + x-kubernetes-validations: + - message: >- + If AccessLogFormat type is Text, text + field needs to be set. + rule: >- + has(self.type) && self.type == 'Text' ? + has(self.text) : true + - message: >- + If AccessLogFormat type is Text, json + field must not be set. + rule: >- + has(self.type) && self.type == 'Text' ? + !has(self.json) : true + - message: >- + If AccessLogFormat type is JSON, json + field needs to be set. + rule: >- + has(self.type) && self.type == 'JSON' ? + has(self.json) : true + - message: >- + If AccessLogFormat type is JSON, text + field must not be set. + rule: >- + has(self.type) && self.type == 'JSON' ? + !has(self.text) : true + - message: >- + If AccessLogFormat type is unset, at least + one of text or json must be set. + rule: >- + !has(self.type) ? (has(self.text) || + has(self.json)) : true + matches: + description: >- + Matches defines the match conditions for + accesslog in CEL expression. 
+ + An accesslog will be emitted only when one or + more match conditions are evaluated to true. + + Invalid + [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) + expressions will be ignored. + items: + type: string + maxItems: 10 + type: array + sinks: + description: Sinks defines the sinks of accesslog. + items: + description: >- + ProxyAccessLogSink defines the sink of + accesslog. + properties: + als: + description: >- + ALS defines the gRPC Access Log Service + (ALS) sink. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes + object that represents the + + backend server to which the + authorization request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes + object that represents the + + backend server to which the + authorization request will be sent. + items: + description: >- + BackendRef defines how an + ObjectReference that is specific to + BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend + is designated as a fallback. + + Multiple fallback backends can be + configured. + + It is highly recommended to configure + active or passive health checks to + ensure that failover can be detected + + when the active backends become + unhealthy and to automatically readjust + once the primary backends are healthy + again. 
+ + The overprovisioning factor is set to + 1.4, meaning the fallback backends will + only start receiving traffic when + + the health of the active backends falls + below 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. 
+ + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of + requests forwarded to the referenced + + backend. This is computed as weight/(sum + of all weights in this + + BackendRefs list). For non-zero values, + there may be some epsilon from + + the exact proportion defined here + depending on the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it + has a weight greater than 0, 100% + + of the traffic is forwarded to that + backend. If weight is set to 0, no + + traffic should be forwarded for this + entry. If unspecified, weight + + defaults to 1. + + + Support for this field varies based on + the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for + managing the connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the + upstream connections and requests. + + If not set, circuit breakers will be + enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that + Envoy will establish to the referenced + backend defined within a xRoute rule. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests + that Envoy will queue to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that + Envoy will make over a single connection + to the referenced backend defined within + a xRoute rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers + that will apply per-endpoint for an + upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: >- + Connection includes backend connection + settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. 
+ + BufferLimit applies to connection + streaming (maybe non-streaming) channel + between processes, it's in user space. + + If unspecified, an implementation + defined default is applied (32768 + bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment + overhead. + + + If unset, Envoy will fetch connections + as needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). 
+ format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration + for the maximum buffer size in bytes for + each socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at + which DNS records should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend + is specified as a fully qualified domain + name (FQDN). + + If set, this configuration overrides + other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS + refresh rate will be set to the resource + record’s TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform + active health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. 
+ properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. + + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout + the cluster + + as load increases. If not set, the + default value is 50%. To disable panic + mode, set value to `0`. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for + backend connections. 
+ properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the + initial window size for HTTP/2 + connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum + number of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy + will terminate the connection or just + the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy + deployments to set this value to + TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when + routing traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. 
+ properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. 
+ items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. 
+ properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. 
+ properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? !has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? 
+ !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, + allowing users to customize the number + of retries, retry fallback strategy, and + retry triggering conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. 
+ + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with + the upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. 
+ format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy + only works with RoundRobin or Random + load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + http: + description: >- + HTTP defines additional configuration + specific to HTTP access logs. + properties: + requestHeaders: + description: >- + RequestHeaders defines request headers + to include in log entries sent to the + access log service. + items: + type: string + type: array + responseHeaders: + description: >- + ResponseHeaders defines response headers + to include in log entries sent to the + access log service. + items: + type: string + type: array + responseTrailers: + description: >- + ResponseTrailers defines response + trailers to include in log entries sent + to the access log service. + items: + type: string + type: array + type: object + logName: + description: >- + LogName defines the friendly name of the + access log to be returned in + + StreamAccessLogsMessage.Identifier. This + allows the access log server + + to differentiate between different + access logs coming from the same Envoy. + minLength: 1 + type: string + type: + description: >- + Type defines the type of accesslog. + Supported types are "HTTP" and "TCP". + enum: + - HTTP + - TCP + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + The http field may only be set when type + is HTTP. + rule: self.type == 'HTTP' || !has(self.http) + - message: >- + BackendRefs must be used, backendRef is + not supported. 
+ rule: '!has(self.backendRef)' + - message: >- + must have at least one backend in + backendRefs + rule: >- + has(self.backendRefs) && + self.backendRefs.size() > 0 + - message: >- + BackendRefs only support Service and + Backend kind. + rule: >- + has(self.backendRefs) ? + self.backendRefs.all(f, f.kind == + 'Service' || f.kind == 'Backend') : true + - message: >- + BackendRefs only support Core and + gateway.envoyproxy.io group. + rule: >- + has(self.backendRefs) ? + (self.backendRefs.all(f, f.group == "" + || f.group == 'gateway.envoyproxy.io')) + : true + file: + description: File defines the file accesslog sink. + properties: + path: + description: >- + Path defines the file path used to + expose envoy access log(e.g. + /dev/stdout). + minLength: 1 + type: string + type: object + openTelemetry: + description: >- + OpenTelemetry defines the OpenTelemetry + accesslog sink. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes + object that represents the + + backend server to which the + authorization request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes + object that represents the + + backend server to which the + authorization request will be sent. + items: + description: >- + BackendRef defines how an + ObjectReference that is specific to + BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend + is designated as a fallback. + + Multiple fallback backends can be + configured. 
+ + It is highly recommended to configure + active or passive health checks to + ensure that failover can be detected + + when the active backends become + unhealthy and to automatically readjust + once the primary backends are healthy + again. + + The overprovisioning factor is set to + 1.4, meaning the fallback backends will + only start receiving traffic when + + the health of the active backends falls + below 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of + requests forwarded to the referenced + + backend. This is computed as weight/(sum + of all weights in this + + BackendRefs list). For non-zero values, + there may be some epsilon from + + the exact proportion defined here + depending on the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it + has a weight greater than 0, 100% + + of the traffic is forwarded to that + backend. If weight is set to 0, no + + traffic should be forwarded for this + entry. If unspecified, weight + + defaults to 1. + + + Support for this field varies based on + the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for + managing the connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the + upstream connections and requests. 
+ + If not set, circuit breakers will be + enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that + Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests + that Envoy will queue to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that + Envoy will make over a single connection + to the referenced backend defined within + a xRoute rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers + that will apply per-endpoint for an + upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: >- + Connection includes backend connection + settings. 
+ properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection + streaming (maybe non-streaming) channel + between processes, it's in user space. + + If unspecified, an implementation + defined default is applied (32768 + bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment + overhead. + + + If unset, Envoy will fetch connections + as needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. 
+ + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration + for the maximum buffer size in bytes for + each socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at + which DNS records should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend + is specified as a fully qualified domain + name (FQDN). + + If set, this configuration overrides + other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS + refresh rate will be set to the resource + record’s TTL. + + Defaults to true. 
+ type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform + active health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. 
+ + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. + + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? 
has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? 
self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout + the cluster + + as load increases. If not set, the + default value is 50%. To disable panic + mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for + backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the + initial window size for HTTP/2 + connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum + number of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy + will terminate the connection or just + the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy + deployments to set this value to + TerminateStream. 
+ + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when + routing traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. 
+ type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. 
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". 
+ enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? 
!has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, + allowing users to customize the number + of retries, retry fallback strategy, and + retry triggering conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. 
This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with + the upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy + only works with RoundRobin or Random + load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + headers: + description: >- + Headers is a list of additional headers + to send with OTLP export requests. + + These headers are added as gRPC initial + metadata for the OTLP gRPC service. + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 32 + minItems: 1 + type: array + host: + description: >- + Host define the extension service + hostname. + + Deprecated: Use BackendRefs instead. + type: string + port: + default: 4317 + description: >- + Port defines the port the extension + service is exposed on. + + Deprecated: Use BackendRefs instead. 
+ format: int32 + minimum: 0 + type: integer + resourceAttributes: + additionalProperties: + type: string + description: >- + ResourceAttributes is a set of labels + that describe the source of a log entry, + including envoy node info. + + It's recommended to follow [semantic + conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). + type: object + resources: + additionalProperties: + type: string + description: >- + Resources is a set of labels that + describe the source of a log entry, + including envoy node info. + + It's recommended to follow [semantic + conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). + + + Deprecated: Use ResourceAttributes + instead. + type: object + type: object + x-kubernetes-validations: + - message: host or backendRefs needs to be set + rule: >- + has(self.host) || + self.backendRefs.size() > 0 + - message: >- + BackendRefs must be used, backendRef is + not supported. + rule: '!has(self.backendRef)' + - message: >- + BackendRefs only support Service and + Backend kind. + rule: >- + has(self.backendRefs) ? + self.backendRefs.all(f, f.kind == + 'Service' || f.kind == 'Backend') : true + - message: >- + BackendRefs only support Core and + gateway.envoyproxy.io group. + rule: >- + has(self.backendRefs) ? + (self.backendRefs.all(f, f.group == "" + || f.group == 'gateway.envoyproxy.io')) + : true + - message: >- + either resources or resourceAttributes + can be set, not both + rule: >- + !has(self.resources) || + !has(self.resourceAttributes) + type: + description: Type defines the type of accesslog sink. + enum: + - ALS + - File + - OpenTelemetry + type: string + type: object + x-kubernetes-validations: + - message: >- + If AccessLogSink type is ALS, als field + needs to be set. + rule: >- + self.type == 'ALS' ? has(self.als) : + !has(self.als) + - message: >- + If AccessLogSink type is File, file + field needs to be set. 
+ rule: >- + self.type == 'File' ? has(self.file) : + !has(self.file) + - message: >- + If AccessLogSink type is OpenTelemetry, + openTelemetry field needs to be set. + rule: >- + self.type == 'OpenTelemetry' ? + has(self.openTelemetry) : + !has(self.openTelemetry) + maxItems: 50 + minItems: 1 + type: array + type: + description: >- + Type defines the component emitting the + accesslog, such as Listener and Route. + + If type not defined, the setting would apply + to: + + (1) All Routes. + + (2) Listeners if and only if Envoy does not + find a matching route for a request. + + If type is defined, the accesslog settings + would apply to the relevant component (as-is). + enum: + - Listener + - Route + type: string + required: + - sinks + type: object + maxItems: 50 + minItems: 1 + type: array + type: object + metrics: + description: >- + Metrics defines metrics configuration for managed + proxies. + properties: + clusterStatName: + description: >- + ClusterStatName defines the value of cluster + alt_stat_name, determining how cluster stats are + named. + + For more details, see envoy docs: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html + + The supported operators for this pattern are: + + `%ROUTE_NAME%`: name of Gateway API xRoute resource + + `%ROUTE_NAMESPACE%`: namespace of Gateway API xRoute + resource + + `%ROUTE_KIND%`: kind of Gateway API xRoute resource + + `%ROUTE_RULE_NAME%`: name of the Gateway API xRoute + section + + `%ROUTE_RULE_NUMBER%`: name of the Gateway API + xRoute section + + `%BACKEND_REFS%`: names of all backends referenced + in `/|/|...` + format + + Only xDS Clusters created for HTTPRoute and + GRPCRoute are currently supported. + + Default: + `%ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME%/rule/%ROUTE_RULE_NUMBER%` + + Example: `httproute/my-ns/my-route/rule/0` + type: string + enablePerEndpointStats: + description: >- + EnablePerEndpointStats enables per endpoint envoy + stats metrics. 
+ + Please use with caution. + type: boolean + enableRequestResponseSizesStats: + description: >- + EnableRequestResponseSizesStats enables publishing + of histograms tracking header and body sizes of + requests and responses. + type: boolean + enableVirtualHostStats: + description: >- + EnableVirtualHostStats enables envoy stat metrics + for virtual hosts. + type: boolean + matches: + description: >- + Matches defines configuration for selecting specific + metrics instead of generating all metrics stats + + that are enabled by default. This helps reduce CPU + and memory overhead in Envoy, but eliminating some + stats + + may after critical functionality. Here are the stats + that we strongly recommend not disabling: + + `cluster_manager.warming_clusters`, + `cluster..membership_total`,`cluster..membership_healthy`, + + `cluster..membership_degraded`,reference + https://github.com/envoyproxy/envoy/issues/9856, + + https://github.com/envoyproxy/envoy/issues/14610 + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that can + be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: Type specifies how to match against a string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + prometheus: + description: >- + Prometheus defines the configuration for Admin + endpoint `/stats/prometheus`. + properties: + compression: + description: >- + Configure the compression on Prometheus + endpoint. Compression is useful in situations + when bandwidth is scarce and large payloads can + be effectively compressed at the expense of + higher CPU load. + properties: + brotli: + description: The configuration for Brotli compressor. 
+ type: object + gzip: + description: The configuration for GZIP compressor. + type: object + minContentLength: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + MinContentLength defines the minimum + response size in bytes to apply compression. + + Responses smaller than this threshold will + not be compressed. + + Must be at least 30 bytes as enforced by + Envoy Proxy. + + Note that when the suffix is not provided, + the value is interpreted as bytes. + + Default: 30 bytes + x-kubernetes-int-or-string: true + type: + description: >- + CompressorType defines the compressor type + to use for compression. + enum: + - Gzip + - Brotli + - Zstd + type: string + zstd: + description: The configuration for Zstd compressor. + type: object + required: + - type + type: object + disable: + description: Disable the Prometheus endpoint. + type: boolean + type: object + sinks: + description: >- + Sinks defines the metric sinks where metrics are + sent to. + items: + description: |- + ProxyMetricSink defines the sink of metrics. + Default metrics sink is OpenTelemetry. + properties: + openTelemetry: + description: >- + OpenTelemetry defines the configuration for + OpenTelemetry sink. + + It's required if the sink type is + OpenTelemetry. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object + that represents the + + backend server to which the authorization + request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object + that represents the + + backend server to which the authorization + request will be sent. + items: + description: >- + BackendRef defines how an + ObjectReference that is specific to + BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend + is designated as a fallback. + + Multiple fallback backends can be + configured. + + It is highly recommended to configure + active or passive health checks to + ensure that failover can be detected + + when the active backends become + unhealthy and to automatically readjust + once the primary backends are healthy + again. + + The overprovisioning factor is set to + 1.4, meaning the fallback backends will + only start receiving traffic when + + the health of the active backends falls + below 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of + requests forwarded to the referenced + + backend. This is computed as weight/(sum + of all weights in this + + BackendRefs list). For non-zero values, + there may be some epsilon from + + the exact proportion defined here + depending on the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it + has a weight greater than 0, 100% + + of the traffic is forwarded to that + backend. If weight is set to 0, no + + traffic should be forwarded for this + entry. If unspecified, weight + + defaults to 1. 
+ + + Support for this field varies based on + the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for + managing the connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the + upstream connections and requests. + + If not set, circuit breakers will be + enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that + Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests + that Envoy will queue to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that + Envoy will make over a single connection + to the referenced backend defined within + a xRoute rule. + + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers + that will apply per-endpoint for an + upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: >- + Connection includes backend connection + settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection + streaming (maybe non-streaming) channel + between processes, it's in user space. + + If unspecified, an implementation + defined default is applied (32768 + bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment + overhead. + + + If unset, Envoy will fetch connections + as needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 
100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration + for the maximum buffer size in bytes for + each socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at + which DNS records should be refreshed. + + Defaults to 30 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend + is specified as a fully qualified domain + name (FQDN). + + If set, this configuration overrides + other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS + refresh rate will be set to the resource + record’s TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform + active health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. 
+ + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. 
+ type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout + the cluster + + as load increases. If not set, the + default value is 50%. To disable panic + mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for + backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the + initial window size for HTTP/2 + connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum + number of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy + will terminate the connection or just + the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy + deployments to set this value to + TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when + routing traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. 
+ + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. 
Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. 
+ properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? !has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, + allowing users to customize the number + of retries, retry fallback strategy, and + retry triggering conditions. 
+ + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. 
+ + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with + the upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy + only works with RoundRobin or Random + load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + headers: + description: >- + Headers is a list of additional headers to + send with OTLP export requests. + + These headers are added as gRPC initial + metadata for the OTLP gRPC service. + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 32 + minItems: 1 + type: array + host: + description: |- + Host define the service hostname. + Deprecated: Use BackendRefs instead. + type: string + port: + default: 4317 + description: >- + Port defines the port the service is + exposed on. + + Deprecated: Use BackendRefs instead. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + reportCountersAsDeltas: + description: >- + ReportCountersAsDeltas configures the + OpenTelemetry sink to report + + counters as delta temporality instead of + cumulative. + type: boolean + reportHistogramsAsDeltas: + description: >- + ReportHistogramsAsDeltas configures the + OpenTelemetry sink to report + + histograms as delta temporality instead of + cumulative. + + Required for backends like Elastic that + drop cumulative histograms. + type: boolean + resourceAttributes: + additionalProperties: + type: string + description: >- + ResourceAttributes is a set of labels that + describe the source of metrics. + + It's recommended to follow semantic + conventions: + https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/ + type: object + type: object + x-kubernetes-validations: + - message: host or backendRefs needs to be set + rule: >- + has(self.host) || self.backendRefs.size() + > 0 + - message: >- + BackendRefs must be used, backendRef is + not supported. 
+ rule: '!has(self.backendRef)' + - message: >- + BackendRefs only support Service and + Backend kind. + rule: >- + has(self.backendRefs) ? + self.backendRefs.all(f, f.kind == + 'Service' || f.kind == 'Backend') : true + - message: >- + BackendRefs only support Core and + gateway.envoyproxy.io group. + rule: >- + has(self.backendRefs) ? + (self.backendRefs.all(f, f.group == "" || + f.group == 'gateway.envoyproxy.io')) : + true + type: + default: OpenTelemetry + description: |- + Type defines the metric sink type. + EG currently only supports OpenTelemetry. + enum: + - OpenTelemetry + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If MetricSink type is OpenTelemetry, + openTelemetry field needs to be set. + rule: >- + self.type == 'OpenTelemetry' ? + has(self.openTelemetry) : + !has(self.openTelemetry) + maxItems: 16 + type: array + type: object + requestID: + description: RequestID configures Envoy request ID behavior. + properties: + tracing: + description: >- + Tracing configures Envoy's behavior for the UUID + request ID extension, + + including whether the trace sampling decision is + packed into the UUID and + + whether `X-Request-ID` is used for trace sampling + decisions. + + + When omitted, the default behavior is + `PackAndSample`, which alters the UUID + + to contain the trace sampling decision and uses + `X-Request-ID` for stable + + trace sampling. + enum: + - PackAndSample + - Sample + - Pack + - Disable + type: string + type: object + tracing: + description: >- + Tracing defines tracing configuration for managed + proxies. + + If unspecified, will not send tracing data. + properties: + customTags: + additionalProperties: + properties: + environment: + description: >- + Environment adds value from environment + variable to each span. + + It's required when the type is "Environment". 
+ properties: + defaultValue: + description: >- + DefaultValue defines the default value to + use if the environment variable is not + set. + type: string + name: + description: >- + Name defines the name of the environment + variable which to extract the value from. + type: string + required: + - name + type: object + literal: + description: |- + Literal adds hard-coded value to each span. + It's required when the type is "Literal". + properties: + value: + description: >- + Value defines the hard-coded value to add + to each span. + type: string + required: + - value + type: object + requestHeader: + description: >- + RequestHeader adds value from request header + to each span. + + It's required when the type is + "RequestHeader". + properties: + defaultValue: + description: >- + DefaultValue defines the default value to + use if the request header is not set. + type: string + name: + description: >- + Name defines the name of the request + header which to extract the value from. + type: string + required: + - name + type: object + type: + default: Literal + description: Type defines the type of custom tag. + enum: + - Literal + - Environment + - RequestHeader + type: string + required: + - type + type: object + description: >- + CustomTags defines the custom tags to add to each + span. + + If provider is kubernetes, pod name and namespace + are added by default. + + + Deprecated: Use Tags instead. + type: object + provider: + description: Provider defines the tracing provider. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization + request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other + than ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might + be derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization + request will be sent. + items: + description: >- + BackendRef defines how an ObjectReference that + is specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be + configured. + + It is highly recommended to configure + active or passive health checks to ensure + that failover can be detected + + when the active backends become unhealthy + and to automatically readjust once the + primary backends are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only + start receiving traffic when + + the health of the active backends falls + below 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type other + than ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of + requests forwarded to the referenced + + backend. This is computed as weight/(sum + of all weights in this + + BackendRefs list). For non-zero values, + there may be some epsilon from + + the exact proportion defined here + depending on the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it + has a weight greater than 0, 100% + + of the traffic is forwarded to that + backend. If weight is set to 0, no + + traffic should be forwarded for this + entry. If unspecified, weight + + defaults to 1. 
+ + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing + the connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be enabled + with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that + Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests + that Envoy will queue to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that + Envoy will make over a single connection + to the referenced backend defined within + a xRoute rule. + + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers + that will apply per-endpoint for an + upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: >- + Connection includes backend connection + settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection + streaming (maybe non-streaming) channel + between processes, it's in user space. + + If unspecified, an implementation + defined default is applied (32768 + bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment + overhead. + + + If unset, Envoy will fetch connections + as needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 
100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration + for the maximum buffer size in bytes for + each socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at + which DNS records should be refreshed. + + Defaults to 30 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend + is specified as a fully qualified domain + name (FQDN). + + If set, this configuration overrides + other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS + refresh rate will be set to the resource + record’s TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. 
+ + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. 
+ type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout + the cluster + + as load increases. If not set, the + default value is 50%. To disable panic + mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for + backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the + initial window size for HTTP/2 + connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum + number of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy + will terminate the connection or just + the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy + deployments to set this value to + TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. 
+ + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. 
Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. 
+ properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? !has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing + users to customize the number of retries, + retry fallback strategy, and retry + triggering conditions. 
+ + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. 
+ + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only + works with RoundRobin or Random load + balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + host: + description: |- + Host define the provider service hostname. + Deprecated: Use BackendRefs instead. + type: string + openTelemetry: + description: >- + OpenTelemetry defines the OpenTelemetry tracing + provider configuration + properties: + headers: + description: >- + Headers is a list of additional headers to + send with OTLP export requests. + + These headers are added as gRPC initial + metadata for the OTLP gRPC service. + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. 
+ properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 32 + minItems: 1 + type: array + resourceAttributes: + additionalProperties: + type: string + description: >- + ResourceAttributes is a set of labels that + describe the source of traces. + + It's recommended to follow semantic + conventions: + https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/ + type: object + type: object + port: + default: 4317 + description: >- + Port defines the port the provider service is + exposed on. + + Deprecated: Use BackendRefs instead. + format: int32 + minimum: 0 + type: integer + serviceName: + description: >- + ServiceName defines the service name to use in + tracing configuration. + + If not set, Envoy Gateway will use a default + service name set as + + "name.namespace" (e.g., "my-gateway.default"). + + Note: This field is only supported for + OpenTelemetry and Datadog tracing providers. + + For Zipkin, the service name in traces is always + derived from the Envoy --service-cluster flag + + (typically "namespace/name" format). Setting + this field has no effect for Zipkin. 
+ type: string + x-kubernetes-validations: + - message: serviceName cannot be empty if provided + rule: self != "" + type: + default: OpenTelemetry + description: Type defines the tracing provider type. + enum: + - OpenTelemetry + - Zipkin + - Datadog + type: string + zipkin: + description: >- + Zipkin defines the Zipkin tracing provider + configuration + properties: + disableSharedSpanContext: + description: >- + DisableSharedSpanContext determines whether + the default Envoy behaviour of + + client and server spans sharing the same + span context should be disabled. + type: boolean + enable128BitTraceId: + description: >- + Enable128BitTraceID determines whether a + 128bit trace id will be used + + when creating a new trace instance. If set + to false, a 64bit trace + + id will be used. + type: boolean + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: host or backendRefs needs to be set + rule: has(self.host) || self.backendRefs.size() > 0 + - message: >- + BackendRefs must be used, backendRef is not + supported. + rule: '!has(self.backendRef)' + - message: >- + BackendRefs only support Service and Backend + kind. + rule: >- + has(self.backendRefs) ? self.backendRefs.all(f, + f.kind == 'Service' || f.kind == 'Backend') : + true + - message: >- + BackendRefs only support Core and + gateway.envoyproxy.io group. + rule: >- + has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "" || f.group == + 'gateway.envoyproxy.io')) : true + - message: >- + openTelemetry can only be used with type + OpenTelemetry + rule: >- + has(self.openTelemetry) ? self.type == + 'OpenTelemetry' : true + samplingFraction: + description: >- + SamplingFraction represents the fraction of requests + that should be + + selected for tracing if no prior sampling decision + has been made. 
+ properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + samplingRate: + description: >- + SamplingRate controls the rate at which traffic will + be + + selected for tracing if no prior sampling decision + has been made. + + Defaults to 100, valid values [0-100]. 100 indicates + 100% sampling. + + + Only one of SamplingRate or SamplingFraction may be + specified. + + If neither field is specified, all requests will be + sampled. + format: int32 + maximum: 100 + minimum: 0 + type: integer + spanName: + description: >- + SpanName defines the name of the span which will be + used for tracing. + + Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + may be used in the value. + + The [format string + documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + + If not set, the span name is provider specific. + + e.g. Datadog use `ingress` as the default client + span name, + + and `router egress` as the server + span name. + properties: + client: + description: >- + Client defines operation name of the span which + will be used for tracing. + type: string + server: + description: >- + Server defines the operation name of the + upstream span which will be used for tracing. + type: string + required: + - client + - server + type: object + tags: + additionalProperties: + type: string + description: >- + Tags defines the custom tags to add to each span. 
+ + Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + may be used in the value. + + The [format string + documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + If provider is kubernetes, pod name and namespace + are added by default. + + + Same keys take precedence over CustomTags. + type: object + required: + - provider + type: object + x-kubernetes-validations: + - message: >- + only one of SamplingRate or SamplingFraction can be + specified + rule: >- + !(has(self.samplingRate) && + has(self.samplingFraction)) + type: object + type: object + status: + description: EnvoyProxyStatus defines the actual state of EnvoyProxy. + properties: + ancestors: + description: >- + Ancestors represent the status information for all the + GatewayClass or Gateway + + reference this EnvoyProxy with ParametersReference. + items: + properties: + ancestorRef: + description: >- + AncestorRef corresponds a GatewayClass or Gateway use + this EnvoyProxy with ParametersReference. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. 
When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. 
+ + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. 
+ + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - ancestorRef + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/gatewayclasses.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/gatewayclasses.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..f66d025 --- /dev/null +++ b/_/CustomResourceDefinition/gatewayclasses.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,715 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: >- + GatewayClass describes a class of Gateways available to the user for + creating + + Gateway resources. + + + It is recommended that this resource be used as a template for + Gateways. This + + means that a Gateway is based on the state of the GatewayClass at + the time it + + was created and changes to the GatewayClass or associated parameters + are not + + propagated down to existing Gateways. This recommendation is + intended to + + limit the blast radius of changes to GatewayClass or associated + parameters. + + If implementations choose to propagate GatewayClass changes to + existing + + Gateways, that MUST be clearly documented by the implementation. + + + Whenever one or more Gateways are using a GatewayClass, + implementations SHOULD + + add the `gateway-exists-finalizer.gateway.networking.k8s.io` + finalizer on the + + associated GatewayClass. This ensures that a GatewayClass associated + with a + + Gateway is not deleted while in use. + + + GatewayClass is a Cluster level resource. 
+ properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: >- + ControllerName is the name of the controller that is + managing Gateways of + + this class. The value of this field MUST be a domain + prefixed path. + + + Example: "example.net/gateway-controller". + + + This field is not mutable and cannot be empty. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: >- + ParametersRef is a reference to a resource that contains the + configuration + + parameters corresponding to the GatewayClass. This is + optional if the + + controller does not require any additional configuration. + + + ParametersRef can reference a standard Kubernetes resource, + i.e. ConfigMap, + + or an implementation-specific custom resource. The resource + can be + + cluster-scoped or namespace-scoped. 
+ + + If the referent cannot be found, refers to an unsupported + kind, or when + + the data within that resource is malformed, the GatewayClass + SHOULD be + + rejected with the "Accepted" status condition set to "False" + and an + + "InvalidParameters" reason. + + + A Gateway for this GatewayClass may provide its own + `parametersRef`. When both are specified, + + the merging behavior is implementation specific. + + It is generally recommended that GatewayClass provides + defaults that can be overridden by a Gateway. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. + + This field is required when referring to a + Namespace-scoped resource and + + MUST be unset when referring to a Cluster-scoped + resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: >- + Status defines the current state of GatewayClass. + + + Implementations MUST populate status on all GatewayClass + resources which + + specify their controller name. 
+ properties: + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: >- + SupportedFeatures is the set of features the GatewayClass + support. + + It MUST be sorted in ascending alphabetical order by the + Name key. + items: + properties: + name: + description: >- + FeatureName is used to describe distinct features that + are covered by + + conformance tests. + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: >- + GatewayClass describes a class of Gateways available to the user for + creating + + Gateway resources. + + + It is recommended that this resource be used as a template for + Gateways. This + + means that a Gateway is based on the state of the GatewayClass at + the time it + + was created and changes to the GatewayClass or associated parameters + are not + + propagated down to existing Gateways. 
This recommendation is + intended to + + limit the blast radius of changes to GatewayClass or associated + parameters. + + If implementations choose to propagate GatewayClass changes to + existing + + Gateways, that MUST be clearly documented by the implementation. + + + Whenever one or more Gateways are using a GatewayClass, + implementations SHOULD + + add the `gateway-exists-finalizer.gateway.networking.k8s.io` + finalizer on the + + associated GatewayClass. This ensures that a GatewayClass associated + with a + + Gateway is not deleted while in use. + + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: >- + ControllerName is the name of the controller that is + managing Gateways of + + this class. The value of this field MUST be a domain + prefixed path. + + + Example: "example.net/gateway-controller". + + + This field is not mutable and cannot be empty. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: >- + ParametersRef is a reference to a resource that contains the + configuration + + parameters corresponding to the GatewayClass. This is + optional if the + + controller does not require any additional configuration. + + + ParametersRef can reference a standard Kubernetes resource, + i.e. ConfigMap, + + or an implementation-specific custom resource. The resource + can be + + cluster-scoped or namespace-scoped. + + + If the referent cannot be found, refers to an unsupported + kind, or when + + the data within that resource is malformed, the GatewayClass + SHOULD be + + rejected with the "Accepted" status condition set to "False" + and an + + "InvalidParameters" reason. + + + A Gateway for this GatewayClass may provide its own + `parametersRef`. When both are specified, + + the merging behavior is implementation specific. + + It is generally recommended that GatewayClass provides + defaults that can be overridden by a Gateway. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. 
+ + This field is required when referring to a + Namespace-scoped resource and + + MUST be unset when referring to a Cluster-scoped + resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: >- + Status defines the current state of GatewayClass. + + + Implementations MUST populate status on all GatewayClass + resources which + + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. 
+ + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: >- + SupportedFeatures is the set of features the GatewayClass + support. + + It MUST be sorted in ascending alphabetical order by the + Name key. + items: + properties: + name: + description: >- + FeatureName is used to describe distinct features that + are covered by + + conformance tests. + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null 
diff --git a/_/CustomResourceDefinition/gateways.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/gateways.gateway.networking.k8s.io.yaml
new file mode 100644
index 0000000..a333eda
--- /dev/null
+++ b/_/CustomResourceDefinition/gateways.gateway.networking.k8s.io.yaml
@@ -0,0 +1,5235 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + Gateway represents an instance of a service-traffic handling + infrastructure + + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: >- + Addresses requested for this Gateway. 
This is optional and + behavior can + + depend on the implementation. If a value is set in the spec + and the + + requested address is invalid or unavailable, the + implementation MUST + + indicate this in an associated entry in + GatewayStatus.Conditions. + + + The Addresses field represents a request for the address(es) + on the + + "outside of the Gateway", that traffic bound for this + Gateway will use. + + This could be the IP address or hostname of an external load + balancer or + + other networking infrastructure, or some other address that + traffic will + + be sent to. + + + If no Addresses are specified, the implementation MAY + schedule the + + Gateway in an implementation-specific manner, assigning an + appropriate + + set of Addresses. + + + The implementation MUST bind all Listeners to every + GatewayAddress that + + it assigns to the Gateway and add a corresponding entry in + + GatewayStatus.Addresses. + + + Support: Extended + items: + description: >- + GatewaySpecAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: >- + ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: >- + When a value is unspecified, an implementation SHOULD + automatically + + assign an address matching the requested type if + possible. + + + If an implementation does not support an empty value, + they MUST set the + + "Programmed" condition in status to False with a + reason of "AddressNotAssigned". + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. 
+ maxLength: 253 + type: string + type: object + x-kubernetes-validations: + - message: >- + Hostname value must be empty or contain only valid + characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: >- + self.type == 'Hostname' ? (!has(self.value) || + self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): + true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: >- + self.all(a1, a1.type == 'IPAddress' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) + && a2.value == a1.value) : true ) + - message: Hostname values must be unique + rule: >- + self.all(a1, a1.type == 'Hostname' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) + && a2.value == a1.value) : true ) + allowedListeners: + description: >- + AllowedListeners defines which ListenerSets can be attached + to this Gateway. + + The default value is to allow no ListenerSets. + properties: + namespaces: + default: + from: None + description: >- + Namespaces defines which namespaces ListenerSets can be + attached to this Gateway. + + The default value is to allow no ListenerSets. + properties: + from: + default: None + description: >- + From indicates where ListenerSets can attach to this + Gateway. Possible + + values are: + + + * Same: Only ListenerSets in the same namespace may + be attached to this Gateway. + + * Selector: ListenerSets in namespaces selected by + the selector may be attached to this Gateway. + + * All: ListenerSets in all namespaces may be + attached to this Gateway. + + * None: Only listeners defined in the Gateway's spec + are allowed + + + The default value None + enum: + - All + - Selector + - Same + - None + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". 
In that case, + + only ListenerSets in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other values of + "From". + properties: + matchExpressions: + description: >- + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector + that contains values, a key, and an operator + that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + gatewayClassName: + description: >- + GatewayClassName used for this Gateway. This is the name of + a + + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: >- + Infrastructure defines infrastructure level attributes about + this Gateway instance. 
+ + + Support: Extended + properties: + annotations: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. This + roughly matches Kubernetes + + annotation validation, although the length validation + in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Annotations that SHOULD be applied to any resources + created in response to this Gateway. + + + For implementations creating other Kubernetes objects, + this should be the `metadata.annotations` field on + resources. + + For other implementations, this refers to any relevant + (implementation specific) "annotations" concepts. + + + An implementation may chose to add additional + implementation-specific annotations as they see fit. + + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: >- + Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name + segment of up to 63 characters. + rule: >- + self.all(key, + key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: >- + If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in + total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: >- + LabelValue is the value of a label in the Gateway API. + This is used for validation + + of maps such as Gateway infrastructure labels. This + matches the Kubernetes + + label validation rules: + + * must be 63 characters or less (can be empty), + + * unless empty, must begin and end with an + alphanumeric character ([a-z0-9A-Z]), + + * could contain dashes (-), underscores (_), dots (.), + and alphanumerics between. 
+ + + Valid values include: + + + * MyValue + + * my.name + + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: >- + Labels that SHOULD be applied to any resources created + in response to this Gateway. + + + For implementations creating other Kubernetes objects, + this should be the `metadata.labels` field on resources. + + For other implementations, this refers to any relevant + (implementation specific) "labels" concepts. + + + An implementation may chose to add additional + implementation-specific labels as they see fit. + + + If an implementation maps these labels to Pods, or any + other resource that would need to be recreated when + labels + + change, it SHOULD clearly warn about this behavior in + documentation. + + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: >- + Label keys must be in the form of an optional DNS + subdomain prefix followed by a required name segment + of up to 63 characters. + rule: >- + self.all(key, + key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: >- + If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: >- + ParametersRef is a reference to a resource that contains + the configuration + + parameters corresponding to the Gateway. This is + optional if the + + controller does not require any additional + configuration. + + + This follows the same semantics as GatewayClass's + `parametersRef`, but on a per-Gateway basis + + + The Gateway's GatewayClass may provide its own + `parametersRef`. When both are specified, + + the merging behavior is implementation specific. + + It is generally recommended that GatewayClass provides + defaults that can be overridden by a Gateway. 
+ + + If the referent cannot be found, refers to an + unsupported kind, or when + + the data within that resource is malformed, the Gateway + SHOULD be + + rejected with the "Accepted" status condition set to + "False" and an + + "InvalidParameters" reason. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: >- + Listeners associated with this Gateway. Listeners define + + logical endpoints that are bound on this Gateway's + addresses. + + At least one Listener MUST be specified. + + + ## Distinct Listeners + + + Each Listener in a set of Listeners (for example, in a + single Gateway) + + MUST be _distinct_, in that a traffic flow MUST be able to + be assigned to + + exactly one listener. (This section uses "set of Listeners" + rather than + + "Listeners in a single Gateway" because implementations MAY + merge configuration + + from multiple Gateways onto a single data plane, and these + rules _also_ + + apply in that case). + + + Practically, this means that each listener in a set MUST + have a unique + + combination of Port, Protocol, and, if supported by the + protocol, Hostname. + + + Some combinations of port, protocol, and TLS settings are + considered + + Core support and MUST be supported by implementations based + on the objects + + they support: + + + HTTPRoute + + + 1. HTTPRoute, Port: 80, Protocol: HTTP + + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: + Terminate, TLS keypair provided + + + TLSRoute + + + 1. 
TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + + "Distinct" Listeners have the following property: + + + **The implementation can match inbound requests to a single + distinct + + Listener**. + + + When multiple Listeners share values for fields (for + + example, two Listeners with the same Port value), the + implementation + + can match requests to only one of the Listeners using other + + Listener fields. + + + When multiple listeners have the same value for the Protocol + field, then + + each of the Listeners with matching Protocol values MUST + have different + + values for other fields. + + + The set of fields that MUST be different for a Listener + differs per protocol. + + The following rules define the rules for what fields MUST be + considered for + + Listeners to be distinct with each protocol currently + defined in the + + Gateway API spec. + + + The set of listeners that all share a protocol value MUST + have _different_ + + values for _at least one_ of these fields to be distinct: + + + * **HTTP, HTTPS, TLS**: Port, Hostname + + * **TCP, UDP**: Port + + + One **very** important rule to call out involves what + happens when an + + implementation: + + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, + or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as + one with TCP + Protocol. + + In this case all the Listeners that share a port with the + + TCP Listener are not distinct and so MUST NOT be accepted. + + + If an implementation does not support TCP Protocol + Listeners, then the + + previous rule does not apply, and the TCP Listeners SHOULD + NOT be + + accepted. + + + Note that the `tls` field is not used for determining if a + listener is distinct, because + + Listeners that _only_ differ on TLS config will still + conflict in all cases. 
+ + + ### Listeners that are distinct only by Hostname + + + When the Listeners are distinct based only on Hostname, + inbound request + + hostnames MUST match from the most specific to least + specific Hostname + + values to choose the correct Listener and its associated set + of Routes. + + + Exact matches MUST be processed before wildcard matches, and + wildcard + + matches MUST be processed before fallback (empty Hostname + value) + + matches. For example, `"foo.example.com"` takes precedence + over + + `"*.example.com"`, and `"*.example.com"` takes precedence + over `""`. + + + Additionally, if there are multiple wildcard entries, more + specific + + wildcard entries must be processed before less specific + wildcard entries. + + For example, `"*.foo.example.com"` takes precedence over + `"*.example.com"`. + + + The precise definition here is that the higher the number of + dots in the + + hostname to the right of the wildcard character, the higher + the precedence. + + + The wildcard character will match any number of characters + _and dots_ to + + the left, however, so `"*.example.com"` will match both + + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + + ## Handling indistinct Listeners + + + If a set of Listeners contains Listeners that are not + distinct, then those + + Listeners are _Conflicted_, and the implementation MUST set + the "Conflicted" + + condition in the Listener Status to "True". + + + The words "indistinct" and "conflicted" are considered + equivalent for the + + purpose of this documentation. + + + Implementations MAY choose to accept a Gateway with some + Conflicted + + Listeners only if they only accept the partial Listener set + that contains + + no Conflicted Listeners. + + + Specifically, an implementation MAY accept a partial + Listener set subject to + + the following rules: + + + * The implementation MUST NOT pick one conflicting Listener + as the winner. + ALL indistinct Listeners must not be accepted for processing. 
+ * At least one distinct Listener MUST be present, or else + the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition + on the + + Gateway Status when the Gateway contains Conflicted + Listeners whether or + + not they accept the Gateway. That Condition SHOULD clearly + + indicate in the Message which Listeners are conflicted, and + which are + + Accepted. Additionally, the Listener status for those + listeners SHOULD + + indicate which Listeners are conflicted and not Accepted. + + + ## General Listener behavior + + + Note that, for all distinct Listeners, requests SHOULD match + at most one Listener. + + For example, if Listeners are defined for "foo.example.com" + and "*.example.com", a + + request to "foo.example.com" SHOULD only be routed using + routes attached + + to the "foo.example.com" Listener (and not the + "*.example.com" Listener). + + + This concept is known as "Listener Isolation", and it is an + Extended feature + + of Gateway API. Implementations that do not support Listener + Isolation MUST + + clearly document this, and MUST NOT claim support for the + + `GatewayHTTPListenerIsolation` feature. + + + Implementations that _do_ support Listener Isolation SHOULD + claim support + + for the Extended `GatewayHTTPListenerIsolation` feature and + pass the associated + + conformance tests. + + + ## Compatible Listeners + + + A Gateway's Listeners are considered _compatible_ if: + + + 1. They are distinct. + + 2. The implementation can serve them in compliance with the + Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to + vary across + + implementations. A combination that is compatible for one + implementation + + may not be compatible for another. 
+ + + For example, an implementation that cannot serve both TCP + and UDP listeners + + on the same address, or cannot mix HTTPS and generic TLS + listens on the same port + + would not consider those cases compatible, even though they + are distinct. + + + Implementations MAY merge separate Gateways onto a single + set of + + Addresses if all Listeners across all Gateways are + compatible. + + + In a future release the MinItems=1 requirement MAY be + dropped. + + + Support: Core + items: + description: >- + Listener embodies the concept of a logical endpoint where + a Gateway accepts + + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: >- + AllowedRoutes defines the types of routes that MAY be + attached to a + + Listener and the trusted namespaces where those Route + resources MAY be + + present. + + + Although a client request may match multiple route + rules, only one rule + + may ultimately receive the request. Matching + precedence MUST be + + determined in order of the following criteria: + + + * The most specific match as defined by the Route + type. + + * The oldest Route based on creation timestamp. For + example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route + appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this + Listener should be + + implemented. Invalid Route rules can be ignored + (sometimes that will mean + + the full Route). If a Route rule transitions from + valid to invalid, + + support for that Route rule should be dropped to + ensure consistency. For + + example, even if a filter specified by a Route rule is + invalid, the rest + + of the rules within that Route should still be + supported. 
+ + + Support: Core + properties: + kinds: + description: >- + Kinds specifies the groups and kinds of Routes + that are allowed to bind + + to this Gateway Listener. When unspecified or + empty, the kinds of Routes + + selected are determined using the Listener + protocol. + + + A RouteGroupKind MUST correspond to kinds of + Routes that are compatible + + with the application protocol specified in the + Listener's Protocol field. + + If an implementation does not support or recognize + this resource type, it + + MUST set the "ResolvedRefs" condition to False for + this Listener with the + + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: >- + Namespaces indicates namespaces from which Routes + may be attached to this + + Listener. This is restricted to the namespace of + this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: >- + From indicates where Routes will be selected + for this Gateway. Possible + + values are: + + + * All: Routes in all namespaces may be used by + this Gateway. + + * Selector: Routes in namespaces selected by + the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may + be used by this Gateway. 
+ + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". In that case, + + only Routes in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other + values of "From". + + + Support: Core + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: >- + Hostname specifies the virtual hostname to match for + protocol types that + + define this concept. When unspecified, all hostnames + are matched. 
This + + field is ignored for protocols that don't require + hostname based + + matching. + + + Implementations MUST apply Hostname matching + appropriately for each of + + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + + * HTTP: The Listener Hostname MUST match the Host + header of the request. + + * HTTPS: The Listener Hostname SHOULD match both the + SNI and Host header. + Note that this does not require the SNI and Host header to be the same. + The semantics of this are described in more detail below. + + To ensure security, Section 11.1 of RFC-6066 + emphasizes that server + + implementations that rely on SNI hostname matching + MUST also verify + + hostnames within the application protocol. + + + Section 9.1.2 of RFC-7540 provides a mechanism for + servers to reject the + + reuse of a connection by responding with the HTTP 421 + Misdirected Request + + status code. This indicates that the origin server has + rejected the + + request because it appears to have been misdirected. + + + To detect misdirected requests, Gateways SHOULD match + the authority of + + the requests with all the SNI hostname(s) configured + across all the + + Gateway Listeners on the same port and protocol: + + + * If another Listener has an exact match or more + specific wildcard entry, + the Gateway SHOULD return a 421. + * If the current Listener (selected by SNI matching + during ClientHello) + does not match the Host: + * If another Listener does match the Host, the Gateway SHOULD return a + 421. + * If no other Listener matches the Host, the Gateway MUST return a + 404. + + For HTTPRoute and TLSRoute resources, there is an + interaction with the + + `spec.hostnames` array. When both listener and route + specify hostnames, + + there MUST be an intersection between the values for a + Route to be + + accepted. For more information, refer to the Route + specific Hostnames + + documentation. 
+ + + Hostnames that are prefixed with a wildcard label + (`*.`) are interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, + but not `example.com`. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: >- + Name is the name of the Listener. This name MUST be + unique within a + + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: >- + Port is the network port. Multiple listeners may use + the + + same port, subject to the Listener compatibility + rules. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: >- + Protocol specifies the network protocol this listener + expects to receive. + + + Support: Core + maxLength: 255 + minLength: 1 + pattern: >- + ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: >- + TLS is the TLS configuration for the Listener. This + field is required if + + the Protocol field is "HTTPS" or "TLS". It is invalid + to set this field + + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in + ListenerTLSConfig is + + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out + of all + + available certificates for any TLS handshake. + + + Support: Core + properties: + certificateRefs: + description: >- + CertificateRefs contains a series of references to + Kubernetes objects that + + contains TLS certificates and private keys. 
These + certificates are used to + + establish a TLS handshake for requests that match + the hostname of the + + associated listener. + + + A single CertificateRef to a Kubernetes Secret has + "Core" support. + + Implementations MAY choose to support attaching + multiple certificates to + + a Listener, but this behavior is + implementation-specific. + + + References to a resource in different namespace + are invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the certificate + + to be attached. If a ReferenceGrant does not allow + this reference, the + + "ResolvedRefs" condition MUST be set to False for + this listener with the + + "RefNotPermitted" reason. + + + This field is required to have at least one + element when the mode is set + + to "Terminate" (default) and is optional + otherwise. + + + CertificateRefs can reference to standard + Kubernetes resources, i.e. + + Secret, or implementation-specific custom + resources. + + + Support: Core - A single reference to a Kubernetes + Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one + reference or other resource types) + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the + Group and Kind must + + be registered in the cluster for this reference + to be valid. + + + References to objects with invalid Group and + Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: >- + Mode defines the TLS behavior for the TLS session + initiated by the client. + + There are two possible modes: + + + - Terminate: The TLS session between the + downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated + by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. 
This + roughly matches Kubernetes + + annotation validation, although the length + validation in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable + extended TLS + + configuration for each implementation. For + example, configuring the + + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in + the future. To avoid + + any ambiguity, implementation-specific definitions + MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names + defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: >- + certificateRefs or options must be specified when + mode is Terminate + rule: >- + self.mode == 'Terminate' ? + size(self.certificateRefs) > 0 || + size(self.options) > 0 : true + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['HTTP', 'TCP', 'UDP'] ? + !has(l.tls) : true) + - message: tls mode must be Terminate for protocol HTTPS + rule: >- + self.all(l, (l.protocol == 'HTTPS' && has(l.tls)) ? + (l.tls.mode == '' || l.tls.mode == 'Terminate') : true) + - message: tls mode must be set for protocol TLS + rule: >- + self.all(l, (l.protocol == 'TLS' ? has(l.tls) && + has(l.tls.mode) && l.tls.mode != '' : true)) + - message: >- + hostname must not be specified for protocols ['TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['TCP', 'UDP'] ? 
+ (!has(l.hostname) || l.hostname == '') : true) + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: >- + Combination of port, protocol and hostname must be + unique for each listener + rule: >- + self.all(l1, self.exists_one(l2, l1.port == l2.port && + l1.protocol == l2.protocol && (has(l1.hostname) && + has(l2.hostname) ? l1.hostname == l2.hostname : + !has(l1.hostname) && !has(l2.hostname)))) + tls: + description: >- + TLS specifies frontend and backend tls configuration for + entire gateway. + + + Support: Extended + properties: + backend: + description: >- + Backend describes TLS configuration for gateway when + connecting + + to backends. + + + Note that this contains only details for the Gateway as + a TLS client, + + and does _not_ imply behavior about how to choose which + backend should + + get a TLS connection. That is determined by the presence + of a BackendTLSPolicy. + + + Support: Core + properties: + clientCertificateRef: + description: >- + ClientCertificateRef references an object that + contains a client certificate + + and its associated private key. It can reference + standard Kubernetes resources, + + i.e., Secret, or implementation-specific custom + resources. + + + A ClientCertificateRef is considered invalid if: + + + * It refers to a resource that cannot be resolved + (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace + UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. 
+ If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further + validation of the certificate + + content (e.g., checking expiry or enforcing specific + formats). In such cases, + + an implementation-specific Reason and Message MUST + be set. + + + Support: Core - Reference to a Kubernetes TLS Secret + (with the type `kubernetes.io/tls`). + + Support: Implementation-specific - Other resource + kinds or Secrets with a + + different type (e.g., `Opaque`). + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: >- + Frontend describes TLS config when client connects to + Gateway. 
+ + Support: Core + properties: + default: + description: >- + Default specifies the default client certificate + validation configuration + + for all Listeners handling HTTPS traffic, unless a + per-port configuration + + is defined. + + + support: Core + properties: + validation: + description: >- + Validation holds configuration information for + validating the frontend (client). + + Setting this field will result in mutual + authentication when connecting to the gateway. + + In browsers this may result in a dialog + appearing + + that requests a user to specify the client + certificate. + + The maximum depth of a certificate chain + accepted in verification is Implementation + specific. + + + Support: Core + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more + references to Kubernetes + + objects that contain a PEM-encoded TLS CA + certificate bundle, which + + is used as a trust anchor to validate the + certificates presented by + + the client. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be + resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported + kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another + namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. 
If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform + further validation of the + + certificate content (e.g., checking expiry + or enforcing specific formats). + + In such cases, an implementation-specific + Reason and Message MUST be set. + + + In all cases, the implementation MUST ensure + that the `ResolvedRefs` + + condition is set to `status: False` on all + targeted listeners (i.e., + + listeners serving HTTPS on a matching port). + The condition MUST + + include a Reason and Message that indicate + the cause of the error. If + + ALL CACertificateRefs are invalid, the + implementation MUST also ensure + + the `Accepted` condition on the listener is + set to `status: False`, with + + the Reason `NoValidCACertificate`. + + Implementations MAY choose to support + attaching multiple CA certificates + + to a listener, but this behavior is + implementation-specific. + + + Support: Core - A single reference to a + Kubernetes ConfigMap, with the + + CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More than + one reference, other kinds + + of resources, or a single reference that + includes multiple certificates. + items: + description: >- + ObjectReference identifies an API object + including its namespace. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group + and Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When set to the empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: >- + FrontendValidationMode defines the mode for + validating the client certificate. + + There are two possible modes: + + + - AllowValidOnly: In this mode, the gateway + will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the + gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. 
+ + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: >- + PerPort specifies tls configuration assigned per + port. + + Per port configuration is optional. Once set this + configuration overrides + + the default configuration for all Listeners handling + HTTPS traffic + + that match this port. + + Each override port requires a unique TLS + configuration. + + + support: Core + items: + properties: + port: + description: >- + The Port indicates the Port Number to which + the TLS configuration will be + + applied. This configuration will be applied to + all Listeners handling HTTPS + + traffic that match this port. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: >- + TLS store the configuration that will be + applied to all Listeners handling + + HTTPS traffic and matching given port. + + + Support: Core + properties: + validation: + description: >- + Validation holds configuration information + for validating the frontend (client). + + Setting this field will result in mutual + authentication when connecting to the + gateway. + + In browsers this may result in a dialog + appearing + + that requests a user to specify the client + certificate. + + The maximum depth of a certificate chain + accepted in verification is Implementation + specific. + + + Support: Core + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more + references to Kubernetes + + objects that contain a PEM-encoded TLS + CA certificate bundle, which + + is used as a trust anchor to validate + the certificates presented by + + the client. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be + resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). 
In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported + kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another + namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform + further validation of the + + certificate content (e.g., checking + expiry or enforcing specific formats). + + In such cases, an + implementation-specific Reason and + Message MUST be set. + + + In all cases, the implementation MUST + ensure that the `ResolvedRefs` + + condition is set to `status: False` on + all targeted listeners (i.e., + + listeners serving HTTPS on a matching + port). The condition MUST + + include a Reason and Message that + indicate the cause of the error. If + + ALL CACertificateRefs are invalid, the + implementation MUST also ensure + + the `Accepted` condition on the listener + is set to `status: False`, with + + the Reason `NoValidCACertificate`. + + Implementations MAY choose to support + attaching multiple CA certificates + + to a listener, but this behavior is + implementation-specific. + + + Support: Core - A single reference to a + Kubernetes ConfigMap, with the + + CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More + than one reference, other kinds + + of resources, or a single reference that + includes multiple certificates. 
+ items: + description: >- + ObjectReference identifies an API object + including its namespace. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group + and Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When set to the empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: >- + FrontendValidationMode defines the mode + for validating the client certificate. + + There are two possible modes: + + + - AllowValidOnly: In this mode, the + gateway will accept connections only if + the client presents a valid certificate. 
This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, + the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + Port for TLS configuration must be unique within + the Gateway + rule: >- + self.all(t1, self.exists_one(t2, t1.port == + t2.port)) + required: + - default + type: object + type: object + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: >- + Addresses lists the network addresses that have been bound + to the + + Gateway. + + + This list may differ from the addresses provided in the spec + under some + + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + items: + description: >- + GatewayStatusAddress describes a network address that is + bound to a Gateway. 
+ oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: >- + ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: >- + Value of the address. The validity of the values will + depend + + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: >- + Hostname value must only contain valid characters + (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: >- + self.type == 'Hostname' ? + self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + attachedListenerSets: + description: >- + AttachedListenerSets represents the total number of + ListenerSets that have been + + successfully attached to this Gateway. + + + A ListenerSet is successfully attached to a Gateway when all + the following conditions are met: + + - The ListenerSet is selected by the Gateway's + AllowedListeners field + + - The ListenerSet has a valid ParentRef selecting the + Gateway + + - The ListenerSet's status has the condition "Accepted: + true" + + + Uses for this field include troubleshooting + AttachedListenerSets attachment and + + measuring blast radius/impact of changes to a Gateway. 
+ format: int32 + type: integer + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: >- + Conditions describe the current conditions of the Gateway. + + + Implementations should prefer to express Gateway conditions + + using the `GatewayConditionType` and + `GatewayConditionReason` + + constants so that operators and tools can converge on a + common + + vocabulary to describe Gateway state. + + + Known condition types are: + + + * "Accepted" + + * "Programmed" + + * "Ready" + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
+ + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: >- + Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: >- + AttachedRoutes represents the total number of Routes + that have been + + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is + based solely on the + + combination of the AllowedRoutes field on the + corresponding Listener + + and the Route's ParentRefs field. A Route is + successfully attached to + + a Listener when it is selected by the Listener's + AllowedRoutes field + + AND the Route has a valid ParentRef selecting the + whole Gateway + + resource or a specific Listener as a parent resource + (more detail on + + attachment semantics can be found in the documentation + on the various + + Route kinds ParentRefs fields). Listener or Route + status does not impact + + successful attachment, i.e. 
the AttachedRoutes field + count MUST be set + + for Listeners, even if the Accepted condition of an + individual Listener is set + + to "False". The AttachedRoutes number represents the + number of Routes with + + the Accepted condition set to "True" that have been + attached to this Listener. + + Routes with any other value for the Accepted condition + MUST NOT be included + + in this count. + + + Uses for this field include troubleshooting Route + attachment and + + measuring blast radius/impact of changes to a + Listener. + format: int32 + type: integer + conditions: + description: >- + Conditions describe the current condition of this + listener. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. 
+ + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: >- + Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: >- + SupportedKinds is the list indicating the Kinds + supported by this + + listener. This MUST represent the kinds supported by + an implementation for + + that Listener configuration. + + + If kinds are specified in Spec that are not supported, + they MUST NOT + + appear in this list and an implementation MUST set the + "ResolvedRefs" + + condition to "False" with the "InvalidRouteKinds" + reason. If both valid + + and invalid Route kinds are specified, the + implementation MUST + + reference the valid Route kinds that have been + specified. + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: >- + Gateway represents an instance of a service-traffic handling + infrastructure + + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: >- + Addresses requested for this Gateway. This is optional and + behavior can + + depend on the implementation. 
If a value is set in the spec + and the + + requested address is invalid or unavailable, the + implementation MUST + + indicate this in an associated entry in + GatewayStatus.Conditions. + + + The Addresses field represents a request for the address(es) + on the + + "outside of the Gateway", that traffic bound for this + Gateway will use. + + This could be the IP address or hostname of an external load + balancer or + + other networking infrastructure, or some other address that + traffic will + + be sent to. + + + If no Addresses are specified, the implementation MAY + schedule the + + Gateway in an implementation-specific manner, assigning an + appropriate + + set of Addresses. + + + The implementation MUST bind all Listeners to every + GatewayAddress that + + it assigns to the Gateway and add a corresponding entry in + + GatewayStatus.Addresses. + + + Support: Extended + items: + description: >- + GatewaySpecAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: >- + ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: >- + When a value is unspecified, an implementation SHOULD + automatically + + assign an address matching the requested type if + possible. + + + If an implementation does not support an empty value, + they MUST set the + + "Programmed" condition in status to False with a + reason of "AddressNotAssigned". + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. 
+ maxLength: 253 + type: string + type: object + x-kubernetes-validations: + - message: >- + Hostname value must be empty or contain only valid + characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: >- + self.type == 'Hostname' ? (!has(self.value) || + self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): + true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: >- + self.all(a1, a1.type == 'IPAddress' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) + && a2.value == a1.value) : true ) + - message: Hostname values must be unique + rule: >- + self.all(a1, a1.type == 'Hostname' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) + && a2.value == a1.value) : true ) + allowedListeners: + description: >- + AllowedListeners defines which ListenerSets can be attached + to this Gateway. + + The default value is to allow no ListenerSets. + properties: + namespaces: + default: + from: None + description: >- + Namespaces defines which namespaces ListenerSets can be + attached to this Gateway. + + The default value is to allow no ListenerSets. + properties: + from: + default: None + description: >- + From indicates where ListenerSets can attach to this + Gateway. Possible + + values are: + + + * Same: Only ListenerSets in the same namespace may + be attached to this Gateway. + + * Selector: ListenerSets in namespaces selected by + the selector may be attached to this Gateway. + + * All: ListenerSets in all namespaces may be + attached to this Gateway. + + * None: Only listeners defined in the Gateway's spec + are allowed + + + The default value None + enum: + - All + - Selector + - Same + - None + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". 
In that case, + + only ListenerSets in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other values of + "From". + properties: + matchExpressions: + description: >- + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector + that contains values, a key, and an operator + that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + gatewayClassName: + description: >- + GatewayClassName used for this Gateway. This is the name of + a + + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: >- + Infrastructure defines infrastructure level attributes about + this Gateway instance. 
+ + + Support: Extended + properties: + annotations: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. This + roughly matches Kubernetes + + annotation validation, although the length validation + in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Annotations that SHOULD be applied to any resources + created in response to this Gateway. + + + For implementations creating other Kubernetes objects, + this should be the `metadata.annotations` field on + resources. + + For other implementations, this refers to any relevant + (implementation specific) "annotations" concepts. + + + An implementation may chose to add additional + implementation-specific annotations as they see fit. + + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: >- + Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name + segment of up to 63 characters. + rule: >- + self.all(key, + key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: >- + If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in + total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: >- + LabelValue is the value of a label in the Gateway API. + This is used for validation + + of maps such as Gateway infrastructure labels. This + matches the Kubernetes + + label validation rules: + + * must be 63 characters or less (can be empty), + + * unless empty, must begin and end with an + alphanumeric character ([a-z0-9A-Z]), + + * could contain dashes (-), underscores (_), dots (.), + and alphanumerics between. 
+ + + Valid values include: + + + * MyValue + + * my.name + + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: >- + Labels that SHOULD be applied to any resources created + in response to this Gateway. + + + For implementations creating other Kubernetes objects, + this should be the `metadata.labels` field on resources. + + For other implementations, this refers to any relevant + (implementation specific) "labels" concepts. + + + An implementation may chose to add additional + implementation-specific labels as they see fit. + + + If an implementation maps these labels to Pods, or any + other resource that would need to be recreated when + labels + + change, it SHOULD clearly warn about this behavior in + documentation. + + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: >- + Label keys must be in the form of an optional DNS + subdomain prefix followed by a required name segment + of up to 63 characters. + rule: >- + self.all(key, + key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: >- + If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: >- + ParametersRef is a reference to a resource that contains + the configuration + + parameters corresponding to the Gateway. This is + optional if the + + controller does not require any additional + configuration. + + + This follows the same semantics as GatewayClass's + `parametersRef`, but on a per-Gateway basis + + + The Gateway's GatewayClass may provide its own + `parametersRef`. When both are specified, + + the merging behavior is implementation specific. + + It is generally recommended that GatewayClass provides + defaults that can be overridden by a Gateway. 
+ + + If the referent cannot be found, refers to an + unsupported kind, or when + + the data within that resource is malformed, the Gateway + SHOULD be + + rejected with the "Accepted" status condition set to + "False" and an + + "InvalidParameters" reason. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: >- + Listeners associated with this Gateway. Listeners define + + logical endpoints that are bound on this Gateway's + addresses. + + At least one Listener MUST be specified. + + + ## Distinct Listeners + + + Each Listener in a set of Listeners (for example, in a + single Gateway) + + MUST be _distinct_, in that a traffic flow MUST be able to + be assigned to + + exactly one listener. (This section uses "set of Listeners" + rather than + + "Listeners in a single Gateway" because implementations MAY + merge configuration + + from multiple Gateways onto a single data plane, and these + rules _also_ + + apply in that case). + + + Practically, this means that each listener in a set MUST + have a unique + + combination of Port, Protocol, and, if supported by the + protocol, Hostname. + + + Some combinations of port, protocol, and TLS settings are + considered + + Core support and MUST be supported by implementations based + on the objects + + they support: + + + HTTPRoute + + + 1. HTTPRoute, Port: 80, Protocol: HTTP + + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: + Terminate, TLS keypair provided + + + TLSRoute + + + 1. 
TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + + "Distinct" Listeners have the following property: + + + **The implementation can match inbound requests to a single + distinct + + Listener**. + + + When multiple Listeners share values for fields (for + + example, two Listeners with the same Port value), the + implementation + + can match requests to only one of the Listeners using other + + Listener fields. + + + When multiple listeners have the same value for the Protocol + field, then + + each of the Listeners with matching Protocol values MUST + have different + + values for other fields. + + + The set of fields that MUST be different for a Listener + differs per protocol. + + The following rules define the rules for what fields MUST be + considered for + + Listeners to be distinct with each protocol currently + defined in the + + Gateway API spec. + + + The set of listeners that all share a protocol value MUST + have _different_ + + values for _at least one_ of these fields to be distinct: + + + * **HTTP, HTTPS, TLS**: Port, Hostname + + * **TCP, UDP**: Port + + + One **very** important rule to call out involves what + happens when an + + implementation: + + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, + or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as + one with TCP + Protocol. + + In this case all the Listeners that share a port with the + + TCP Listener are not distinct and so MUST NOT be accepted. + + + If an implementation does not support TCP Protocol + Listeners, then the + + previous rule does not apply, and the TCP Listeners SHOULD + NOT be + + accepted. + + + Note that the `tls` field is not used for determining if a + listener is distinct, because + + Listeners that _only_ differ on TLS config will still + conflict in all cases. 
+ + + ### Listeners that are distinct only by Hostname + + + When the Listeners are distinct based only on Hostname, + inbound request + + hostnames MUST match from the most specific to least + specific Hostname + + values to choose the correct Listener and its associated set + of Routes. + + + Exact matches MUST be processed before wildcard matches, and + wildcard + + matches MUST be processed before fallback (empty Hostname + value) + + matches. For example, `"foo.example.com"` takes precedence + over + + `"*.example.com"`, and `"*.example.com"` takes precedence + over `""`. + + + Additionally, if there are multiple wildcard entries, more + specific + + wildcard entries must be processed before less specific + wildcard entries. + + For example, `"*.foo.example.com"` takes precedence over + `"*.example.com"`. + + + The precise definition here is that the higher the number of + dots in the + + hostname to the right of the wildcard character, the higher + the precedence. + + + The wildcard character will match any number of characters + _and dots_ to + + the left, however, so `"*.example.com"` will match both + + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + + ## Handling indistinct Listeners + + + If a set of Listeners contains Listeners that are not + distinct, then those + + Listeners are _Conflicted_, and the implementation MUST set + the "Conflicted" + + condition in the Listener Status to "True". + + + The words "indistinct" and "conflicted" are considered + equivalent for the + + purpose of this documentation. + + + Implementations MAY choose to accept a Gateway with some + Conflicted + + Listeners only if they only accept the partial Listener set + that contains + + no Conflicted Listeners. + + + Specifically, an implementation MAY accept a partial + Listener set subject to + + the following rules: + + + * The implementation MUST NOT pick one conflicting Listener + as the winner. + ALL indistinct Listeners must not be accepted for processing. 
+ * At least one distinct Listener MUST be present, or else + the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition + on the + + Gateway Status when the Gateway contains Conflicted + Listeners whether or + + not they accept the Gateway. That Condition SHOULD clearly + + indicate in the Message which Listeners are conflicted, and + which are + + Accepted. Additionally, the Listener status for those + listeners SHOULD + + indicate which Listeners are conflicted and not Accepted. + + + ## General Listener behavior + + + Note that, for all distinct Listeners, requests SHOULD match + at most one Listener. + + For example, if Listeners are defined for "foo.example.com" + and "*.example.com", a + + request to "foo.example.com" SHOULD only be routed using + routes attached + + to the "foo.example.com" Listener (and not the + "*.example.com" Listener). + + + This concept is known as "Listener Isolation", and it is an + Extended feature + + of Gateway API. Implementations that do not support Listener + Isolation MUST + + clearly document this, and MUST NOT claim support for the + + `GatewayHTTPListenerIsolation` feature. + + + Implementations that _do_ support Listener Isolation SHOULD + claim support + + for the Extended `GatewayHTTPListenerIsolation` feature and + pass the associated + + conformance tests. + + + ## Compatible Listeners + + + A Gateway's Listeners are considered _compatible_ if: + + + 1. They are distinct. + + 2. The implementation can serve them in compliance with the + Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to + vary across + + implementations. A combination that is compatible for one + implementation + + may not be compatible for another. 
+ + + For example, an implementation that cannot serve both TCP + and UDP listeners + + on the same address, or cannot mix HTTPS and generic TLS + listens on the same port + + would not consider those cases compatible, even though they + are distinct. + + + Implementations MAY merge separate Gateways onto a single + set of + + Addresses if all Listeners across all Gateways are + compatible. + + + In a future release the MinItems=1 requirement MAY be + dropped. + + + Support: Core + items: + description: >- + Listener embodies the concept of a logical endpoint where + a Gateway accepts + + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: >- + AllowedRoutes defines the types of routes that MAY be + attached to a + + Listener and the trusted namespaces where those Route + resources MAY be + + present. + + + Although a client request may match multiple route + rules, only one rule + + may ultimately receive the request. Matching + precedence MUST be + + determined in order of the following criteria: + + + * The most specific match as defined by the Route + type. + + * The oldest Route based on creation timestamp. For + example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route + appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this + Listener should be + + implemented. Invalid Route rules can be ignored + (sometimes that will mean + + the full Route). If a Route rule transitions from + valid to invalid, + + support for that Route rule should be dropped to + ensure consistency. For + + example, even if a filter specified by a Route rule is + invalid, the rest + + of the rules within that Route should still be + supported. 
+ + + Support: Core + properties: + kinds: + description: >- + Kinds specifies the groups and kinds of Routes + that are allowed to bind + + to this Gateway Listener. When unspecified or + empty, the kinds of Routes + + selected are determined using the Listener + protocol. + + + A RouteGroupKind MUST correspond to kinds of + Routes that are compatible + + with the application protocol specified in the + Listener's Protocol field. + + If an implementation does not support or recognize + this resource type, it + + MUST set the "ResolvedRefs" condition to False for + this Listener with the + + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: >- + Namespaces indicates namespaces from which Routes + may be attached to this + + Listener. This is restricted to the namespace of + this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: >- + From indicates where Routes will be selected + for this Gateway. Possible + + values are: + + + * All: Routes in all namespaces may be used by + this Gateway. + + * Selector: Routes in namespaces selected by + the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may + be used by this Gateway. 
+ + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". In that case, + + only Routes in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other + values of "From". + + + Support: Core + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: >- + Hostname specifies the virtual hostname to match for + protocol types that + + define this concept. When unspecified, all hostnames + are matched. 
This + + field is ignored for protocols that don't require + hostname based + + matching. + + + Implementations MUST apply Hostname matching + appropriately for each of + + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + + * HTTP: The Listener Hostname MUST match the Host + header of the request. + + * HTTPS: The Listener Hostname SHOULD match both the + SNI and Host header. + Note that this does not require the SNI and Host header to be the same. + The semantics of this are described in more detail below. + + To ensure security, Section 11.1 of RFC-6066 + emphasizes that server + + implementations that rely on SNI hostname matching + MUST also verify + + hostnames within the application protocol. + + + Section 9.1.2 of RFC-7540 provides a mechanism for + servers to reject the + + reuse of a connection by responding with the HTTP 421 + Misdirected Request + + status code. This indicates that the origin server has + rejected the + + request because it appears to have been misdirected. + + + To detect misdirected requests, Gateways SHOULD match + the authority of + + the requests with all the SNI hostname(s) configured + across all the + + Gateway Listeners on the same port and protocol: + + + * If another Listener has an exact match or more + specific wildcard entry, + the Gateway SHOULD return a 421. + * If the current Listener (selected by SNI matching + during ClientHello) + does not match the Host: + * If another Listener does match the Host, the Gateway SHOULD return a + 421. + * If no other Listener matches the Host, the Gateway MUST return a + 404. + + For HTTPRoute and TLSRoute resources, there is an + interaction with the + + `spec.hostnames` array. When both listener and route + specify hostnames, + + there MUST be an intersection between the values for a + Route to be + + accepted. For more information, refer to the Route + specific Hostnames + + documentation. 
+ + + Hostnames that are prefixed with a wildcard label + (`*.`) are interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, + but not `example.com`. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: >- + Name is the name of the Listener. This name MUST be + unique within a + + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: >- + Port is the network port. Multiple listeners may use + the + + same port, subject to the Listener compatibility + rules. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: >- + Protocol specifies the network protocol this listener + expects to receive. + + + Support: Core + maxLength: 255 + minLength: 1 + pattern: >- + ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: >- + TLS is the TLS configuration for the Listener. This + field is required if + + the Protocol field is "HTTPS" or "TLS". It is invalid + to set this field + + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in + ListenerTLSConfig is + + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out + of all + + available certificates for any TLS handshake. + + + Support: Core + properties: + certificateRefs: + description: >- + CertificateRefs contains a series of references to + Kubernetes objects that + + contains TLS certificates and private keys. 
These + certificates are used to + + establish a TLS handshake for requests that match + the hostname of the + + associated listener. + + + A single CertificateRef to a Kubernetes Secret has + "Core" support. + + Implementations MAY choose to support attaching + multiple certificates to + + a Listener, but this behavior is + implementation-specific. + + + References to a resource in different namespace + are invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the certificate + + to be attached. If a ReferenceGrant does not allow + this reference, the + + "ResolvedRefs" condition MUST be set to False for + this listener with the + + "RefNotPermitted" reason. + + + This field is required to have at least one + element when the mode is set + + to "Terminate" (default) and is optional + otherwise. + + + CertificateRefs can reference to standard + Kubernetes resources, i.e. + + Secret, or implementation-specific custom + resources. + + + Support: Core - A single reference to a Kubernetes + Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one + reference or other resource types) + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the + Group and Kind must + + be registered in the cluster for this reference + to be valid. + + + References to objects with invalid Group and + Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: >- + Mode defines the TLS behavior for the TLS session + initiated by the client. + + There are two possible modes: + + + - Terminate: The TLS session between the + downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated + by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. 
This + roughly matches Kubernetes + + annotation validation, although the length + validation in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable + extended TLS + + configuration for each implementation. For + example, configuring the + + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in + the future. To avoid + + any ambiguity, implementation-specific definitions + MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names + defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: >- + certificateRefs or options must be specified when + mode is Terminate + rule: >- + self.mode == 'Terminate' ? + size(self.certificateRefs) > 0 || + size(self.options) > 0 : true + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['HTTP', 'TCP', 'UDP'] ? + !has(l.tls) : true) + - message: tls mode must be Terminate for protocol HTTPS + rule: >- + self.all(l, (l.protocol == 'HTTPS' && has(l.tls)) ? + (l.tls.mode == '' || l.tls.mode == 'Terminate') : true) + - message: tls mode must be set for protocol TLS + rule: >- + self.all(l, (l.protocol == 'TLS' ? has(l.tls) && + has(l.tls.mode) && l.tls.mode != '' : true)) + - message: >- + hostname must not be specified for protocols ['TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['TCP', 'UDP'] ? 
+ (!has(l.hostname) || l.hostname == '') : true) + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: >- + Combination of port, protocol and hostname must be + unique for each listener + rule: >- + self.all(l1, self.exists_one(l2, l1.port == l2.port && + l1.protocol == l2.protocol && (has(l1.hostname) && + has(l2.hostname) ? l1.hostname == l2.hostname : + !has(l1.hostname) && !has(l2.hostname)))) + tls: + description: >- + TLS specifies frontend and backend tls configuration for + entire gateway. + + + Support: Extended + properties: + backend: + description: >- + Backend describes TLS configuration for gateway when + connecting + + to backends. + + + Note that this contains only details for the Gateway as + a TLS client, + + and does _not_ imply behavior about how to choose which + backend should + + get a TLS connection. That is determined by the presence + of a BackendTLSPolicy. + + + Support: Core + properties: + clientCertificateRef: + description: >- + ClientCertificateRef references an object that + contains a client certificate + + and its associated private key. It can reference + standard Kubernetes resources, + + i.e., Secret, or implementation-specific custom + resources. + + + A ClientCertificateRef is considered invalid if: + + + * It refers to a resource that cannot be resolved + (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace + UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. 
+ If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further + validation of the certificate + + content (e.g., checking expiry or enforcing specific + formats). In such cases, + + an implementation-specific Reason and Message MUST + be set. + + + Support: Core - Reference to a Kubernetes TLS Secret + (with the type `kubernetes.io/tls`). + + Support: Implementation-specific - Other resource + kinds or Secrets with a + + different type (e.g., `Opaque`). + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: >- + Frontend describes TLS config when client connects to + Gateway. 
+ + Support: Core + properties: + default: + description: >- + Default specifies the default client certificate + validation configuration + + for all Listeners handling HTTPS traffic, unless a + per-port configuration + + is defined. + + + support: Core + properties: + validation: + description: >- + Validation holds configuration information for + validating the frontend (client). + + Setting this field will result in mutual + authentication when connecting to the gateway. + + In browsers this may result in a dialog + appearing + + that requests a user to specify the client + certificate. + + The maximum depth of a certificate chain + accepted in verification is Implementation + specific. + + + Support: Core + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more + references to Kubernetes + + objects that contain a PEM-encoded TLS CA + certificate bundle, which + + is used as a trust anchor to validate the + certificates presented by + + the client. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be + resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported + kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another + namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. 
If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform + further validation of the + + certificate content (e.g., checking expiry + or enforcing specific formats). + + In such cases, an implementation-specific + Reason and Message MUST be set. + + + In all cases, the implementation MUST ensure + that the `ResolvedRefs` + + condition is set to `status: False` on all + targeted listeners (i.e., + + listeners serving HTTPS on a matching port). + The condition MUST + + include a Reason and Message that indicate + the cause of the error. If + + ALL CACertificateRefs are invalid, the + implementation MUST also ensure + + the `Accepted` condition on the listener is + set to `status: False`, with + + the Reason `NoValidCACertificate`. + + Implementations MAY choose to support + attaching multiple CA certificates + + to a listener, but this behavior is + implementation-specific. + + + Support: Core - A single reference to a + Kubernetes ConfigMap, with the + + CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More than + one reference, other kinds + + of resources, or a single reference that + includes multiple certificates. + items: + description: >- + ObjectReference identifies an API object + including its namespace. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group + and Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When set to the empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: >- + FrontendValidationMode defines the mode for + validating the client certificate. + + There are two possible modes: + + + - AllowValidOnly: In this mode, the gateway + will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the + gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. 
+ + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: >- + PerPort specifies tls configuration assigned per + port. + + Per port configuration is optional. Once set this + configuration overrides + + the default configuration for all Listeners handling + HTTPS traffic + + that match this port. + + Each override port requires a unique TLS + configuration. + + + support: Core + items: + properties: + port: + description: >- + The Port indicates the Port Number to which + the TLS configuration will be + + applied. This configuration will be applied to + all Listeners handling HTTPS + + traffic that match this port. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: >- + TLS store the configuration that will be + applied to all Listeners handling + + HTTPS traffic and matching given port. + + + Support: Core + properties: + validation: + description: >- + Validation holds configuration information + for validating the frontend (client). + + Setting this field will result in mutual + authentication when connecting to the + gateway. + + In browsers this may result in a dialog + appearing + + that requests a user to specify the client + certificate. + + The maximum depth of a certificate chain + accepted in verification is Implementation + specific. + + + Support: Core + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more + references to Kubernetes + + objects that contain a PEM-encoded TLS + CA certificate bundle, which + + is used as a trust anchor to validate + the certificates presented by + + the client. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be + resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). 
In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported + kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another + namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform + further validation of the + + certificate content (e.g., checking + expiry or enforcing specific formats). + + In such cases, an + implementation-specific Reason and + Message MUST be set. + + + In all cases, the implementation MUST + ensure that the `ResolvedRefs` + + condition is set to `status: False` on + all targeted listeners (i.e., + + listeners serving HTTPS on a matching + port). The condition MUST + + include a Reason and Message that + indicate the cause of the error. If + + ALL CACertificateRefs are invalid, the + implementation MUST also ensure + + the `Accepted` condition on the listener + is set to `status: False`, with + + the Reason `NoValidCACertificate`. + + Implementations MAY choose to support + attaching multiple CA certificates + + to a listener, but this behavior is + implementation-specific. + + + Support: Core - A single reference to a + Kubernetes ConfigMap, with the + + CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More + than one reference, other kinds + + of resources, or a single reference that + includes multiple certificates. 
+ items: + description: >- + ObjectReference identifies an API object + including its namespace. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group + and Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When set to the empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: >- + FrontendValidationMode defines the mode + for validating the client certificate. + + There are two possible modes: + + + - AllowValidOnly: In this mode, the + gateway will accept connections only if + the client presents a valid certificate. 
This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, + the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + Port for TLS configuration must be unique within + the Gateway + rule: >- + self.all(t1, self.exists_one(t2, t1.port == + t2.port)) + required: + - default + type: object + type: object + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: >- + Addresses lists the network addresses that have been bound + to the + + Gateway. + + + This list may differ from the addresses provided in the spec + under some + + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + items: + description: >- + GatewayStatusAddress describes a network address that is + bound to a Gateway. 
+ oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: >- + ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: >- + Value of the address. The validity of the values will + depend + + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: >- + Hostname value must only contain valid characters + (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: >- + self.type == 'Hostname' ? + self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + attachedListenerSets: + description: >- + AttachedListenerSets represents the total number of + ListenerSets that have been + + successfully attached to this Gateway. + + + A ListenerSet is successfully attached to a Gateway when all + the following conditions are met: + + - The ListenerSet is selected by the Gateway's + AllowedListeners field + + - The ListenerSet has a valid ParentRef selecting the + Gateway + + - The ListenerSet's status has the condition "Accepted: + true" + + + Uses for this field include troubleshooting + AttachedListenerSets attachment and + + measuring blast radius/impact of changes to a Gateway. 
+ format: int32 + type: integer + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: >- + Conditions describe the current conditions of the Gateway. + + + Implementations should prefer to express Gateway conditions + + using the `GatewayConditionType` and + `GatewayConditionReason` + + constants so that operators and tools can converge on a + common + + vocabulary to describe Gateway state. + + + Known condition types are: + + + * "Accepted" + + * "Programmed" + + * "Ready" + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
+ + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: >- + Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: >- + AttachedRoutes represents the total number of Routes + that have been + + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is + based solely on the + + combination of the AllowedRoutes field on the + corresponding Listener + + and the Route's ParentRefs field. A Route is + successfully attached to + + a Listener when it is selected by the Listener's + AllowedRoutes field + + AND the Route has a valid ParentRef selecting the + whole Gateway + + resource or a specific Listener as a parent resource + (more detail on + + attachment semantics can be found in the documentation + on the various + + Route kinds ParentRefs fields). Listener or Route + status does not impact + + successful attachment, i.e. 
the AttachedRoutes field + count MUST be set + + for Listeners, even if the Accepted condition of an + individual Listener is set + + to "False". The AttachedRoutes number represents the + number of Routes with + + the Accepted condition set to "True" that have been + attached to this Listener. + + Routes with any other value for the Accepted condition + MUST NOT be included + + in this count. + + + Uses for this field include troubleshooting Route + attachment and + + measuring blast radius/impact of changes to a + Listener. + format: int32 + type: integer + conditions: + description: >- + Conditions describe the current condition of this + listener. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. 
+ + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: >- + Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: >- + SupportedKinds is the list indicating the Kinds + supported by this + + listener. This MUST represent the kinds supported by + an implementation for + + that Listener configuration. + + + If kinds are specified in Spec that are not supported, + they MUST NOT + + appear in this list and an implementation MUST set the + "ResolvedRefs" + + condition to "False" with the "InvalidRouteKinds" + reason. If both valid + + and invalid Route kinds are specified, the + implementation MUST + + reference the valid Route kinds that have been + specified. + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/grpcroutes.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/grpcroutes.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..7fa7882 --- /dev/null +++ b/_/CustomResourceDefinition/grpcroutes.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,3295 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + GRPCRoute provides a way to route gRPC requests. This includes the + capability + + to match requests by hostname, gRPC service, gRPC method, or HTTP/2 + header. + + Filters can be used to specify additional processing steps. Backends + specify + + where matching requests will be routed. + + + GRPCRoute falls under extended support within the Gateway API. + Within the + + following specification, the word "MUST" indicates that an + implementation + + supporting GRPCRoute must conform to the indicated requirement, but + an + + implementation not supporting this route type need not follow the + requirement + + unless explicitly indicated. + + + Implementations supporting `GRPCRoute` with the `HTTPS` + `ProtocolType` MUST + + accept HTTP/2 connections without an initial upgrade from HTTP/1.1, + i.e. via + + ALPN. If the implementation does not support this, then it MUST set + the + + "Accepted" condition to "False" for the affected listener with a + reason of + + "UnsupportedProtocol". Implementations MAY also accept HTTP/2 + connections + + with an upgrade from HTTP/1. 
+ + + Implementations supporting `GRPCRoute` with the `HTTP` + `ProtocolType` MUST + + support HTTP/2 over cleartext TCP (h2c, + + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an + initial + + upgrade from HTTP/1.1, i.e. with prior knowledge + + (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the + implementation + + does not support this, then it MUST set the "Accepted" condition to + "False" + + for the affected listener with a reason of "UnsupportedProtocol". + + Implementations MAY also accept HTTP/2 connections with an upgrade + from + + HTTP/1, i.e. without prior knowledge. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: >- + Hostnames defines a set of hostnames to match against the + GRPC + + Host header to select a GRPCRoute to process the request. + This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + + 1. IPs are not allowed. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label MUST appear by itself as the first label. 
+ + If a hostname is specified by both the Listener and + GRPCRoute, there + + MUST be at least one intersecting hostname for the GRPCRoute + to be + + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches + GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches + GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are + interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, but not + `example.com`. + + + If both the Listener and GRPCRoute have specified hostnames, + any + + GRPCRoute hostnames that do not match the Listener hostname + MUST be + + ignored. For example, if a Listener specified + `*.example.com`, and the + + GRPCRoute specified `test.example.com` and + `test.example.net`, + + `test.example.net` MUST NOT be considered for a match. + + + If both the Listener and GRPCRoute have specified hostnames, + and none + + match with the criteria above, then the GRPCRoute MUST NOT + be accepted by + + the implementation. The implementation MUST raise an + 'Accepted' Condition + + with a status of `False` in the corresponding + RouteParentStatus. 
+ + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to + a + + Listener and that listener already has another Route (B) of + the other + + type attached and the intersection of the hostnames of A and + B is + + non-empty, then the implementation MUST accept exactly one + of these two + + routes, determined by the following criteria, in order: + + + * The oldest Route based on creation timestamp. + + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + The rejected Route MUST raise an 'Accepted' condition with a + status of + + 'False' in the corresponding RouteParentStatus. + + + Support: Core + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. 
For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. 
+ + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. 
+ + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: >- + GRPCRouteRule defines the semantics for matching a gRPC + request based on + + conditions (matches), processing it (filters), and + forwarding the request to + + an API object (backendRefs). + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. + + + Failure behavior here depends on how many BackendRefs + are specified and + + how many are invalid. 
+ + + If *all* entries in BackendRefs are invalid, and there + are also no filters + + specified in this route rule, *all* traffic which + matches this rule MUST + + receive an `UNAVAILABLE` status. + + + See the GRPCBackendRef definition for the rules about + what makes a single + + GRPCBackendRef invalid. + + + When a GRPCBackendRef is invalid, `UNAVAILABLE` + statuses MUST be returned for + + requests that would have otherwise been routed to an + invalid backend. If + + multiple backends are specified, and some are invalid, + the proportion of + + requests that would otherwise have been routed to an + invalid backend + + MUST receive an `UNAVAILABLE` status. + + + For example, if two backends are specified with equal + weights, and one is + + invalid, 50 percent of traffic MUST receive an + `UNAVAILABLE` status. + + Implementations may choose how that 50 percent is + determined. + + + Support: Core for Kubernetes Service + + + Support: Implementation-specific for any other + resource + + + Support for weight: Core + items: + description: >- + GRPCBackendRef defines how a GRPCRoute forwards a + gRPC request. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + properties: + filters: + description: >- + Filters defined at this level MUST be executed + if and only if the + + request is being forwarded to the backend + defined here. + + + Support: Implementation-specific (For broader + support of filters, use the + + Filters field in GRPCRouteRule.) + items: + description: >- + GRPCRouteFilter defines processing steps that + must be completed during the + + request or response lifecycle. + GRPCRouteFilters are meant as an extension + + point to express processing that may be done + in Gateway implementations. 
Some + + examples include request or response + modification, implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the + type of the filter. + properties: + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef + MUST NOT be used for core and + + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times + within the same rule. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for + a filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. 
Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a + filter that mirrors requests. + + Requests are sent to the specified + destination, but responses from + + that destination are ignored. + + + This filter can be used multiple times + within the same rule. Note that + + not all implementations will be able to + support mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of + how many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. 
+ + + If there is a cross-namespace reference + to an *existing* object + + that is not allowed by a ReferenceGrant, + the controller must ensure the + + "ResolvedRefs" condition on the Route + is set to `status: False`, + + with the "RefNotPermitted" reason and + not configure this backend in the + + underlying implementation. + + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail + about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. 
+ + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of + requests that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum + value is 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: >- + !(has(self.percent) && + has(self.fraction)) + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema + for a filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. 
Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to + apply. As with other API fields, + + types are classified into three + conformance levels: + + + - Core: Filter types and their + corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". 
All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their + corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that + are defined and supported by specific + vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define + custom implementation types to + + extend the core API with + implementation-specific behavior. + + + If a reference to a custom filter type + cannot be resolved, the filter + + MUST NOT be skipped. Instead, requests + that would have been processed by + + that filter MUST receive a HTTP error + response. 
+ enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.requestHeaderModifier must be nil + if the filter.type is not + RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && + self.type != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be + specified for RequestHeaderModifier + filter.type + rule: >- + !(!has(self.requestHeaderModifier) && + self.type == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil + if the filter.type is not + ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && + self.type != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be + specified for ResponseHeaderModifier + filter.type + rule: >- + !(!has(self.responseHeaderModifier) && + self.type == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type == + 'RequestMirror') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + RequestHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: >- + ResponseHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 
'ResponseHeaderModifier').size() <= 1 + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. 
+ + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: >- + Filters define the filters that are applied to + requests that match + + this rule. + + + The effects of ordering of multiple behaviors are + currently unspecified. + + This can change in the future based on feedback during + the alpha stage. + + + Conformance-levels at this level are defined based on + the type of filter: + + + - ALL core filters MUST be supported by all + implementations that support + GRPCRoute. + - Implementers are encouraged to support extended + filters. + + - Implementation-specific custom filters have no API + guarantees across + implementations. + + Specifying the same filter multiple times is not + supported unless explicitly + + indicated in the filter. 
+ + + If an implementation cannot support a combination of + filters, it must clearly + + document that limitation. In cases where incompatible + or unsupported + + filters are specified and cause the `Accepted` + condition to be set to status + + `False`, implementations may use the + `IncompatibleFilters` reason to specify + + this configuration error. + + + Support: Core + items: + description: >- + GRPCRouteFilter defines processing steps that must + be completed during the + + request or response lifecycle. GRPCRouteFilters are + meant as an extension + + point to express processing that may be done in + Gateway implementations. Some + + examples include request or response modification, + implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef MUST NOT + be used for core and + + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within + the same rule. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for a + filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a filter that + mirrors requests. + + Requests are sent to the specified destination, + but responses from + + that destination are ignored. + + + This filter can be used multiple times within + the same rule. Note that + + not all implementations will be able to support + mirroring to multiple + + backends. 
+ + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of how + many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference to + an *existing* object + + that is not allowed by a ReferenceGrant, the + controller must ensure the + + "ResolvedRefs" condition on the Route is + set to `status: False`, + + with the "RefNotPermitted" reason and not + configure this backend in the + + underlying implementation. + + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail about + the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). 
+ Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of requests + that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum value is + 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema for a + filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. 
Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to apply. As + with other API fields, + + types are classified into three conformance + levels: + + + - Core: Filter types and their corresponding + configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their corresponding + configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are + defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom + implementation types to + + extend the core API with implementation-specific + behavior. + + + If a reference to a custom filter type cannot be + resolved, the filter + + MUST NOT be skipped. Instead, requests that + would have been processed by + + that filter MUST receive a HTTP error response. 
+ enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && self.type + != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: >- + !(!has(self.requestHeaderModifier) && self.type + == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && self.type + != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: >- + !(!has(self.responseHeaderModifier) && self.type + == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type == + 'RequestMirror') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + 
matches: + description: >- + Matches define conditions used for matching the rule + against incoming + + gRPC requests. Each match is independent, i.e. this + rule will be matched + + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + + matches: + + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` + + + For a request to match against this rule, it MUST + satisfy + + EITHER of the two conditions: + + + - service of foo.bar AND contains the header `version: + 2` + + - service of foo.bar.v2 + + + See the documentation for GRPCRouteMatch on how to + specify multiple + + match conditions to be ANDed together. + + + If no matches are specified, the implementation MUST + match every gRPC request. + + + Proxy or Load Balancer routing configuration generated + from GRPCRoutes + + MUST prioritize rules based on the following criteria, + continuing on + + ties. Merging MUST not be done between GRPCRoutes and + HTTPRoutes. + + Precedence MUST be given to the rule with the largest + number of: + + + * Characters in a matching non-wildcard hostname. + + * Characters in a matching hostname. + + * Characters in a matching service. + + * Characters in a matching method. + + * Header matches. + + + If ties still exist across multiple Routes, matching + precedence MUST be + + determined in order of the following criteria, + continuing on ties: + + + * The oldest Route based on creation timestamp. + + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within the Route that has been + given precedence, + + matching precedence MUST be granted to the first + matching rule meeting + + the above criteria. + items: + description: >- + GRPCRouteMatch defines the predicate used to match + requests to a given + + action. Multiple match types are ANDed together, + i.e. 
the match will + + evaluate to true only if all conditions are + satisfied. + + + For example, the match below will match a gRPC + request only if its service + + is `foo` AND it contains the `version: v1` header: + + + ``` + + matches: + - method: + type: Exact + service: "foo" + - headers: + name: "version" + value "v1" + + ``` + properties: + headers: + description: >- + Headers specifies gRPC request header matchers. + Multiple match values are + + ANDed together, meaning, a request MUST match + all the specified headers + + to select the route. + items: + description: >- + GRPCHeaderMatch describes how to select a gRPC + route by matching gRPC request + + headers. + properties: + name: + description: >- + Name is the name of the gRPC Header to be + matched. + + + If multiple entries specify equivalent + header names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent header name + MUST be ignored. Due to the + + case-insensitivity of header names, "foo" + and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of the gRPC Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: >- + Method specifies a gRPC request service/method + matcher. If this field is + + not specified, all services and methods will + match. + properties: + method: + description: >- + Value of the method to match against. If + left empty or omitted, will + + match all services. + + + At least one of Service and Method MUST be a + non-empty string. 
+ maxLength: 1024 + type: string + service: + description: >- + Value of the service to match against. If + left empty or omitted, will + + match any service. + + + At least one of Service and Method MUST be a + non-empty string. + maxLength: 1024 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + service and/or method. + + Support: Core (Exact with service and method + specified) + + + Support: Implementation-specific (Exact with + method specified but no service specified) + + + Support: Implementation-specific + (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: >- + One or both of 'service' or 'method' must be + specified + rule: >- + has(self.type) ? has(self.service) || + has(self.method) : true + - message: >- + service must only contain valid characters + (matching + ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: >- + (!has(self.type) || self.type == 'Exact') && + has(self.service) ? + self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true + - message: >- + method must only contain valid characters + (matching ^[A-Za-z_][A-Za-z_0-9]*$) + rule: >- + (!has(self.type) || self.type == 'Exact') && + has(self.method) ? + self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. 
+ + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must + be less than 128 + rule: >- + (self.size() > 0 ? (has(self[0].matches) ? + self[0].matches.size() : 0) : 0) + (self.size() > 1 ? + (has(self[1].matches) ? self[1].matches.size() : 0) : 0) + + (self.size() > 2 ? (has(self[2].matches) ? + self[2].matches.size() : 0) : 0) + (self.size() > 3 ? + (has(self[3].matches) ? self[3].matches.size() : 0) : 0) + + (self.size() > 4 ? (has(self[4].matches) ? + self[4].matches.size() : 0) : 0) + (self.size() > 5 ? + (has(self[5].matches) ? self[5].matches.size() : 0) : 0) + + (self.size() > 6 ? (has(self[6].matches) ? + self[6].matches.size() : 0) : 0) + (self.size() > 7 ? + (has(self[7].matches) ? self[7].matches.size() : 0) : 0) + + (self.size() > 8 ? (has(self[8].matches) ? + self[8].matches.size() : 0) : 0) + (self.size() > 9 ? + (has(self[9].matches) ? self[9].matches.size() : 0) : 0) + + (self.size() > 10 ? (has(self[10].matches) ? + self[10].matches.size() : 0) : 0) + (self.size() > 11 ? + (has(self[11].matches) ? self[11].matches.size() : 0) : + 0) + (self.size() > 12 ? (has(self[12].matches) ? + self[12].matches.size() : 0) : 0) + (self.size() > 13 ? + (has(self[13].matches) ? self[13].matches.size() : 0) : + 0) + (self.size() > 14 ? (has(self[14].matches) ? + self[14].matches.size() : 0) : 0) + (self.size() > 15 ? + (has(self[15].matches) ? self[15].matches.size() : 0) : + 0) <= 128 + type: object + status: + description: Status defines the current state of GRPCRoute. 
+ properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. 
+ + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. 
+ + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. 
+ + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/httproutefilters.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/httproutefilters.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..75bddd1 --- /dev/null +++ b/_/CustomResourceDefinition/httproutefilters.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,621 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: httproutefilters.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: HTTPRouteFilter + listKind: HTTPRouteFilterList + plural: httproutefilters + shortNames: + - hrf + singular: httproutefilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which + provides extended + + traffic processing options such as path regex rewrite, direct + response and more. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRouteFilter. + properties: + credentialInjection: + description: >- + HTTPCredentialInjectionFilter defines the configuration to + inject credentials into the request. + + This is useful when the backend service requires credentials + in the request, and the original + + request does not contain them. 
The filter can inject + credentials into the request before forwarding + + it to the backend service. + properties: + credential: + description: Credential is the credential to be injected. + properties: + valueRef: + description: >- + ValueRef is a reference to the secret containing the + credentials to be injected. + + This is an Opaque secret. The credential should be + stored in the key + + "credential", and the value should be the credential + to be injected. + + For example, for basic authentication, the value + should be "Basic ". + + for bearer token, the value should be "Bearer + ". + + Note: The secret must be in the same namespace as + the HTTPRouteFilter. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - valueRef + type: object + header: + description: >- + Header is the name of the header where the credentials + are injected. 
+ + If not specified, the credentials are injected into the + Authorization header. + type: string + overwrite: + description: >- + Whether to overwrite the value or not if the injected + headers already exist. + + If not specified, the default value is false. + type: boolean + required: + - credential + type: object + directResponse: + description: >- + HTTPDirectResponseFilter defines the configuration to return + a fixed response. + properties: + body: + description: Body of the direct response. + properties: + inline: + description: Inline contains the value as an inline string. + type: string + type: + allOf: + - enum: + - Inline + - ValueRef + - enum: + - Inline + - ValueRef + default: Inline + description: >- + Type is the type of method to use to read the body + value. + + Valid values are Inline and ValueRef, default is + Inline. + type: string + valueRef: + description: >- + ValueRef contains the contents of the body + + specified as a local object reference. + + Only a reference to ConfigMap is supported. + + + The value of key `response.body` in the ConfigMap + will be used as the response body. + + If the key is not found, the first value in the + ConfigMap will be used. + properties: + group: + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: inline must be set for type Inline + rule: >- + (!has(self.type) || self.type == 'Inline')? + has(self.inline) : true + - message: valueRef must be set for type ValueRef + rule: >- + (has(self.type) && self.type == 'ValueRef')? + has(self.valueRef) : true + - message: only ConfigMap is supported for ValueRef + rule: >- + has(self.valueRef) ? self.valueRef.kind == + 'ConfigMap' : true + contentType: + description: >- + Content Type of the direct response. This will be set in + the Content-Type header. + type: string + header: + description: Header defines the headers of the direct response. + properties: + add: + description: >- + Add adds the given header(s) (name, value) to the + request + + before the action. It appends to any existing values + associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP request + before the action. The + + value of Remove is a list of HTTP header names. Note + that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given header + (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + x-kubernetes-validations: + - message: header.remove is not supported for DirectResponse + rule: '!has(self.remove) || size(self.remove) == 0' + statusCode: + description: |- + Status Code of the HTTP response + If unset, defaults to 200. + type: integer + type: object + matches: + description: >- + Matches defines additional matching criteria for the + HTTPRoute rule. + + As with HTTPRouteRule.Matches, the rule is matched if any + one match applies. + + When both HTTPRouteRule.Matches and HTTPRouteFilter.Matches + are set, the + + effective matching is the logical AND of the two sets. + items: + description: >- + HTTPRouteMatchFilter defines additional matching criteria + for the HTTPRoute rule. + + At least one matcher must be specified. + minProperties: 1 + properties: + cookies: + description: >- + Cookies is a list of cookie matchers evaluated against + the HTTP request. + + All specified matchers must match. + items: + description: >- + HTTPCookieMatch defines how to match a single + cookie. + properties: + name: + description: Name is the cookie name to evaluate. + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the value of + the cookie. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the cookie value to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 8 + type: array + urlRewrite: + description: >- + HTTPURLRewriteFilter define rewrites of HTTP URL components + such as path and host + properties: + hostname: + description: >- + Hostname is the value to be used to replace the Host + header value during + + forwarding. + properties: + header: + description: >- + Header is the name of the header whose value would + be used to rewrite the Host header + type: string + type: + description: >- + HTTPPathModifierType defines the type of Hostname + rewrite. + enum: + - Header + - Backend + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: header must be nil if the type is not Header + rule: '!(has(self.header) && self.type != ''Header'')' + - message: header must be specified for Header type + rule: '!(!has(self.header) && self.type == ''Header'')' + path: + description: Path defines a path rewrite. + properties: + replaceRegexMatch: + description: >- + ReplaceRegexMatch defines a path regex rewrite. The + path portions matched by the regex pattern are + replaced by the defined substitution. + + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite + + Some examples: + + (1) replaceRegexMatch: + pattern: ^/service/([^/]+)(/.*)$ + substitution: \2/instance/\1 + Would transform /service/foo/v1/api into /v1/api/instance/foo. + (2) replaceRegexMatch: + pattern: one + substitution: two + Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz. + (3) replaceRegexMatch: + pattern: ^(.*?)one(.*)$ + substitution: \1two\2 + Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz. + (3) replaceRegexMatch: + pattern: (?i)/xxx/ + substitution: /yyy/ + Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). 
+ properties: + pattern: + description: >- + Pattern matches a regular expression against the + value of the HTTP Path.The regex string must + + adhere to the syntax documented in + https://github.com/google/re2/wiki/Syntax. + minLength: 1 + type: string + substitution: + description: >- + Substitution is an expression that replaces the + matched portion.The expression may include + numbered + + capture groups that adhere to syntax documented + in https://github.com/google/re2/wiki/Syntax. + type: string + required: + - pattern + - substitution + type: object + type: + description: >- + HTTPPathModifierType defines the type of path + redirect or rewrite. + enum: + - ReplaceRegexMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If HTTPPathModifier type is ReplaceRegexMatch, + replaceRegexMatch field needs to be set. + rule: >- + self.type == 'ReplaceRegexMatch' ? + has(self.replaceRegexMatch) : + !has(self.replaceRegexMatch) + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/_/CustomResourceDefinition/httproutes.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/httproutes.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..c25a82e --- /dev/null +++ b/_/CustomResourceDefinition/httproutes.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,11661 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + HTTPRoute provides a way to route HTTP requests. This includes the + capability + + to match requests by hostname, path, header, or query param. Filters + can be + + used to specify additional processing steps. Backends specify where + matching + + requests should be routed. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. 
+ properties: + hostnames: + description: >- + Hostnames defines a set of hostnames that should match + against the HTTP Host + + header to select a HTTPRoute used to process the request. + Implementations + + MUST ignore any port value specified in the HTTP Host header + while + + performing a match and (absent of any applicable header + modification + + configuration) MUST forward this header unmodified to the + backend. + + + Valid values for Hostnames are determined by RFC 1123 + definition of a + + hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and + HTTPRoute, there + + must be at least one intersecting hostname for the HTTPRoute + to be + + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches + HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches + HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are + interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, but not + `example.com`. + + + If both the Listener and HTTPRoute have specified hostnames, + any + + HTTPRoute hostnames that do not match the Listener hostname + MUST be + + ignored. 
For example, if a Listener specified + `*.example.com`, and the + + HTTPRoute specified `test.example.com` and + `test.example.net`, + + `test.example.net` must not be considered for a match. + + + If both the Listener and HTTPRoute have specified hostnames, + and none + + match with the criteria above, then the HTTPRoute is not + accepted. The + + implementation must raise an 'Accepted' Condition with a + status of + + `False` in the corresponding RouteParentStatus. + + + In the event that multiple HTTPRoutes specify intersecting + hostnames (e.g. + + overlapping wildcard matching and exact matching hostnames), + precedence must + + be given to rules from the HTTPRoute with the largest number + of: + + + * Characters in a matching non-wildcard hostname. + + * Characters in a matching hostname. + + + If ties exist across multiple Routes, the matching + precedence rules for + + HTTPRouteMatches takes over. + + + Support: Core + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. 
+ * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. 
If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: >- + HTTPRouteRule defines semantics for matching an HTTP + request based on + + conditions (matches), processing it (filters), and + forwarding the request to + + an API object (backendRefs). 
+ properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. + + + Failure behavior here depends on how many BackendRefs + are specified and + + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there + are also no filters + + specified in this route rule, *all* traffic which + matches this rule MUST + + receive a 500 status code. + + + See the HTTPBackendRef definition for the rules about + what makes a single + + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes + MUST be returned for + + requests that would have otherwise been routed to an + invalid backend. If + + multiple backends are specified, and some are invalid, + the proportion of + + requests that would otherwise have been routed to an + invalid backend + + MUST receive a 500 status code. + + + For example, if two backends are specified with equal + weights, and one is + + invalid, 50 percent of traffic must receive a 500. + Implementations may + + choose how that 50 percent is determined. + + + When a HTTPBackendRef refers to a Service that has no + ready endpoints, + + implementations SHOULD return a 503 for requests to + that backend instead. + + If an implementation chooses to do this, all of the + above rules for 500 responses + + MUST also apply for responses that return a 503. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Core + items: + description: >- + HTTPBackendRef defines how a HTTPRoute forwards a + HTTP request. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. 
+ properties: + filters: + description: >- + Filters defined at this level should be executed + if and only if the + + request is being forwarded to the backend + defined here. + + + Support: Implementation-specific (For broader + support of filters, use the + + Filters field in HTTPRouteRule.) + items: + description: >- + HTTPRouteFilter defines processing steps that + must be completed during the + + request or response lifecycle. + HTTPRouteFilters are meant as an extension + + point to express processing that may be done + in Gateway implementations. Some + + examples include request or response + modification, implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the + type of the filter. + properties: + cors: + description: >- + CORS defines a schema for a filter that + responds to the + + cross-origin request based on HTTP + response header. + + + Support: Extended + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether the + actual cross-origin request allows + + to include credentials. + + + When set to true, the gateway will + include the + `Access-Control-Allow-Credentials` + + response header with value true + (case-sensitive). + + + When set to false or omitted the gateway + will omit the header + + `Access-Control-Allow-Credentials` + entirely (this is the standard CORS + + behavior). + + + Support: Extended + type: boolean + allowHeaders: + description: >- + AllowHeaders indicates which HTTP + request headers are supported for + + accessing the requested resource. + + + Header names are not case-sensitive. + + + Multiple header names in the value of + the `Access-Control-Allow-Headers` + + response header are separated by a comma + (","). 
+ + + When the `AllowHeaders` field is + configured with one or more headers, the + + gateway must return the + `Access-Control-Allow-Headers` response + header + + which value is present in the + `AllowHeaders` field. + + + If any header name in the + `Access-Control-Request-Headers` request + header + + is not included in the list of header + names specified by the response + + header `Access-Control-Allow-Headers`, + it will present an error on the + + client side. + + + If any header name in the + `Access-Control-Allow-Headers` response + header + + does not recognize by the client, it + will also occur an error on the + + client side. + + + A wildcard indicates that the requests + with all HTTP headers are allowed. + + If config contains the wildcard "*" in + allowHeaders and the request is + + not credentialed, the + `Access-Control-Allow-Headers` response + header + + can either use the `*` wildcard or the + value of + + Access-Control-Request-Headers from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Headers` response + header. When + + also the `AllowCredentials` field is + true and `AllowHeaders` field + + is specified with the `*` wildcard, the + gateway must specify one or more + + HTTP headers in the value of the + `Access-Control-Allow-Headers` response + + header. The value of the header + `Access-Control-Allow-Headers` is same + as + + the `Access-Control-Request-Headers` + header provided by the client. If + + the header + `Access-Control-Request-Headers` is not + included in the + + request, the gateway will omit the + `Access-Control-Allow-Headers` + + response header, instead of specifying + the `*` wildcard. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. 
This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowHeaders cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: >- + AllowMethods indicates which HTTP + methods are supported for accessing the + + requested resource. + + + Valid values are any method defined by + RFC9110, along with the special + + value `*`, which represents all HTTP + methods are allowed. + + + Method names are case-sensitive, so + these values are also case-sensitive. + + (See + https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + + Multiple method names in the value of + the `Access-Control-Allow-Methods` + + response header are separated by a comma + (","). + + + A CORS-safelisted method is a method + that is `GET`, `HEAD`, or `POST`. + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-method) + The + + CORS-safelisted methods are always + allowed, regardless of whether they + + are specified in the `AllowMethods` + field. + + + When the `AllowMethods` field is + configured with one or more methods, the + + gateway must return the + `Access-Control-Allow-Methods` response + header + + which value is present in the + `AllowMethods` field. + + + If the HTTP method of the + `Access-Control-Request-Method` request + header + + is not included in the list of methods + specified by the response header + + `Access-Control-Allow-Methods`, it will + present an error on the client + + side. + + + If config contains the wildcard "*" in + allowMethods and the request is + + not credentialed, the + `Access-Control-Allow-Methods` response + header + + can either use the `*` wildcard or the + value of + + Access-Control-Request-Method from the + request. 
+ + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Methods` response + header. When + + also the `AllowCredentials` field is + true and `AllowMethods` field + + specified with the `*` wildcard, the + gateway must specify one HTTP method + + in the value of the + Access-Control-Allow-Methods response + header. The + + value of the header + `Access-Control-Allow-Methods` is same + as the + + `Access-Control-Request-Method` header + provided by the client. If the + + header `Access-Control-Request-Method` + is not included in the request, + + the gateway will omit the + `Access-Control-Allow-Methods` response + header, + + instead of specifying the `*` wildcard. + + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowMethods cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: >- + AllowOrigins indicates whether the + response can be shared with requested + + resource from the given `Origin`. + + + The `Origin` consists of a scheme and a + host, with an optional port, and + + takes the form + `://(:)`. + + + Valid values for scheme are: `http` and + `https`. + + + Valid values for port are any integer + between 1 and 65535 (the list of + + available TCP/UDP ports). Note that, if + not included, port `80` is + + assumed for `http` scheme origins, and + port `443` is assumed for `https` + + origins. This may affect origin + matching. + + + The host part of the origin may contain + the wildcard character `*`. These + + wildcard characters behave as follows: + + + * `*` is a greedy match to the _left_, + including any number of + DNS labels to the left of its position. 
This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all + hosts. + + + An origin value that includes _only_ the + `*` character indicates requests + + from all `Origin`s are allowed. + + + When the `AllowOrigins` field is + configured with multiple origins, it + + means the server supports clients from + multiple origins. If the request + + `Origin` matches the configured allowed + origins, the gateway must return + + the given `Origin` and sets value of the + header + + `Access-Control-Allow-Origin` same as + the `Origin` header provided by the + + client. + + + The status code of a successful response + to a "preflight" request is + + always an OK status (i.e., 204 or 200). + + + If the request `Origin` does not match + the configured allowed origins, + + the gateway returns 204/200 response but + doesn't set the relevant + + cross-origin response headers. + Alternatively, the gateway responds with + + 403 status to the "preflight" request is + denied, coupled with omitting + + the CORS headers. The cross-origin + request fails on the client side. + + Therefore, the client doesn't attempt + the actual cross-origin request. + + + Conversely, if the request `Origin` + matches one of the configured + + allowed origins, the gateway sets the + response header + + `Access-Control-Allow-Origin` to the + same value as the `Origin` + + header provided by the client. + + + When config has the wildcard ("*") in + allowOrigins, and the request + + is not credentialed (e.g., it is a + preflight request), the + + `Access-Control-Allow-Origin` response + header either contains the + + wildcard as well or the Origin from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Origin` response + header. 
When + + also the `AllowCredentials` field is + true and `AllowOrigins` field + + specified with the `*` wildcard, the + gateway must return a single origin + + in the value of the + `Access-Control-Allow-Origin` response + header, + + instead of specifying the `*` wildcard. + The value of the header + + `Access-Control-Allow-Origin` is same as + the `Origin` header provided by + + the client. + + + Support: Extended + items: + description: >- + The CORSOrigin MUST NOT be a relative + URI, and it MUST follow the URI syntax + and + + encoding rules specified in RFC3986. + The CORSOrigin MUST include both a + + scheme ("http" or "https") and a + scheme-specific-part, or it should be a + single '*' character. + + URIs that include an authority MUST + include a fully qualified domain name or + + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: >- + (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowOrigins cannot contain '*' + alongside other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: >- + ExposeHeaders indicates which HTTP + response headers can be exposed + + to client-side scripts in response to a + cross-origin request. + + + A CORS-safelisted response header is an + HTTP header in a CORS response + + that it is considered safe to expose to + the client scripts. + + The CORS-safelisted response headers + include the following headers: + + `Cache-Control` + + `Content-Language` + + `Content-Length` + + `Content-Type` + + `Expires` + + `Last-Modified` + + `Pragma` + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + + The CORS-safelisted response headers are + exposed to client by default. 
+ + + When an HTTP header name is specified + using the `ExposeHeaders` field, + + this additional header will be exposed + as part of the response to the + + client. + + + Header names are not case-sensitive. + + + Multiple header names in the value of + the `Access-Control-Expose-Headers` + + response header are separated by a comma + (","). + + + A wildcard indicates that the responses + with all HTTP headers are exposed + + to clients. The + `Access-Control-Expose-Headers` response + header can only + + use `*` wildcard as value when the + request is not credentialed. + + + When the `exposeHeaders` config field + contains the "*" wildcard and + + the request is credentialed, the gateway + cannot use the `*` wildcard in + + the `Access-Control-Expose-Headers` + response header. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: >- + MaxAge indicates the duration (in + seconds) for the client to cache the + + results of a "preflight" request. + + + The information provided by the + `Access-Control-Allow-Methods` and + + `Access-Control-Allow-Headers` response + headers can be cached by the + + client until the time specified by + `Access-Control-Max-Age` elapses. + + + The default value of + `Access-Control-Max-Age` response header + is 5 + + (seconds). + + + When the `MaxAge` field is unspecified, + the gateway sets the response + + header "Access-Control-Max-Age: 5" by + default. 
+ format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef + MUST NOT be used for core and + + extended filters. + + + This filter can be used multiple times + within the same rule. + + + Support: Implementation-specific + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for + a filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. 
Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a + filter that mirrors requests. + + Requests are sent to the specified + destination, but responses from + + that destination are ignored. + + + This filter can be used multiple times + within the same rule. Note that + + not all implementations will be able to + support mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of + how many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference + to an *existing* object + + that is not allowed by a ReferenceGrant, + the controller must ensure the + + "ResolvedRefs" condition on the Route + is set to `status: False`, + + with the "RefNotPermitted" reason and + not configure this backend in the + + underlying implementation. 
+ + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail + about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of + requests that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum + value is 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: >- + !(has(self.percent) && + has(self.fraction)) + requestRedirect: + description: >- + RequestRedirect defines a schema for a + filter that responds to the + + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: >- + Hostname is the hostname to be used in + the value of the `Location` + + header in the response. + + When empty, the hostname in the `Host` + header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify + the path of the incoming request. + + The modified path is then used to + construct the `Location` header. When + + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. 
+ + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value + of the `Location` + + header in the response. + + + If no port is specified, the redirect + port MUST be derived using the + + following rules: + + + * If redirect scheme is not-empty, the + redirect port MUST be the well-known + port associated with the redirect scheme. 
Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the + redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port + number in the 'Location' + + header in the following cases: + + + * A Location header that will use HTTP + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the + value of the `Location` header in + + the response. When empty, the scheme of + the request is used. + + + Scheme redirects can affect the port of + the redirect, for more information, + + refer to the documentation for the port + field of this filter. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be + used in response. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. 
+ + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema + for a filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to + apply. As with other API fields, + + types are classified into three + conformance levels: + + + - Core: Filter types and their + corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. 
+ + - Extended: Filter types and their + corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that + are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define + custom implementation types to + + extend the core API with + implementation-specific behavior. + + + If a reference to a custom filter type + cannot be resolved, the filter + + MUST NOT be skipped. Instead, requests + that would have been processed by + + that filter MUST receive a HTTP error + response. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + type: string + urlRewrite: + description: >- + URLRewrite defines a schema for a filter + that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: >- + Hostname is the value to be used to + replace the Host header value during + + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. 
+ + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? 
+ has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: >- + filter.cors must be specified for CORS + filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: >- + filter.requestHeaderModifier must be nil + if the filter.type is not + RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && + self.type != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be + specified for RequestHeaderModifier + filter.type + rule: >- + !(!has(self.requestHeaderModifier) && + self.type == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil + if the filter.type is not + ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && + self.type != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be + specified for ResponseHeaderModifier + filter.type + rule: >- + !(!has(self.responseHeaderModifier) && + self.type == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type 
== + 'RequestMirror') + - message: >- + filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: >- + !(has(self.requestRedirect) && self.type + != 'RequestRedirect') + - message: >- + filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: >- + !(!has(self.requestRedirect) && self.type + == 'RequestRedirect') + - message: >- + filter.urlRewrite must be nil if the + filter.type is not URLRewrite + rule: >- + !(has(self.urlRewrite) && self.type != + 'URLRewrite') + - message: >- + filter.urlRewrite must be specified for + URLRewrite filter.type + rule: >- + !(!has(self.urlRewrite) && self.type == + 'URLRewrite') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + May specify either + httpRouteFilterRequestRedirect or + httpRouteFilterRequestRewrite, but not both + rule: >- + !(self.exists(f, f.type == + 'RequestRedirect') && self.exists(f, f.type + == 'URLRewrite')) + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 + - message: >- + RequestHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: >- + ResponseHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + - message: RequestRedirect filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestRedirect').size() <= 1 + - message: URLRewrite filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'URLRewrite').size() <= 1 + group: + default: '' + description: >- + Group is 
the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: >- + Filters define the filters that are applied to + requests that match + + this rule. + + + Wherever possible, implementations SHOULD implement + filters in the order + + they are specified. + + + Implementations MAY choose to implement this ordering + strictly, rejecting + + any combination or order of filters that cannot be + supported. If implementations + + choose a strict interpretation of filter ordering, + they MUST clearly document + + that behavior. + + + To reject an invalid combination or order of filters, + implementations SHOULD + + consider the Route Rules with this configuration + invalid. If all Route Rules + + in a Route are invalid, the entire Route would be + considered invalid. 
If only + + a portion of Route Rules are invalid, implementations + MUST set the + + "PartiallyInvalid" condition for the Route. + + + Conformance-levels at this level are defined based on + the type of filter: + + + - ALL core filters MUST be supported by all + implementations. + + - Implementers are encouraged to support extended + filters. + + - Implementation-specific custom filters have no API + guarantees across + implementations. + + Specifying the same filter multiple times is not + supported unless explicitly + + indicated in the filter. + + + All filters are expected to be compatible with each + other except for the + + URLRewrite and RequestRedirect filters, which may not + be combined. If an + + implementation cannot support other combinations of + filters, they must clearly + + document that limitation. In cases where incompatible + or unsupported + + filters are specified and cause the `Accepted` + condition to be set to status + + `False`, implementations may use the + `IncompatibleFilters` reason to specify + + this configuration error. + + + Support: Core + items: + description: >- + HTTPRouteFilter defines processing steps that must + be completed during the + + request or response lifecycle. HTTPRouteFilters are + meant as an extension + + point to express processing that may be done in + Gateway implementations. Some + + examples include request or response modification, + implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the type + of the filter. + properties: + cors: + description: >- + CORS defines a schema for a filter that responds + to the + + cross-origin request based on HTTP response + header. + + + Support: Extended + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether the + actual cross-origin request allows + + to include credentials. 
+ + + When set to true, the gateway will include + the `Access-Control-Allow-Credentials` + + response header with value true + (case-sensitive). + + + When set to false or omitted the gateway + will omit the header + + `Access-Control-Allow-Credentials` entirely + (this is the standard CORS + + behavior). + + + Support: Extended + type: boolean + allowHeaders: + description: >- + AllowHeaders indicates which HTTP request + headers are supported for + + accessing the requested resource. + + + Header names are not case-sensitive. + + + Multiple header names in the value of the + `Access-Control-Allow-Headers` + + response header are separated by a comma + (","). + + + When the `AllowHeaders` field is configured + with one or more headers, the + + gateway must return the + `Access-Control-Allow-Headers` response + header + + which value is present in the `AllowHeaders` + field. + + + If any header name in the + `Access-Control-Request-Headers` request + header + + is not included in the list of header names + specified by the response + + header `Access-Control-Allow-Headers`, it + will present an error on the + + client side. + + + If any header name in the + `Access-Control-Allow-Headers` response + header + + does not recognize by the client, it will + also occur an error on the + + client side. + + + A wildcard indicates that the requests with + all HTTP headers are allowed. + + If config contains the wildcard "*" in + allowHeaders and the request is + + not credentialed, the + `Access-Control-Allow-Headers` response + header + + can either use the `*` wildcard or the value + of + + Access-Control-Request-Headers from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Headers` response + header. 
When + + also the `AllowCredentials` field is true + and `AllowHeaders` field + + is specified with the `*` wildcard, the + gateway must specify one or more + + HTTP headers in the value of the + `Access-Control-Allow-Headers` response + + header. The value of the header + `Access-Control-Allow-Headers` is same as + + the `Access-Control-Request-Headers` header + provided by the client. If + + the header `Access-Control-Request-Headers` + is not included in the + + request, the gateway will omit the + `Access-Control-Allow-Headers` + + response header, instead of specifying the + `*` wildcard. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowHeaders cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: >- + AllowMethods indicates which HTTP methods + are supported for accessing the + + requested resource. + + + Valid values are any method defined by + RFC9110, along with the special + + value `*`, which represents all HTTP methods + are allowed. + + + Method names are case-sensitive, so these + values are also case-sensitive. + + (See + https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + + Multiple method names in the value of the + `Access-Control-Allow-Methods` + + response header are separated by a comma + (","). + + + A CORS-safelisted method is a method that is + `GET`, `HEAD`, or `POST`. 
+ + (See + https://fetch.spec.whatwg.org/#cors-safelisted-method) + The + + CORS-safelisted methods are always allowed, + regardless of whether they + + are specified in the `AllowMethods` field. + + + When the `AllowMethods` field is configured + with one or more methods, the + + gateway must return the + `Access-Control-Allow-Methods` response + header + + which value is present in the `AllowMethods` + field. + + + If the HTTP method of the + `Access-Control-Request-Method` request + header + + is not included in the list of methods + specified by the response header + + `Access-Control-Allow-Methods`, it will + present an error on the client + + side. + + + If config contains the wildcard "*" in + allowMethods and the request is + + not credentialed, the + `Access-Control-Allow-Methods` response + header + + can either use the `*` wildcard or the value + of + + Access-Control-Request-Method from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Methods` response + header. When + + also the `AllowCredentials` field is true + and `AllowMethods` field + + specified with the `*` wildcard, the gateway + must specify one HTTP method + + in the value of the + Access-Control-Allow-Methods response + header. The + + value of the header + `Access-Control-Allow-Methods` is same as + the + + `Access-Control-Request-Method` header + provided by the client. If the + + header `Access-Control-Request-Method` is + not included in the request, + + the gateway will omit the + `Access-Control-Allow-Methods` response + header, + + instead of specifying the `*` wildcard. 
+ + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowMethods cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: >- + AllowOrigins indicates whether the response + can be shared with requested + + resource from the given `Origin`. + + + The `Origin` consists of a scheme and a + host, with an optional port, and + + takes the form `://(:)`. + + + Valid values for scheme are: `http` and + `https`. + + + Valid values for port are any integer + between 1 and 65535 (the list of + + available TCP/UDP ports). Note that, if not + included, port `80` is + + assumed for `http` scheme origins, and port + `443` is assumed for `https` + + origins. This may affect origin matching. + + + The host part of the origin may contain the + wildcard character `*`. These + + wildcard characters behave as follows: + + + * `*` is a greedy match to the _left_, + including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + + An origin value that includes _only_ the `*` + character indicates requests + + from all `Origin`s are allowed. + + + When the `AllowOrigins` field is configured + with multiple origins, it + + means the server supports clients from + multiple origins. If the request + + `Origin` matches the configured allowed + origins, the gateway must return + + the given `Origin` and sets value of the + header + + `Access-Control-Allow-Origin` same as the + `Origin` header provided by the + + client. + + + The status code of a successful response to + a "preflight" request is + + always an OK status (i.e., 204 or 200). 
+ + + If the request `Origin` does not match the + configured allowed origins, + + the gateway returns 204/200 response but + doesn't set the relevant + + cross-origin response headers. + Alternatively, the gateway responds with + + 403 status to the "preflight" request is + denied, coupled with omitting + + the CORS headers. The cross-origin request + fails on the client side. + + Therefore, the client doesn't attempt the + actual cross-origin request. + + + Conversely, if the request `Origin` matches + one of the configured + + allowed origins, the gateway sets the + response header + + `Access-Control-Allow-Origin` to the same + value as the `Origin` + + header provided by the client. + + + When config has the wildcard ("*") in + allowOrigins, and the request + + is not credentialed (e.g., it is a preflight + request), the + + `Access-Control-Allow-Origin` response + header either contains the + + wildcard as well or the Origin from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Origin` response + header. When + + also the `AllowCredentials` field is true + and `AllowOrigins` field + + specified with the `*` wildcard, the gateway + must return a single origin + + in the value of the + `Access-Control-Allow-Origin` response + header, + + instead of specifying the `*` wildcard. The + value of the header + + `Access-Control-Allow-Origin` is same as the + `Origin` header provided by + + the client. + + + Support: Extended + items: + description: >- + The CORSOrigin MUST NOT be a relative URI, + and it MUST follow the URI syntax and + + encoding rules specified in RFC3986. The + CORSOrigin MUST include both a + + scheme ("http" or "https") and a + scheme-specific-part, or it should be a + single '*' character. + + URIs that include an authority MUST + include a fully qualified domain name or + + IP address as the host. 
+ maxLength: 253 + minLength: 1 + pattern: >- + (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowOrigins cannot contain '*' + alongside other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: >- + ExposeHeaders indicates which HTTP response + headers can be exposed + + to client-side scripts in response to a + cross-origin request. + + + A CORS-safelisted response header is an HTTP + header in a CORS response + + that it is considered safe to expose to the + client scripts. + + The CORS-safelisted response headers include + the following headers: + + `Cache-Control` + + `Content-Language` + + `Content-Length` + + `Content-Type` + + `Expires` + + `Last-Modified` + + `Pragma` + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + + The CORS-safelisted response headers are + exposed to client by default. + + + When an HTTP header name is specified using + the `ExposeHeaders` field, + + this additional header will be exposed as + part of the response to the + + client. + + + Header names are not case-sensitive. + + + Multiple header names in the value of the + `Access-Control-Expose-Headers` + + response header are separated by a comma + (","). + + + A wildcard indicates that the responses with + all HTTP headers are exposed + + to clients. The + `Access-Control-Expose-Headers` response + header can only + + use `*` wildcard as value when the request + is not credentialed. + + + When the `exposeHeaders` config field + contains the "*" wildcard and + + the request is credentialed, the gateway + cannot use the `*` wildcard in + + the `Access-Control-Expose-Headers` response + header. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. 
+ + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: >- + MaxAge indicates the duration (in seconds) + for the client to cache the + + results of a "preflight" request. + + + The information provided by the + `Access-Control-Allow-Methods` and + + `Access-Control-Allow-Headers` response + headers can be cached by the + + client until the time specified by + `Access-Control-Max-Age` elapses. + + + The default value of + `Access-Control-Max-Age` response header is + 5 + + (seconds). + + + When the `MaxAge` field is unspecified, the + gateway sets the response + + header "Access-Control-Max-Age: 5" by + default. + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef MUST NOT + be used for core and + + extended filters. + + + This filter can be used multiple times within + the same rule. + + + Support: Implementation-specific + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for a + filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. 
Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a filter that + mirrors requests. + + Requests are sent to the specified destination, + but responses from + + that destination are ignored. + + + This filter can be used multiple times within + the same rule. 
Note that + + not all implementations will be able to support + mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of how + many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference to + an *existing* object + + that is not allowed by a ReferenceGrant, the + controller must ensure the + + "ResolvedRefs" condition on the Route is + set to `status: False`, + + with the "RefNotPermitted" reason and not + configure this backend in the + + underlying implementation. + + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail about + the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. 
They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of requests + that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum value is + 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: >- + RequestRedirect defines a schema for a filter + that responds to the + + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: >- + Hostname is the hostname to be used in the + value of the `Location` + + header in the response. + + When empty, the hostname in the `Host` + header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify the + path of the incoming request. + + The modified path is then used to construct + the `Location` header. When + + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? 
self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value of + the `Location` + + header in the response. + + + If no port is specified, the redirect port + MUST be derived using the + + following rules: + + + * If redirect scheme is not-empty, the + redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect + port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port + number in the 'Location' + + header in the following cases: + + + * A Location header that will use HTTP + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the value + of the `Location` header in + + the response. When empty, the scheme of the + request is used. + + + Scheme redirects can affect the port of the + redirect, for more information, + + refer to the documentation for the port + field of this filter. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. 
+ + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be + used in response. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema for a + filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to apply. As + with other API fields, + + types are classified into three conformance + levels: + + + - Core: Filter types and their corresponding + configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding + configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are + defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom + implementation types to + + extend the core API with implementation-specific + behavior. + + + If a reference to a custom filter type cannot be + resolved, the filter + + MUST NOT be skipped. Instead, requests that + would have been processed by + + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not cause a + crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. 
+ enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + type: string + urlRewrite: + description: >- + URLRewrite defines a schema for a filter that + modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: >- + Hostname is the value to be used to replace + the Host header value during + + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. 
+ + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? 
self.type + == 'ReplacePrefixMatch' : true + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.cors must be nil if the filter.type is + not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: >- + filter.cors must be specified for CORS + filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: >- + filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && self.type + != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: >- + !(!has(self.requestHeaderModifier) && self.type + == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && self.type + != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: >- + !(!has(self.responseHeaderModifier) && self.type + == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type == + 'RequestMirror') + - message: >- + filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: >- + !(has(self.requestRedirect) && self.type != + 'RequestRedirect') + - message: >- + filter.requestRedirect must be specified for + RequestRedirect filter.type + rule: >- + !(!has(self.requestRedirect) && self.type == + 'RequestRedirect') + - message: >- + filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: >- + !(has(self.urlRewrite) && self.type != + 
'URLRewrite') + - message: >- + filter.urlRewrite must be specified for + URLRewrite filter.type + rule: >- + !(!has(self.urlRewrite) && self.type == + 'URLRewrite') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: >- + !(self.exists(f, f.type == 'RequestRedirect') && + self.exists(f, f.type == 'URLRewrite')) + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 + - message: RequestHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + - message: RequestRedirect filter cannot be repeated + rule: >- + self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: >- + Matches define conditions used for matching the rule + against incoming + + HTTP requests. Each match is independent, i.e. this + rule will be matched + + if **any** one of the matches is satisfied. 
+ + + For example, take the following matches configuration: + + + ``` + + matches: + + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + + For a request to match against this rule, a request + must satisfy + + EITHER of the two conditions: + + + - path prefixed with `/foo` AND contains the header + `version: v2` + + - path prefix of `/v2/foo` + + + See the documentation for HTTPRouteMatch on how to + specify multiple + + match conditions that should be ANDed together. + + + If no matches are specified, the default is a prefix + + path match on "/", which has the effect of matching + every + + HTTP request. + + + Proxy or Load Balancer routing configuration generated + from HTTPRoutes + + MUST prioritize matches based on the following + criteria, continuing on + + ties. Across all rules specified on applicable Routes, + precedence must be + + given to the match having: + + + * "Exact" path match. + + * "Prefix" path match with largest number of + characters. + + * Method match. + + * Largest number of header matches. + + * Largest number of query param matches. + + + Note: The precedence of RegularExpression path matches + are implementation-specific. + + + If ties still exist across multiple Routes, matching + precedence MUST be + + determined in order of the following criteria, + continuing on ties: + + + * The oldest Route based on creation timestamp. + + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching + precedence MUST be granted + + to the FIRST matching rule (in list order) with a + match meeting the above + + criteria. + + + When no rules matching a request have been + successfully attached to the + + parent a request is coming from, a HTTP 404 status + code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given\naction. 
Multiple match types are ANDed together, i.e. the match will\nevaluate to true only if all conditions are satisfied.\n\nFor example, the match below will match a HTTP request only if its path\nstarts with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t value \"v1\"\n\n```" + properties: + headers: + description: >- + Headers specifies HTTP request header matchers. + Multiple match values are + + ANDed together, meaning, a request must match + all the specified headers + + to select the route. + items: + description: >- + HTTPHeaderMatch describes how to select a HTTP + route by matching HTTP request + + headers. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent header name + MUST be ignored. Due to the + + case-insensitivity of header names, "foo" + and "Foo" are considered + + equivalent. + + + When a header is repeated in an HTTP + request, it is + + implementation-specific behavior as to how + this is represented. + + Generally, proxies should follow the + guidance from the RFC: + + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding + + processing a repeated header, with special + handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. 
+ + + Support: Core (Exact) + + + Support: Implementation-specific + (RegularExpression) + + + Since RegularExpression HeaderMatchType + has implementation-specific + + conformance, implementations can support + POSIX, PCRE or any other dialects + + of regular expressions. Please read the + implementation's documentation to + + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: >- + Method specifies HTTP method matcher. + + When specified, this route will be matched only + if the request has the + + specified method. + + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: >- + Path specifies a HTTP request path matcher. If + this field is not + + specified, a default prefix match on the "/" + path is provided. + properties: + type: + default: PathPrefix + description: >- + Type specifies how to match against the path + Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific + (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: >- + value must be an absolute path and start + with '/' when type one of ['Exact', + 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + self.value.startsWith('/') : true + - message: >- + must not contain '//' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? 
+ !self.value.contains('//') : true + - message: >- + must not contain '/./' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('/./') : true + - message: >- + must not contain '/../' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('/../') : true + - message: >- + must not contain '%2f' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('%2f') : true + - message: >- + must not contain '%2F' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('%2F') : true + - message: >- + must not contain '#' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('#') : true + - message: >- + must not end with '/..' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.endsWith('/..') : true + - message: >- + must not end with '/.' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.endsWith('/.') : true + - message: >- + type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: >- + self.type in ['Exact','PathPrefix'] || + self.type == 'RegularExpression' + - message: >- + must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true + queryParams: + description: >- + QueryParams specifies HTTP query parameter + matchers. Multiple match + + values are ANDed together, meaning, a request + must match all the + + specified query parameters to select the route. 
+ + + Support: Extended + items: + description: >- + HTTPQueryParamMatch describes how to select a + HTTP route by matching HTTP + + query parameters. + properties: + name: + description: >- + Name is the name of the HTTP query param + to be matched. This must be an + + exact string match. (See + + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent + query param names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent query param + name MUST be ignored. + + + If a query param is repeated in an HTTP + request, the behavior is + + purposely left undefined, since different + data planes have different + + capabilities. However, it is *recommended* + that implementations should + + match against the first value of the param + if the data plane supports it, + + as this behavior is expected in other load + balancing contexts outside of + + the Gateway API. + + + Users SHOULD NOT route traffic based on + repeated query params to guard + + themselves against potential differences + in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific + (RegularExpression) + + + Since RegularExpression + QueryParamMatchType has + Implementation-specific + + conformance, implementations can support + POSIX, PCRE or any other + + dialects of regular expressions. Please + read the implementation's + + documentation to determine the supported + dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of HTTP query param to + be matched. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + timeouts: + description: >- + Timeouts defines the timeouts that can be configured + for an HTTP request. + + + Support: Extended + properties: + backendRequest: + description: >- + BackendRequest specifies a timeout for an + individual request from the gateway + + to a backend. This covers the time from when the + request first starts being + + sent from the gateway to when the full response + has been received from the backend. + + + Setting a timeout to the zero duration (e.g. "0s") + SHOULD disable the timeout + + completely. Implementations that cannot completely + disable the timeout MUST + + instead interpret the zero duration as the longest + possible value to which + + the timeout can be set. + + + An entire client HTTP transaction with a gateway, + covered by the Request timeout, + + may result in more than one call from the gateway + to the destination backend, + + for example, if automatic retries are supported. + + + The value of BackendRequest must be a Gateway API + Duration string as defined by + + GEP-2257. When this field is unspecified, its + behavior is implementation-specific; + + when specified, the value of BackendRequest must + be no more than the value of the + + Request timeout (since the Request timeout + encompasses the BackendRequest timeout). 
+ + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: >- + Request specifies the maximum duration for a + gateway to respond to an HTTP request. + + If the gateway has not been able to respond before + this deadline is met, the gateway + + MUST return a timeout error. + + + For example, setting the `rules.timeouts.request` + field to the value `10s` in an + + `HTTPRoute` will cause a timeout if a client + request is taking longer than 10 seconds + + to complete. + + + Setting a timeout to the zero duration (e.g. "0s") + SHOULD disable the timeout + + completely. Implementations that cannot completely + disable the timeout MUST + + instead interpret the zero duration as the longest + possible value to which + + the timeout can be set. + + + This timeout is intended to cover as close to the + whole request-response transaction + + as possible although an implementation MAY choose + to start the timeout after the entire + + request stream has been received instead of + immediately after the transaction is + + initiated by the client. + + + The value of Request is a Gateway API Duration + string as defined by GEP-2257. When this + + field is unspecified, request timeout behavior is + implementation-specific. + + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: >- + backendRequest timeout cannot be longer than + request timeout + rule: >- + !(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration('0s') && + duration(self.backendRequest) > + duration(self.request)) + type: object + x-kubernetes-validations: + - message: >- + RequestRedirect filter must not be used together with + backendRefs + rule: >- + (has(self.backendRefs) && size(self.backendRefs) > 0) + ? 
(!has(self.filters) || self.filters.all(f, + !has(f.requestRedirect))): true + - message: >- + When using RequestRedirect filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.filters) && self.filters.exists_one(f, + has(f.requestRedirect) && has(f.requestRedirect.path) + && f.requestRedirect.path.type == 'ReplacePrefixMatch' + && has(f.requestRedirect.path.replacePrefixMatch))) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + - message: >- + When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.filters) && self.filters.exists_one(f, + has(f.urlRewrite) && has(f.urlRewrite.path) && + f.urlRewrite.path.type == 'ReplacePrefixMatch' && + has(f.urlRewrite.path.replacePrefixMatch))) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + - message: >- + Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix + match must be specified + rule: >- + (has(self.backendRefs) && + self.backendRefs.exists_one(b, (has(b.filters) && + b.filters.exists_one(f, has(f.requestRedirect) && + has(f.requestRedirect.path) && + f.requestRedirect.path.type == 'ReplacePrefixMatch' && + has(f.requestRedirect.path.replacePrefixMatch))) )) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? 
false : + true) : true + - message: >- + Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.backendRefs) && + self.backendRefs.exists_one(b, (has(b.filters) && + b.filters.exists_one(f, has(f.urlRewrite) && + has(f.urlRewrite.path) && f.urlRewrite.path.type == + 'ReplacePrefixMatch' && + has(f.urlRewrite.path.replacePrefixMatch))) )) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must + be less than 128 + rule: >- + (self.size() > 0 ? self[0].matches.size() : 0) + + (self.size() > 1 ? self[1].matches.size() : 0) + + (self.size() > 2 ? self[2].matches.size() : 0) + + (self.size() > 3 ? self[3].matches.size() : 0) + + (self.size() > 4 ? self[4].matches.size() : 0) + + (self.size() > 5 ? self[5].matches.size() : 0) + + (self.size() > 6 ? self[6].matches.size() : 0) + + (self.size() > 7 ? self[7].matches.size() : 0) + + (self.size() > 8 ? self[8].matches.size() : 0) + + (self.size() > 9 ? self[9].matches.size() : 0) + + (self.size() > 10 ? self[10].matches.size() : 0) + + (self.size() > 11 ? self[11].matches.size() : 0) + + (self.size() > 12 ? self[12].matches.size() : 0) + + (self.size() > 13 ? self[13].matches.size() : 0) + + (self.size() > 14 ? self[14].matches.size() : 0) + + (self.size() > 15 ? self[15].matches.size() : 0) <= 128 + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. 
When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. 
+ properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. 
+ + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. 
+ + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: >- + HTTPRoute provides a way to route HTTP requests. This includes the + capability + + to match requests by hostname, path, header, or query param. Filters + can be + + used to specify additional processing steps. Backends specify where + matching + + requests should be routed. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: >- + Hostnames defines a set of hostnames that should match + against the HTTP Host + + header to select a HTTPRoute used to process the request. 
+ Implementations + + MUST ignore any port value specified in the HTTP Host header + while + + performing a match and (absent of any applicable header + modification + + configuration) MUST forward this header unmodified to the + backend. + + + Valid values for Hostnames are determined by RFC 1123 + definition of a + + hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and + HTTPRoute, there + + must be at least one intersecting hostname for the HTTPRoute + to be + + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches + HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches + HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are + interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, but not + `example.com`. + + + If both the Listener and HTTPRoute have specified hostnames, + any + + HTTPRoute hostnames that do not match the Listener hostname + MUST be + + ignored. For example, if a Listener specified + `*.example.com`, and the + + HTTPRoute specified `test.example.com` and + `test.example.net`, + + `test.example.net` must not be considered for a match. 
+ + + If both the Listener and HTTPRoute have specified hostnames, + and none + + match with the criteria above, then the HTTPRoute is not + accepted. The + + implementation must raise an 'Accepted' Condition with a + status of + + `False` in the corresponding RouteParentStatus. + + + In the event that multiple HTTPRoutes specify intersecting + hostnames (e.g. + + overlapping wildcard matching and exact matching hostnames), + precedence must + + be given to rules from the HTTPRoute with the largest number + of: + + + * Characters in a matching non-wildcard hostname. + + * Characters in a matching hostname. + + + If ties exist across multiple Routes, the matching + precedence rules for + + HTTPRouteMatches takes over. + + + Support: Core + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. 
For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. 
For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. 
If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: >- + HTTPRouteRule defines semantics for matching an HTTP + request based on + + conditions (matches), processing it (filters), and + forwarding the request to + + an API object (backendRefs). + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. 
+ + + Failure behavior here depends on how many BackendRefs + are specified and + + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there + are also no filters + + specified in this route rule, *all* traffic which + matches this rule MUST + + receive a 500 status code. + + + See the HTTPBackendRef definition for the rules about + what makes a single + + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes + MUST be returned for + + requests that would have otherwise been routed to an + invalid backend. If + + multiple backends are specified, and some are invalid, + the proportion of + + requests that would otherwise have been routed to an + invalid backend + + MUST receive a 500 status code. + + + For example, if two backends are specified with equal + weights, and one is + + invalid, 50 percent of traffic must receive a 500. + Implementations may + + choose how that 50 percent is determined. + + + When a HTTPBackendRef refers to a Service that has no + ready endpoints, + + implementations SHOULD return a 503 for requests to + that backend instead. + + If an implementation chooses to do this, all of the + above rules for 500 responses + + MUST also apply for responses that return a 503. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Core + items: + description: >- + HTTPBackendRef defines how a HTTPRoute forwards a + HTTP request. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + properties: + filters: + description: >- + Filters defined at this level should be executed + if and only if the + + request is being forwarded to the backend + defined here. 
+ + + Support: Implementation-specific (For broader + support of filters, use the + + Filters field in HTTPRouteRule.) + items: + description: >- + HTTPRouteFilter defines processing steps that + must be completed during the + + request or response lifecycle. + HTTPRouteFilters are meant as an extension + + point to express processing that may be done + in Gateway implementations. Some + + examples include request or response + modification, implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the + type of the filter. + properties: + cors: + description: >- + CORS defines a schema for a filter that + responds to the + + cross-origin request based on HTTP + response header. + + + Support: Extended + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether the + actual cross-origin request allows + + to include credentials. + + + When set to true, the gateway will + include the + `Access-Control-Allow-Credentials` + + response header with value true + (case-sensitive). + + + When set to false or omitted the gateway + will omit the header + + `Access-Control-Allow-Credentials` + entirely (this is the standard CORS + + behavior). + + + Support: Extended + type: boolean + allowHeaders: + description: >- + AllowHeaders indicates which HTTP + request headers are supported for + + accessing the requested resource. + + + Header names are not case-sensitive. + + + Multiple header names in the value of + the `Access-Control-Allow-Headers` + + response header are separated by a comma + (","). + + + When the `AllowHeaders` field is + configured with one or more headers, the + + gateway must return the + `Access-Control-Allow-Headers` response + header + + which value is present in the + `AllowHeaders` field. 
+ + + If any header name in the + `Access-Control-Request-Headers` request + header + + is not included in the list of header + names specified by the response + + header `Access-Control-Allow-Headers`, + it will present an error on the + + client side. + + + If any header name in the + `Access-Control-Allow-Headers` response + header + + does not recognize by the client, it + will also occur an error on the + + client side. + + + A wildcard indicates that the requests + with all HTTP headers are allowed. + + If config contains the wildcard "*" in + allowHeaders and the request is + + not credentialed, the + `Access-Control-Allow-Headers` response + header + + can either use the `*` wildcard or the + value of + + Access-Control-Request-Headers from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Headers` response + header. When + + also the `AllowCredentials` field is + true and `AllowHeaders` field + + is specified with the `*` wildcard, the + gateway must specify one or more + + HTTP headers in the value of the + `Access-Control-Allow-Headers` response + + header. The value of the header + `Access-Control-Allow-Headers` is same + as + + the `Access-Control-Request-Headers` + header provided by the client. If + + the header + `Access-Control-Request-Headers` is not + included in the + + request, the gateway will omit the + `Access-Control-Allow-Headers` + + response header, instead of specifying + the `*` wildcard. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. 
+ - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowHeaders cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: >- + AllowMethods indicates which HTTP + methods are supported for accessing the + + requested resource. + + + Valid values are any method defined by + RFC9110, along with the special + + value `*`, which represents all HTTP + methods are allowed. + + + Method names are case-sensitive, so + these values are also case-sensitive. + + (See + https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + + Multiple method names in the value of + the `Access-Control-Allow-Methods` + + response header are separated by a comma + (","). + + + A CORS-safelisted method is a method + that is `GET`, `HEAD`, or `POST`. + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-method) + The + + CORS-safelisted methods are always + allowed, regardless of whether they + + are specified in the `AllowMethods` + field. + + + When the `AllowMethods` field is + configured with one or more methods, the + + gateway must return the + `Access-Control-Allow-Methods` response + header + + which value is present in the + `AllowMethods` field. + + + If the HTTP method of the + `Access-Control-Request-Method` request + header + + is not included in the list of methods + specified by the response header + + `Access-Control-Allow-Methods`, it will + present an error on the client + + side. + + + If config contains the wildcard "*" in + allowMethods and the request is + + not credentialed, the + `Access-Control-Allow-Methods` response + header + + can either use the `*` wildcard or the + value of + + Access-Control-Request-Method from the + request. 
+ + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Methods` response + header. When + + also the `AllowCredentials` field is + true and `AllowMethods` field + + specified with the `*` wildcard, the + gateway must specify one HTTP method + + in the value of the + Access-Control-Allow-Methods response + header. The + + value of the header + `Access-Control-Allow-Methods` is same + as the + + `Access-Control-Request-Method` header + provided by the client. If the + + header `Access-Control-Request-Method` + is not included in the request, + + the gateway will omit the + `Access-Control-Allow-Methods` response + header, + + instead of specifying the `*` wildcard. + + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowMethods cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: >- + AllowOrigins indicates whether the + response can be shared with requested + + resource from the given `Origin`. + + + The `Origin` consists of a scheme and a + host, with an optional port, and + + takes the form + `://(:)`. + + + Valid values for scheme are: `http` and + `https`. + + + Valid values for port are any integer + between 1 and 65535 (the list of + + available TCP/UDP ports). Note that, if + not included, port `80` is + + assumed for `http` scheme origins, and + port `443` is assumed for `https` + + origins. This may affect origin + matching. + + + The host part of the origin may contain + the wildcard character `*`. These + + wildcard characters behave as follows: + + + * `*` is a greedy match to the _left_, + including any number of + DNS labels to the left of its position. 
This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all + hosts. + + + An origin value that includes _only_ the + `*` character indicates requests + + from all `Origin`s are allowed. + + + When the `AllowOrigins` field is + configured with multiple origins, it + + means the server supports clients from + multiple origins. If the request + + `Origin` matches the configured allowed + origins, the gateway must return + + the given `Origin` and sets value of the + header + + `Access-Control-Allow-Origin` same as + the `Origin` header provided by the + + client. + + + The status code of a successful response + to a "preflight" request is + + always an OK status (i.e., 204 or 200). + + + If the request `Origin` does not match + the configured allowed origins, + + the gateway returns 204/200 response but + doesn't set the relevant + + cross-origin response headers. + Alternatively, the gateway responds with + + 403 status to the "preflight" request is + denied, coupled with omitting + + the CORS headers. The cross-origin + request fails on the client side. + + Therefore, the client doesn't attempt + the actual cross-origin request. + + + Conversely, if the request `Origin` + matches one of the configured + + allowed origins, the gateway sets the + response header + + `Access-Control-Allow-Origin` to the + same value as the `Origin` + + header provided by the client. + + + When config has the wildcard ("*") in + allowOrigins, and the request + + is not credentialed (e.g., it is a + preflight request), the + + `Access-Control-Allow-Origin` response + header either contains the + + wildcard as well or the Origin from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Origin` response + header. 
When + + also the `AllowCredentials` field is + true and `AllowOrigins` field + + specified with the `*` wildcard, the + gateway must return a single origin + + in the value of the + `Access-Control-Allow-Origin` response + header, + + instead of specifying the `*` wildcard. + The value of the header + + `Access-Control-Allow-Origin` is same as + the `Origin` header provided by + + the client. + + + Support: Extended + items: + description: >- + The CORSOrigin MUST NOT be a relative + URI, and it MUST follow the URI syntax + and + + encoding rules specified in RFC3986. + The CORSOrigin MUST include both a + + scheme ("http" or "https") and a + scheme-specific-part, or it should be a + single '*' character. + + URIs that include an authority MUST + include a fully qualified domain name or + + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: >- + (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowOrigins cannot contain '*' + alongside other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: >- + ExposeHeaders indicates which HTTP + response headers can be exposed + + to client-side scripts in response to a + cross-origin request. + + + A CORS-safelisted response header is an + HTTP header in a CORS response + + that it is considered safe to expose to + the client scripts. + + The CORS-safelisted response headers + include the following headers: + + `Cache-Control` + + `Content-Language` + + `Content-Length` + + `Content-Type` + + `Expires` + + `Last-Modified` + + `Pragma` + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + + The CORS-safelisted response headers are + exposed to client by default. 
+ + + When an HTTP header name is specified + using the `ExposeHeaders` field, + + this additional header will be exposed + as part of the response to the + + client. + + + Header names are not case-sensitive. + + + Multiple header names in the value of + the `Access-Control-Expose-Headers` + + response header are separated by a comma + (","). + + + A wildcard indicates that the responses + with all HTTP headers are exposed + + to clients. The + `Access-Control-Expose-Headers` response + header can only + + use `*` wildcard as value when the + request is not credentialed. + + + When the `exposeHeaders` config field + contains the "*" wildcard and + + the request is credentialed, the gateway + cannot use the `*` wildcard in + + the `Access-Control-Expose-Headers` + response header. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: >- + MaxAge indicates the duration (in + seconds) for the client to cache the + + results of a "preflight" request. + + + The information provided by the + `Access-Control-Allow-Methods` and + + `Access-Control-Allow-Headers` response + headers can be cached by the + + client until the time specified by + `Access-Control-Max-Age` elapses. + + + The default value of + `Access-Control-Max-Age` response header + is 5 + + (seconds). + + + When the `MaxAge` field is unspecified, + the gateway sets the response + + header "Access-Control-Max-Age: 5" by + default. 
+ format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef + MUST NOT be used for core and + + extended filters. + + + This filter can be used multiple times + within the same rule. + + + Support: Implementation-specific + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for + a filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. 
Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a + filter that mirrors requests. + + Requests are sent to the specified + destination, but responses from + + that destination are ignored. + + + This filter can be used multiple times + within the same rule. Note that + + not all implementations will be able to + support mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of + how many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference + to an *existing* object + + that is not allowed by a ReferenceGrant, + the controller must ensure the + + "ResolvedRefs" condition on the Route + is set to `status: False`, + + with the "RefNotPermitted" reason and + not configure this backend in the + + underlying implementation. 
+ + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail + about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of + requests that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum + value is 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: >- + !(has(self.percent) && + has(self.fraction)) + requestRedirect: + description: >- + RequestRedirect defines a schema for a + filter that responds to the + + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: >- + Hostname is the hostname to be used in + the value of the `Location` + + header in the response. + + When empty, the hostname in the `Host` + header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify + the path of the incoming request. + + The modified path is then used to + construct the `Location` header. When + + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. 
+ + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value + of the `Location` + + header in the response. + + + If no port is specified, the redirect + port MUST be derived using the + + following rules: + + + * If redirect scheme is not-empty, the + redirect port MUST be the well-known + port associated with the redirect scheme. 
Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the + redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port + number in the 'Location' + + header in the following cases: + + + * A Location header that will use HTTP + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the + value of the `Location` header in + + the response. When empty, the scheme of + the request is used. + + + Scheme redirects can affect the port of + the redirect, for more information, + + refer to the documentation for the port + field of this filter. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be + used in response. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. 
+ + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema + for a filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to + apply. As with other API fields, + + types are classified into three + conformance levels: + + + - Core: Filter types and their + corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. 
+ + - Extended: Filter types and their + corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that + are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define + custom implementation types to + + extend the core API with + implementation-specific behavior. + + + If a reference to a custom filter type + cannot be resolved, the filter + + MUST NOT be skipped. Instead, requests + that would have been processed by + + that filter MUST receive a HTTP error + response. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + type: string + urlRewrite: + description: >- + URLRewrite defines a schema for a filter + that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: >- + Hostname is the value to be used to + replace the Host header value during + + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. 
+ + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? 
+ has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: >- + filter.cors must be specified for CORS + filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: >- + filter.requestHeaderModifier must be nil + if the filter.type is not + RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && + self.type != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be + specified for RequestHeaderModifier + filter.type + rule: >- + !(!has(self.requestHeaderModifier) && + self.type == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil + if the filter.type is not + ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && + self.type != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be + specified for ResponseHeaderModifier + filter.type + rule: >- + !(!has(self.responseHeaderModifier) && + self.type == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type 
== + 'RequestMirror') + - message: >- + filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: >- + !(has(self.requestRedirect) && self.type + != 'RequestRedirect') + - message: >- + filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: >- + !(!has(self.requestRedirect) && self.type + == 'RequestRedirect') + - message: >- + filter.urlRewrite must be nil if the + filter.type is not URLRewrite + rule: >- + !(has(self.urlRewrite) && self.type != + 'URLRewrite') + - message: >- + filter.urlRewrite must be specified for + URLRewrite filter.type + rule: >- + !(!has(self.urlRewrite) && self.type == + 'URLRewrite') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + May specify either + httpRouteFilterRequestRedirect or + httpRouteFilterRequestRewrite, but not both + rule: >- + !(self.exists(f, f.type == + 'RequestRedirect') && self.exists(f, f.type + == 'URLRewrite')) + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 + - message: >- + RequestHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: >- + ResponseHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + - message: RequestRedirect filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestRedirect').size() <= 1 + - message: URLRewrite filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'URLRewrite').size() <= 1 + group: + default: '' + description: >- + Group is 
the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: >- + Filters define the filters that are applied to + requests that match + + this rule. + + + Wherever possible, implementations SHOULD implement + filters in the order + + they are specified. + + + Implementations MAY choose to implement this ordering + strictly, rejecting + + any combination or order of filters that cannot be + supported. If implementations + + choose a strict interpretation of filter ordering, + they MUST clearly document + + that behavior. + + + To reject an invalid combination or order of filters, + implementations SHOULD + + consider the Route Rules with this configuration + invalid. If all Route Rules + + in a Route are invalid, the entire Route would be + considered invalid. 
If only + + a portion of Route Rules are invalid, implementations + MUST set the + + "PartiallyInvalid" condition for the Route. + + + Conformance-levels at this level are defined based on + the type of filter: + + + - ALL core filters MUST be supported by all + implementations. + + - Implementers are encouraged to support extended + filters. + + - Implementation-specific custom filters have no API + guarantees across + implementations. + + Specifying the same filter multiple times is not + supported unless explicitly + + indicated in the filter. + + + All filters are expected to be compatible with each + other except for the + + URLRewrite and RequestRedirect filters, which may not + be combined. If an + + implementation cannot support other combinations of + filters, they must clearly + + document that limitation. In cases where incompatible + or unsupported + + filters are specified and cause the `Accepted` + condition to be set to status + + `False`, implementations may use the + `IncompatibleFilters` reason to specify + + this configuration error. + + + Support: Core + items: + description: >- + HTTPRouteFilter defines processing steps that must + be completed during the + + request or response lifecycle. HTTPRouteFilters are + meant as an extension + + point to express processing that may be done in + Gateway implementations. Some + + examples include request or response modification, + implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the type + of the filter. + properties: + cors: + description: >- + CORS defines a schema for a filter that responds + to the + + cross-origin request based on HTTP response + header. + + + Support: Extended + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether the + actual cross-origin request allows + + to include credentials. 
+ + + When set to true, the gateway will include + the `Access-Control-Allow-Credentials` + + response header with value true + (case-sensitive). + + + When set to false or omitted the gateway + will omit the header + + `Access-Control-Allow-Credentials` entirely + (this is the standard CORS + + behavior). + + + Support: Extended + type: boolean + allowHeaders: + description: >- + AllowHeaders indicates which HTTP request + headers are supported for + + accessing the requested resource. + + + Header names are not case-sensitive. + + + Multiple header names in the value of the + `Access-Control-Allow-Headers` + + response header are separated by a comma + (","). + + + When the `AllowHeaders` field is configured + with one or more headers, the + + gateway must return the + `Access-Control-Allow-Headers` response + header + + which value is present in the `AllowHeaders` + field. + + + If any header name in the + `Access-Control-Request-Headers` request + header + + is not included in the list of header names + specified by the response + + header `Access-Control-Allow-Headers`, it + will present an error on the + + client side. + + + If any header name in the + `Access-Control-Allow-Headers` response + header + + does not recognize by the client, it will + also occur an error on the + + client side. + + + A wildcard indicates that the requests with + all HTTP headers are allowed. + + If config contains the wildcard "*" in + allowHeaders and the request is + + not credentialed, the + `Access-Control-Allow-Headers` response + header + + can either use the `*` wildcard or the value + of + + Access-Control-Request-Headers from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Headers` response + header. 
When + + also the `AllowCredentials` field is true + and `AllowHeaders` field + + is specified with the `*` wildcard, the + gateway must specify one or more + + HTTP headers in the value of the + `Access-Control-Allow-Headers` response + + header. The value of the header + `Access-Control-Allow-Headers` is same as + + the `Access-Control-Request-Headers` header + provided by the client. If + + the header `Access-Control-Request-Headers` + is not included in the + + request, the gateway will omit the + `Access-Control-Allow-Headers` + + response header, instead of specifying the + `*` wildcard. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowHeaders cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: >- + AllowMethods indicates which HTTP methods + are supported for accessing the + + requested resource. + + + Valid values are any method defined by + RFC9110, along with the special + + value `*`, which represents all HTTP methods + are allowed. + + + Method names are case-sensitive, so these + values are also case-sensitive. + + (See + https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + + Multiple method names in the value of the + `Access-Control-Allow-Methods` + + response header are separated by a comma + (","). + + + A CORS-safelisted method is a method that is + `GET`, `HEAD`, or `POST`. 
+ + (See + https://fetch.spec.whatwg.org/#cors-safelisted-method) + The + + CORS-safelisted methods are always allowed, + regardless of whether they + + are specified in the `AllowMethods` field. + + + When the `AllowMethods` field is configured + with one or more methods, the + + gateway must return the + `Access-Control-Allow-Methods` response + header + + which value is present in the `AllowMethods` + field. + + + If the HTTP method of the + `Access-Control-Request-Method` request + header + + is not included in the list of methods + specified by the response header + + `Access-Control-Allow-Methods`, it will + present an error on the client + + side. + + + If config contains the wildcard "*" in + allowMethods and the request is + + not credentialed, the + `Access-Control-Allow-Methods` response + header + + can either use the `*` wildcard or the value + of + + Access-Control-Request-Method from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Methods` response + header. When + + also the `AllowCredentials` field is true + and `AllowMethods` field + + specified with the `*` wildcard, the gateway + must specify one HTTP method + + in the value of the + Access-Control-Allow-Methods response + header. The + + value of the header + `Access-Control-Allow-Methods` is same as + the + + `Access-Control-Request-Method` header + provided by the client. If the + + header `Access-Control-Request-Method` is + not included in the request, + + the gateway will omit the + `Access-Control-Allow-Methods` response + header, + + instead of specifying the `*` wildcard. 
+ + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowMethods cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: >- + AllowOrigins indicates whether the response + can be shared with requested + + resource from the given `Origin`. + + + The `Origin` consists of a scheme and a + host, with an optional port, and + + takes the form `://(:)`. + + + Valid values for scheme are: `http` and + `https`. + + + Valid values for port are any integer + between 1 and 65535 (the list of + + available TCP/UDP ports). Note that, if not + included, port `80` is + + assumed for `http` scheme origins, and port + `443` is assumed for `https` + + origins. This may affect origin matching. + + + The host part of the origin may contain the + wildcard character `*`. These + + wildcard characters behave as follows: + + + * `*` is a greedy match to the _left_, + including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + + An origin value that includes _only_ the `*` + character indicates requests + + from all `Origin`s are allowed. + + + When the `AllowOrigins` field is configured + with multiple origins, it + + means the server supports clients from + multiple origins. If the request + + `Origin` matches the configured allowed + origins, the gateway must return + + the given `Origin` and sets value of the + header + + `Access-Control-Allow-Origin` same as the + `Origin` header provided by the + + client. + + + The status code of a successful response to + a "preflight" request is + + always an OK status (i.e., 204 or 200). 
+ + + If the request `Origin` does not match the + configured allowed origins, + + the gateway returns 204/200 response but + doesn't set the relevant + + cross-origin response headers. + Alternatively, the gateway responds with + + 403 status to the "preflight" request is + denied, coupled with omitting + + the CORS headers. The cross-origin request + fails on the client side. + + Therefore, the client doesn't attempt the + actual cross-origin request. + + + Conversely, if the request `Origin` matches + one of the configured + + allowed origins, the gateway sets the + response header + + `Access-Control-Allow-Origin` to the same + value as the `Origin` + + header provided by the client. + + + When config has the wildcard ("*") in + allowOrigins, and the request + + is not credentialed (e.g., it is a preflight + request), the + + `Access-Control-Allow-Origin` response + header either contains the + + wildcard as well or the Origin from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Origin` response + header. When + + also the `AllowCredentials` field is true + and `AllowOrigins` field + + specified with the `*` wildcard, the gateway + must return a single origin + + in the value of the + `Access-Control-Allow-Origin` response + header, + + instead of specifying the `*` wildcard. The + value of the header + + `Access-Control-Allow-Origin` is same as the + `Origin` header provided by + + the client. + + + Support: Extended + items: + description: >- + The CORSOrigin MUST NOT be a relative URI, + and it MUST follow the URI syntax and + + encoding rules specified in RFC3986. The + CORSOrigin MUST include both a + + scheme ("http" or "https") and a + scheme-specific-part, or it should be a + single '*' character. + + URIs that include an authority MUST + include a fully qualified domain name or + + IP address as the host. 
+ maxLength: 253 + minLength: 1 + pattern: >- + (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowOrigins cannot contain '*' + alongside other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: >- + ExposeHeaders indicates which HTTP response + headers can be exposed + + to client-side scripts in response to a + cross-origin request. + + + A CORS-safelisted response header is an HTTP + header in a CORS response + + that it is considered safe to expose to the + client scripts. + + The CORS-safelisted response headers include + the following headers: + + `Cache-Control` + + `Content-Language` + + `Content-Length` + + `Content-Type` + + `Expires` + + `Last-Modified` + + `Pragma` + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + + The CORS-safelisted response headers are + exposed to client by default. + + + When an HTTP header name is specified using + the `ExposeHeaders` field, + + this additional header will be exposed as + part of the response to the + + client. + + + Header names are not case-sensitive. + + + Multiple header names in the value of the + `Access-Control-Expose-Headers` + + response header are separated by a comma + (","). + + + A wildcard indicates that the responses with + all HTTP headers are exposed + + to clients. The + `Access-Control-Expose-Headers` response + header can only + + use `*` wildcard as value when the request + is not credentialed. + + + When the `exposeHeaders` config field + contains the "*" wildcard and + + the request is credentialed, the gateway + cannot use the `*` wildcard in + + the `Access-Control-Expose-Headers` response + header. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. 
+ + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: >- + MaxAge indicates the duration (in seconds) + for the client to cache the + + results of a "preflight" request. + + + The information provided by the + `Access-Control-Allow-Methods` and + + `Access-Control-Allow-Headers` response + headers can be cached by the + + client until the time specified by + `Access-Control-Max-Age` elapses. + + + The default value of + `Access-Control-Max-Age` response header is + 5 + + (seconds). + + + When the `MaxAge` field is unspecified, the + gateway sets the response + + header "Access-Control-Max-Age: 5" by + default. + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef MUST NOT + be used for core and + + extended filters. + + + This filter can be used multiple times within + the same rule. + + + Support: Implementation-specific + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for a + filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. 
Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a filter that + mirrors requests. + + Requests are sent to the specified destination, + but responses from + + that destination are ignored. + + + This filter can be used multiple times within + the same rule. 
Note that + + not all implementations will be able to support + mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of how + many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference to + an *existing* object + + that is not allowed by a ReferenceGrant, the + controller must ensure the + + "ResolvedRefs" condition on the Route is + set to `status: False`, + + with the "RefNotPermitted" reason and not + configure this backend in the + + underlying implementation. + + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail about + the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. 
They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of requests + that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum value is + 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: >- + RequestRedirect defines a schema for a filter + that responds to the + + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: >- + Hostname is the hostname to be used in the + value of the `Location` + + header in the response. + + When empty, the hostname in the `Host` + header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify the + path of the incoming request. + + The modified path is then used to construct + the `Location` header. When + + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? 
self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value of + the `Location` + + header in the response. + + + If no port is specified, the redirect port + MUST be derived using the + + following rules: + + + * If redirect scheme is not-empty, the + redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect + port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port + number in the 'Location' + + header in the following cases: + + + * A Location header that will use HTTP + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the value + of the `Location` header in + + the response. When empty, the scheme of the + request is used. + + + Scheme redirects can affect the port of the + redirect, for more information, + + refer to the documentation for the port + field of this filter. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. 
+ + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be + used in response. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema for a + filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to apply. As + with other API fields, + + types are classified into three conformance + levels: + + + - Core: Filter types and their corresponding + configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding + configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are + defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom + implementation types to + + extend the core API with implementation-specific + behavior. + + + If a reference to a custom filter type cannot be + resolved, the filter + + MUST NOT be skipped. Instead, requests that + would have been processed by + + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not cause a + crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. 
+ enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + type: string + urlRewrite: + description: >- + URLRewrite defines a schema for a filter that + modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: >- + Hostname is the value to be used to replace + the Host header value during + + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. 
+ + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? 
self.type + == 'ReplacePrefixMatch' : true + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.cors must be nil if the filter.type is + not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: >- + filter.cors must be specified for CORS + filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: >- + filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && self.type + != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: >- + !(!has(self.requestHeaderModifier) && self.type + == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && self.type + != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: >- + !(!has(self.responseHeaderModifier) && self.type + == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type == + 'RequestMirror') + - message: >- + filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: >- + !(has(self.requestRedirect) && self.type != + 'RequestRedirect') + - message: >- + filter.requestRedirect must be specified for + RequestRedirect filter.type + rule: >- + !(!has(self.requestRedirect) && self.type == + 'RequestRedirect') + - message: >- + filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: >- + !(has(self.urlRewrite) && self.type != + 
'URLRewrite') + - message: >- + filter.urlRewrite must be specified for + URLRewrite filter.type + rule: >- + !(!has(self.urlRewrite) && self.type == + 'URLRewrite') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: >- + !(self.exists(f, f.type == 'RequestRedirect') && + self.exists(f, f.type == 'URLRewrite')) + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 + - message: RequestHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + - message: RequestRedirect filter cannot be repeated + rule: >- + self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: >- + Matches define conditions used for matching the rule + against incoming + + HTTP requests. Each match is independent, i.e. this + rule will be matched + + if **any** one of the matches is satisfied. 
+ + + For example, take the following matches configuration: + + + ``` + + matches: + + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + + For a request to match against this rule, a request + must satisfy + + EITHER of the two conditions: + + + - path prefixed with `/foo` AND contains the header + `version: v2` + + - path prefix of `/v2/foo` + + + See the documentation for HTTPRouteMatch on how to + specify multiple + + match conditions that should be ANDed together. + + + If no matches are specified, the default is a prefix + + path match on "/", which has the effect of matching + every + + HTTP request. + + + Proxy or Load Balancer routing configuration generated + from HTTPRoutes + + MUST prioritize matches based on the following + criteria, continuing on + + ties. Across all rules specified on applicable Routes, + precedence must be + + given to the match having: + + + * "Exact" path match. + + * "Prefix" path match with largest number of + characters. + + * Method match. + + * Largest number of header matches. + + * Largest number of query param matches. + + + Note: The precedence of RegularExpression path matches + are implementation-specific. + + + If ties still exist across multiple Routes, matching + precedence MUST be + + determined in order of the following criteria, + continuing on ties: + + + * The oldest Route based on creation timestamp. + + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching + precedence MUST be granted + + to the FIRST matching rule (in list order) with a + match meeting the above + + criteria. + + + When no rules matching a request have been + successfully attached to the + + parent a request is coming from, a HTTP 404 status + code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given\naction. 
Multiple match types are ANDed together, i.e. the match will\nevaluate to true only if all conditions are satisfied.\n\nFor example, the match below will match a HTTP request only if its path\nstarts with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t value \"v1\"\n\n```" + properties: + headers: + description: >- + Headers specifies HTTP request header matchers. + Multiple match values are + + ANDed together, meaning, a request must match + all the specified headers + + to select the route. + items: + description: >- + HTTPHeaderMatch describes how to select a HTTP + route by matching HTTP request + + headers. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent header name + MUST be ignored. Due to the + + case-insensitivity of header names, "foo" + and "Foo" are considered + + equivalent. + + + When a header is repeated in an HTTP + request, it is + + implementation-specific behavior as to how + this is represented. + + Generally, proxies should follow the + guidance from the RFC: + + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding + + processing a repeated header, with special + handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. 
+ + + Support: Core (Exact) + + + Support: Implementation-specific + (RegularExpression) + + + Since RegularExpression HeaderMatchType + has implementation-specific + + conformance, implementations can support + POSIX, PCRE or any other dialects + + of regular expressions. Please read the + implementation's documentation to + + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: >- + Method specifies HTTP method matcher. + + When specified, this route will be matched only + if the request has the + + specified method. + + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: >- + Path specifies a HTTP request path matcher. If + this field is not + + specified, a default prefix match on the "/" + path is provided. + properties: + type: + default: PathPrefix + description: >- + Type specifies how to match against the path + Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific + (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: >- + value must be an absolute path and start + with '/' when type one of ['Exact', + 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + self.value.startsWith('/') : true + - message: >- + must not contain '//' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? 
+ !self.value.contains('//') : true + - message: >- + must not contain '/./' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('/./') : true + - message: >- + must not contain '/../' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('/../') : true + - message: >- + must not contain '%2f' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('%2f') : true + - message: >- + must not contain '%2F' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('%2F') : true + - message: >- + must not contain '#' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('#') : true + - message: >- + must not end with '/..' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.endsWith('/..') : true + - message: >- + must not end with '/.' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.endsWith('/.') : true + - message: >- + type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: >- + self.type in ['Exact','PathPrefix'] || + self.type == 'RegularExpression' + - message: >- + must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true + queryParams: + description: >- + QueryParams specifies HTTP query parameter + matchers. Multiple match + + values are ANDed together, meaning, a request + must match all the + + specified query parameters to select the route. 
+ + + Support: Extended + items: + description: >- + HTTPQueryParamMatch describes how to select a + HTTP route by matching HTTP + + query parameters. + properties: + name: + description: >- + Name is the name of the HTTP query param + to be matched. This must be an + + exact string match. (See + + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent + query param names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent query param + name MUST be ignored. + + + If a query param is repeated in an HTTP + request, the behavior is + + purposely left undefined, since different + data planes have different + + capabilities. However, it is *recommended* + that implementations should + + match against the first value of the param + if the data plane supports it, + + as this behavior is expected in other load + balancing contexts outside of + + the Gateway API. + + + Users SHOULD NOT route traffic based on + repeated query params to guard + + themselves against potential differences + in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific + (RegularExpression) + + + Since RegularExpression + QueryParamMatchType has + Implementation-specific + + conformance, implementations can support + POSIX, PCRE or any other + + dialects of regular expressions. Please + read the implementation's + + documentation to determine the supported + dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of HTTP query param to + be matched. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + timeouts: + description: >- + Timeouts defines the timeouts that can be configured + for an HTTP request. + + + Support: Extended + properties: + backendRequest: + description: >- + BackendRequest specifies a timeout for an + individual request from the gateway + + to a backend. This covers the time from when the + request first starts being + + sent from the gateway to when the full response + has been received from the backend. + + + Setting a timeout to the zero duration (e.g. "0s") + SHOULD disable the timeout + + completely. Implementations that cannot completely + disable the timeout MUST + + instead interpret the zero duration as the longest + possible value to which + + the timeout can be set. + + + An entire client HTTP transaction with a gateway, + covered by the Request timeout, + + may result in more than one call from the gateway + to the destination backend, + + for example, if automatic retries are supported. + + + The value of BackendRequest must be a Gateway API + Duration string as defined by + + GEP-2257. When this field is unspecified, its + behavior is implementation-specific; + + when specified, the value of BackendRequest must + be no more than the value of the + + Request timeout (since the Request timeout + encompasses the BackendRequest timeout). 
+ + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: >- + Request specifies the maximum duration for a + gateway to respond to an HTTP request. + + If the gateway has not been able to respond before + this deadline is met, the gateway + + MUST return a timeout error. + + + For example, setting the `rules.timeouts.request` + field to the value `10s` in an + + `HTTPRoute` will cause a timeout if a client + request is taking longer than 10 seconds + + to complete. + + + Setting a timeout to the zero duration (e.g. "0s") + SHOULD disable the timeout + + completely. Implementations that cannot completely + disable the timeout MUST + + instead interpret the zero duration as the longest + possible value to which + + the timeout can be set. + + + This timeout is intended to cover as close to the + whole request-response transaction + + as possible although an implementation MAY choose + to start the timeout after the entire + + request stream has been received instead of + immediately after the transaction is + + initiated by the client. + + + The value of Request is a Gateway API Duration + string as defined by GEP-2257. When this + + field is unspecified, request timeout behavior is + implementation-specific. + + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: >- + backendRequest timeout cannot be longer than + request timeout + rule: >- + !(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration('0s') && + duration(self.backendRequest) > + duration(self.request)) + type: object + x-kubernetes-validations: + - message: >- + RequestRedirect filter must not be used together with + backendRefs + rule: >- + (has(self.backendRefs) && size(self.backendRefs) > 0) + ? 
(!has(self.filters) || self.filters.all(f, + !has(f.requestRedirect))): true + - message: >- + When using RequestRedirect filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.filters) && self.filters.exists_one(f, + has(f.requestRedirect) && has(f.requestRedirect.path) + && f.requestRedirect.path.type == 'ReplacePrefixMatch' + && has(f.requestRedirect.path.replacePrefixMatch))) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + - message: >- + When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.filters) && self.filters.exists_one(f, + has(f.urlRewrite) && has(f.urlRewrite.path) && + f.urlRewrite.path.type == 'ReplacePrefixMatch' && + has(f.urlRewrite.path.replacePrefixMatch))) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + - message: >- + Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix + match must be specified + rule: >- + (has(self.backendRefs) && + self.backendRefs.exists_one(b, (has(b.filters) && + b.filters.exists_one(f, has(f.requestRedirect) && + has(f.requestRedirect.path) && + f.requestRedirect.path.type == 'ReplacePrefixMatch' && + has(f.requestRedirect.path.replacePrefixMatch))) )) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? 
false : + true) : true + - message: >- + Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.backendRefs) && + self.backendRefs.exists_one(b, (has(b.filters) && + b.filters.exists_one(f, has(f.urlRewrite) && + has(f.urlRewrite.path) && f.urlRewrite.path.type == + 'ReplacePrefixMatch' && + has(f.urlRewrite.path.replacePrefixMatch))) )) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must + be less than 128 + rule: >- + (self.size() > 0 ? self[0].matches.size() : 0) + + (self.size() > 1 ? self[1].matches.size() : 0) + + (self.size() > 2 ? self[2].matches.size() : 0) + + (self.size() > 3 ? self[3].matches.size() : 0) + + (self.size() > 4 ? self[4].matches.size() : 0) + + (self.size() > 5 ? self[5].matches.size() : 0) + + (self.size() > 6 ? self[6].matches.size() : 0) + + (self.size() > 7 ? self[7].matches.size() : 0) + + (self.size() > 8 ? self[8].matches.size() : 0) + + (self.size() > 9 ? self[9].matches.size() : 0) + + (self.size() > 10 ? self[10].matches.size() : 0) + + (self.size() > 11 ? self[11].matches.size() : 0) + + (self.size() > 12 ? self[12].matches.size() : 0) + + (self.size() > 13 ? self[13].matches.size() : 0) + + (self.size() > 14 ? self[14].matches.size() : 0) + + (self.size() > 15 ? self[15].matches.size() : 0) <= 128 + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. 
When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. 
+ properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. 
+ + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. 
+ + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/issuers.cert-manager.io.yaml b/_/CustomResourceDefinition/issuers.cert-manager.io.yaml index 57b3416..7b1421c 100644 --- a/_/CustomResourceDefinition/issuers.cert-manager.io.yaml +++ b/_/CustomResourceDefinition/issuers.cert-manager.io.yaml @@ -1,13 +1,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + annotations: + controller-gen.kubebuilder.io/version: v0.20.1 name: issuers.cert-manager.io spec: group: cert-manager.io @@ -17,14 +12,16 @@ spec: kind: Issuer listKind: IssuerList plural: issuers + shortNames: + - iss singular: issuer scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message + - jsonPath: .status.conditions[?(@.type == "Ready")].message name: Status priority: 1 type: string 
@@ -41,23 +38,39 @@ spec: openAPIV3Schema: description: >- An Issuer represents a certificate issuing authority which can be - referenced as part of `issuerRef` fields. It is scoped to a single - namespace and can therefore only be referenced by resources within - the same namespace. + + referenced as part of `issuerRef` fields. + + It is scoped to a single namespace and can therefore only be + referenced by + + resources within the same namespace. properties: apiVersion: description: >- APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the - latest internal value, and may reject unrecognized values. More - info: + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: >- Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the - client submits requests to. Cannot be updated. In CamelCase. + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string 
@@ -69,59 +82,97 @@ spec: acme: description: >- ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. + (ACME) server + + to obtain signed x509 certificates. properties: caBundle: description: >- Base64-encoded bundle of PEM CAs which can be used to - validate the certificate chain presented by the ACME - server. Mutually exclusive with SkipTLSVerify; prefer - using CABundle to prevent various kinds of security - vulnerabilities. If CABundle and SkipTLSVerify are - unset, the system certificate bundle inside the - container is used to validate the TLS connection. + validate the certificate + + chain presented by the ACME server. + + Mutually exclusive with SkipTLSVerify; prefer using + CABundle to prevent various + + kinds of security vulnerabilities. + + If CABundle and SkipTLSVerify are unset, the system + certificate bundle inside + + the container is used to validate the TLS connection. format: byte type: string disableAccountKeyGeneration: description: >- Enables or disables generating a new ACME account key. + If true, the Issuer resource will *not* request a new - account but will expect the account key to be supplied - via an existing secret. If false, the cert-manager - system will generate a new ACME account key for the - Issuer. Defaults to false. + account but will expect + + the account key to be supplied via an existing secret. + + If false, the cert-manager system will generate a new + ACME account key + + for the Issuer. + + Defaults to false. type: boolean email: description: >- Email is the email address to be associated with the - ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in - case of issues with your account or certificates, - including expiry notification emails. This field may be - updated after the account is initially registered. + ACME account. + + This field is optional, but it is strongly recommended + to be set. 
+ + It will be used to contact you in case of issues with + your account or + + certificates, including expiry notification emails. + + This field may be updated after the account is initially + registered. type: string enableDurationFeature: description: >- Enables requesting a Not After date on certificates that - matches the duration of the certificate. This is not - supported by all ACME servers like Let's Encrypt. If set - to true when the ACME server does not support it it will - create an error on the Order. Defaults to false. + matches the + + duration of the certificate. This is not supported by + all ACME servers + + like Let's Encrypt. If set to true when the ACME server + does not support + + it, it will create an error on the Order. + + Defaults to false. type: boolean externalAccountBinding: description: >- ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration - cert-manager will attempt to associate the given + account of the ACME + + server. + + If set, upon registration cert-manager will attempt to + associate the given + external account credentials with the registered ACME account. properties: keyAlgorithm: description: >- Deprecated: keyAlgorithm field exists for historical - compatibility reasons and should not be used. The - algorithm is now hardcoded to HS256 in - golang/x/crypto/acme. + compatibility + + reasons and should not be used. The algorithm is now + hardcoded to HS256 + + in golang/x/crypto/acme. enum: - HS256 - HS384 
@@ -135,26 +186,39 @@ spec: keySecretRef: description: >- keySecretRef is a Secret Key Selector referencing a - data item in a Kubernetes Secret which holds the - symmetric MAC key of the External Account Binding. + data item in a Kubernetes + + Secret which holds the symmetric MAC key of the + External Account Binding. + The `key` is the index string that is paired with - the key data in the Secret and should not be - confused with the key data itself, or indeed with - the External Account Binding keyID above. The secret - key stored in the Secret **must** be un-padded, - base64 URL encoded data. + the key data in the + + Secret and should not be confused with the key data + itself, or indeed with + + the External Account Binding keyID above. + + The secret key stored in the Secret **must** be + un-padded, base64 URL + + encoded data. properties: key: description: >- The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -167,102 +231,169 @@ spec: preferredChain: description: >- PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that - this one gets delivered by the ACME endpoint. For - example, for Let's Encrypt's DST crosssign you would - use: "DST Root CA X3" or "ISRG Root X1" for the newer - Let's Encrypt root CA. This value picks the first - certificate bundle in the ACME alternative chains that - has a certificate with this value as its issuer's CN + outputs multiple. + + PreferredChain is no guarantee that this one gets + delivered by the ACME + + endpoint. + + For example, for Let's Encrypt's DST cross-sign you + would use: + + "DST Root CA X3" or "ISRG Root X1" for the newer Let's + Encrypt root CA. + + This value picks the first certificate bundle in the + combined set of + + ACME default and alternative chains that has a root-most + certificate with + + this value as its issuer's commonname. maxLength: 64 type: string privateKeySecretRef: description: >- PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated - ACME account private key. Optionally, a `key` may be - specified to select a specific entry within the named - Secret resource. If `key` is not specified, a default of - `tls.key` will be used. + that will be used to + + store the automatically generated ACME account private + key. + + Optionally, a `key` may be specified to select a + specific entry within + + the named Secret resource. + + If `key` is not specified, a default of `tls.key` will + be used. properties: key: description: >- The key of the entry in the Secret resource's `data` - field to be used. Some instances of this field may - be defaulted, in others it may be required. + field to be used. + + Some instances of this field may be defaulted, in + others it may be + + required. type: string name: description: >- - Name of the resource being referred to. 
More info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: - name type: object + profile: + description: >- + Profile allows requesting a certificate profile from the + ACME server. + + Supported profiles are listed by the server's ACME + directory URL. + type: string server: description: >- Server is the URL used to access the ACME server's - 'directory' endpoint. For example, for Let's Encrypt's - staging endpoint, you would use: + 'directory' endpoint. + + For example, for Let's Encrypt's staging endpoint, you + would use: + "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported. type: string skipTLSVerify: description: >- INSECURE: Enables or disables validation of the ACME - server TLS certificate. If true, requests to the ACME - server will not have the TLS certificate chain - validated. Mutually exclusive with CABundle; prefer - using CABundle to prevent various kinds of security - vulnerabilities. Only enable this option in development - environments. If CABundle and SkipTLSVerify are unset, - the system certificate bundle inside the container is - used to validate the TLS connection. Defaults to false. + server TLS certificate. + + If true, requests to the ACME server will not have the + TLS certificate chain + + validated. + + Mutually exclusive with CABundle; prefer using CABundle + to prevent various + + kinds of security vulnerabilities. + + Only enable this option in development environments. + + If CABundle and SkipTLSVerify are unset, the system + certificate bundle inside + + the container is used to validate the TLS connection. + + Defaults to false. type: boolean solvers: description: >- Solvers is a list of challenge solvers that will be used - to solve ACME challenges for the matching domains. + to solve + + ACME challenges for the matching domains. 
+ Solver configurations must be provided in order to - obtain certificates from an ACME server. For more - information, see: + obtain certificates + + from an ACME server. + + For more information, see: https://cert-manager.io/docs/configuration/acme/ items: description: >- An ACMEChallengeSolver describes how to solve ACME - challenges for the issuer it is part of. A selector - may be provided to use different solving strategies - for different DNS names. Only one of HTTP01 or DNS01 - must be provided. + challenges for the issuer it is part of. + + A selector may be provided to use different solving + strategies for different DNS names. + + Only one of HTTP01 or DNS01 must be provided. properties: dns01: description: >- Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge - flow. + authorizations by + + performing the DNS01 challenge flow. properties: acmeDNS: description: >- Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to - manage DNS01 challenge records. + manage + + DNS01 challenge records. properties: accountSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -283,19 +414,25 @@ spec: accessTokenSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -305,19 +442,25 @@ spec: clientSecretSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -327,19 +470,25 @@ spec: clientTokenSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -361,24 +510,40 @@ spec: properties: clientID: description: >- - if both this and ClientSecret are left - unset MSI will be used + Auth: Azure Service Principal: + + The ClientID of the Azure Service + Principal used to authenticate with Azure + DNS. + + If set, ClientSecret and TenantID must + also be set. type: string clientSecretSecretRef: description: >- - if both this and ClientID are left unset - MSI will be used + Auth: Azure Service Principal: + + A reference to a Secret containing the + password associated with the Service + Principal. + + If set, ClientID and TenantID must also be + set. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -400,20 +565,35 @@ spec: type: string managedIdentity: description: >- - managed identity configuration, can not be - used at the same time as clientID, - clientSecretSecretRef or tenantID + Auth: Azure Workload Identity or Azure + Managed Service Identity: + + Settings to enable Azure Workload Identity + or Azure Managed Service Identity + + If set, ClientID, ClientSecret and + TenantID must not be set. properties: clientID: description: >- - client ID of the managed identity, can - not be used at the same time as + client ID of the managed identity, + cannot be used at the same time as resourceID type: string resourceID: description: >- - resource ID of the managed identity, can - not be used at the same time as clientID + resource ID of the managed identity, + cannot be used at the same time as + clientID + + Cannot be used for Azure Managed Service + Identity + type: string + tenantID: + description: >- + tenant ID of the managed identity, + cannot be used at the same time as + resourceID type: string type: object resourceGroupName: @@ -424,8 +604,36 @@ spec: type: string tenantID: description: >- - when specifying ClientID and ClientSecret - then this field is also needed + Auth: Azure Service Principal: + + The TenantID of the Azure Service + Principal used to authenticate with Azure + DNS. + + If set, ClientID and ClientSecret must + also be set. + type: string + zoneType: + description: >- + ZoneType determines which type of Azure + DNS zone to use. + + + Valid values are: + - AzurePublicZone (default): Use a public Azure DNS zone. + - AzurePrivateZone: Use an Azure Private DNS zone. + + If not specified, AzurePublicZone is used. + + + Support for Azure Private DNS zones is + currently + + experimental and may change in future + releases. + enum: + - AzurePublicZone + - AzurePrivateZone type: string required: - resourceGroupName 
@@ -439,29 +647,38 @@ spec: hostedZoneName: description: >- HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If - left empty cert-manager will automatically - choose a zone. + tells cert-manager in which + + Cloud DNS zone the challenge record has to + be created. + + If left empty cert-manager will + automatically choose a zone. type: string project: type: string serviceAccountSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -479,21 +696,28 @@ spec: apiKeySecretRef: description: >- API key to use to authenticate with - Cloudflare. Note: using an API token to - authenticate is now the recommended method + Cloudflare. + + Note: using an API token to authenticate + is now the recommended method + as it allows greater control of permissions. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -508,13 +732,17 @@ spec: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -530,8 +758,9 @@ spec: cnameStrategy: description: >- CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when - found in DNS zones. + provider should handle CNAME + + records when found in DNS zones. enum: - None - Follow @@ -544,19 +773,25 @@ spec: tokenSecretRef: description: >- A reference to a specific 'key' within a - Secret resource. In some instances, `key` - is a required field. + Secret resource. + + In some instances, `key` is a required + field. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string 
@@ -570,44 +805,75 @@ spec: description: >- Use RFC2136 ("Dynamic Updates in the Domain Name System") - (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. + (https://datatracker.ietf.org/doc/rfc2136/) + + to manage DNS01 challenge records. properties: nameserver: - description: "The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])\_; port is optional. This field is required." + description: >- + The IP address or hostname of an + authoritative DNS server supporting + + RFC2136 in the form host:port. If the host + is an IPv6 address it must be + + enclosed in square brackets (e.g + [2001:db8::1]); port is optional. + + This field is required. + type: string + protocol: + description: >- + Protocol to use for dynamic DNS update + queries. Valid values are (case-sensitive) + ``TCP`` and ``UDP``; ``UDP`` (default). + enum: + - TCP + - UDP type: string tsigAlgorithm: description: >- The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when - ``tsigSecretSecretRef`` and - ``tsigKeyName`` are defined. Supported - values are (case-insensitive): ``HMACMD5`` - (default), ``HMACSHA1``, ``HMACSHA256`` or + supporting RFC2136. Used only + + when ``tsigSecretSecretRef`` and + ``tsigKeyName`` are defined. + + Supported values are (case-insensitive): + ``HMACMD5`` (default), + + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. type: string tsigKeyName: description: >- The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is required. type: string tsigSecretSecretRef: description: >- The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this - field is required. + value. + + If ``tsigKeyName`` is defined, this field + is required. 
properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string @@ -625,11 +891,17 @@ spec: accessKeyID: description: >- The AccessKeyID is used for - authentication. Cannot be set when - SecretAccessKeyID is set. If neither the - Access Key nor Key ID are set, we - fall-back to using env vars, shared - credentials file or AWS Instance metadata, + authentication. + + Cannot be set when SecretAccessKeyID is + set. + + If neither the Access Key nor Key ID are + set, we fall back to using env + + vars, shared credentials file, or AWS + Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials type: string 
@@ -637,114 +909,259 @@ spec: description: >- The SecretAccessKey is used for authentication. If set, pull the AWS + access key ID from a key within a - Kubernetes Secret. Cannot be set when - AccessKeyID is set. If neither the Access - Key nor Key ID are set, we fall-back to - using env vars, shared credentials file or - AWS Instance metadata, see: + Kubernetes Secret. + + Cannot be set when AccessKeyID is set. + + If neither the Access Key nor Key ID are + set, we fall back to using env + + vars, shared credentials file, or AWS + Instance metadata, + + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: - name type: object + auth: + description: >- + Auth configures how cert-manager + authenticates. + properties: + kubernetes: + description: >- + Kubernetes authenticates with Route53 + using AssumeRoleWithWebIdentity + + by passing a bound ServiceAccount token. + properties: + serviceAccountRef: + description: >- + A reference to a service account that + will be used to request a bound + + token (also known as "projected token"). + To use this field, you must + + configure an RBAC rule to let + cert-manager request a token. + properties: + audiences: + description: >- + TokenAudiences is an optional list of + audiences to include in the + + token passed to AWS. The default token + consisting of the issuer's namespace + + and name is always included. + + If unset the audience defaults to + `sts.amazonaws.com`. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name of the ServiceAccount used to + request a token. + type: string + required: + - name + type: object + required: + - serviceAccountRef + type: object + required: + - kubernetes + type: object hostedZoneID: description: >- If set, the provider will manage only this - zone in Route53 and will not do an lookup + zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. type: string region: description: >- - Always set the region when using - AccessKeyID and SecretAccessKey + Override the AWS region. + + + Route53 is a global service and does not + have regional endpoints but the + + region specified here (or via environment + variables) is used as a hint to + + help compute the correct AWS credential + scope and partition when it + + connects to Route53. See: + + - [Amazon Route 53 endpoints and + quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) + + - [Global + services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) + + + If you omit this region field, + cert-manager will use the region from + + AWS_REGION and AWS_DEFAULT_REGION + environment variables, if they are set + + in the cert-manager controller Pod. + + + The `region` field is not needed if you + use [IAM Roles for Service Accounts + (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). + + Instead an AWS_REGION environment variable + is added to the cert-manager controller + Pod by: + + [Amazon EKS Pod Identity + Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). + + In this case this `region` field value is + ignored. + + + The `region` field is not needed if you + use [EKS Pod + Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
+ + Instead an AWS_REGION environment variable + is added to the cert-manager controller + Pod by: + + [Amazon EKS Pod Identity + Agent](https://github.com/aws/eks-pod-identity-agent), + + In this case this `region` field value is + ignored. type: string role: description: >- Role is a Role ARN which the Route53 provider will assume using either the explicit credentials - AccessKeyID/SecretAccessKey or the - inferred credentials from environment - variables, shared credentials file or AWS - Instance metadata + AccessKeyID/SecretAccessKey + + or the inferred credentials from + environment variables, shared credentials + file or AWS Instance metadata type: string secretAccessKeySecretRef: description: >- The SecretAccessKey is used for - authentication. If neither the Access Key - nor Key ID are set, we fall-back to using - env vars, shared credentials file or AWS - Instance metadata, see: + authentication. + + If neither the Access Key nor Key ID are + set, we fall back to using env + + vars, shared credentials file, or AWS + Instance metadata, + + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be - defaulted, in others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: - name type: object - required: - - region type: object webhook: description: >- Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge - records. + challenge solver to manage + + DNS01 challenge records. 
properties: config: description: >- Additional configuration that should be - passed to the webhook apiserver when - challenges are processed. This can contain - arbitrary JSON data. Secret values should - not be specified in this stanza. If secret - values are needed (e.g. credentials for a - DNS service), you should use a - SecretKeySelector to reference a Secret - resource. For details on the schema of - this field, consult the webhook provider + passed to the webhook apiserver + + when challenges are processed. + + This can contain arbitrary JSON data. + + Secret values should not be specified in + this stanza. + + If secret values are needed (e.g., + credentials for a DNS service), you + + should use a SecretKeySelector to + reference a Secret resource. + + For details on the schema of this field, + consult the webhook provider + implementation's documentation. x-kubernetes-preserve-unknown-fields: true groupName: description: >- The API group name that should be used - when POSTing ChallengePayload resources to - the webhook apiserver. This should be the - same as the GroupName specified in the - webhook provider implementation. + when POSTing ChallengePayload + + resources to the webhook apiserver. + + This should be the same as the GroupName + specified in the webhook + + provider implementation. type: string solverName: description: >- The name of the solver to use, as defined - in the webhook provider implementation. + in the webhook provider + + implementation. + This will typically be the name of the - provider, e.g. 'cloudflare'. + provider, e.g., 'cloudflare'. type: string required: - groupName 
@@ -754,79 +1171,130 @@ spec: http01: description: >- Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge - flow. It is not possible to obtain certificates - for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. + authorizations by + + performing the HTTP01 challenge flow. + + It is not possible to obtain certificates for + wildcard domain names + + (e.g., `*.example.com`) using the HTTP01 challenge + mechanism. properties: gatewayHTTPRoute: description: >- The Gateway API is a sig-network community API - that models service networking in Kubernetes + that models service networking + + in Kubernetes (https://gateway-api.sigs.k8s.io/). The - Gateway solver will create HTTPRoutes with the - specified labels in the same namespace as the - challenge. This solver is experimental, and - fields / behaviour may change in the future. + Gateway solver will + + create HTTPRoutes with the specified labels in + the same namespace as the challenge. + + This solver is experimental, and fields / + behaviour may change in the future. properties: labels: additionalProperties: type: string description: >- Custom labels that will be applied to - HTTPRoutes created by cert-manager while - solving HTTP-01 challenges. + HTTPRoutes created by cert-manager + + while solving HTTP-01 challenges. type: object parentRefs: description: >- When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. + cert-manager needs to know which parentRefs should be used when creating + the HTTPRoute. Usually, the parentRef references a Gateway. See: + https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways items: description: >- ParentReference identifies an API object (usually a Gateway) that can be - considered a parent of this resource - (usually a route). 
There are two kinds - of parent resources with "Core" - support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. + considered + + a parent of this resource (usually a + route). There are two kinds of parent + resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, + ClusterIP Services only) + + + This API may be extended in the future + to support additional kinds of parent + + resources. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. properties: group: default: gateway.networking.k8s.io description: >- - Group is the group of the referent. When - unspecified, "gateway.networking.k8s.io" - is inferred. To set the core API group - (such as for a "Service" kind referent), + Group is the group of the referent. + + When unspecified, + "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a + "Service" kind referent), + Group must be explicitly set to "" - (empty string). - Support: Core + (empty string). + + + Support: Core maxLength: 253 pattern: >- ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: default: Gateway - description: |- - Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) - Support for other resources is Implementation-Specific. + description: >- + Kind is kind of the referent. 
+ + + There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, + ClusterIP Services only) + + + Support for other resources is + Implementation-Specific. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: |- - Name is the name of the referent. - Support: Core + Name is the name of the referent. + + Support: Core maxLength: 253 minLength: 1 type: string 
@@ -834,11 +1302,55 @@ spec: description: >- Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. - Support: Core + + to the local namespace of the Route. + + + Note that there are specific rules for + ParentRefs which cross namespace + + boundaries. Cross-namespace references + are only valid if they are explicitly + + allowed by something in the namespace + they are referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in + the same namespace are "producer" + + routes, which apply default routing + rules to inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in + a different namespace are + + "consumer" routes, and these routing + rules are only applied to outbound + + connections originating from the same + namespace as the Route, for which + + the intended destination of the + connections are a Service targeted as a + + ParentRef of the Route. 
+ + + + + Support: Core maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -847,14 +1359,79 @@ spec: description: >- Port is the network port this Route targets. It can be interpreted + differently based on the type of parent - resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended - + resource. + + + When the parent resource is a Gateway, + this targets all listeners + + listening on the specified port that + also support this kind of Route(and + + select this Route). It's not recommended + to set `Port` unless the + + networking behaviors specified in a + Route must apply to a specific port + + as opposed to a listener(s) whose + port(s) may be changed. 
When both Port + + and SectionName are specified, the name + and port of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, + this targets a specific port in the + + Service spec. When both Port + (experimental) and SectionName are + specified, + + the name and port of the selected port + must match both specified values. + + + + + Implementations MAY choose to support + other parent resources. + + Implementations supporting other types + of parent resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment + is considered successful as + + long as the parent resource accepts it + partially. For example, Gateway + + listeners can restrict which Routes can + attach to them by Route kind, + + namespace, or hostname. If 1 of 2 + Gateway listeners accept attachment + + from the referencing Route, the Route + MUST be considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached + from the Gateway. + + + Support: Extended format: int32 maximum: 65535 minimum: 1 
@@ -863,12 +1440,63 @@ spec: description: >- SectionName is the name of a section within the target resource. In the + following resources, SectionName is - interpreted as the following: - * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core + interpreted as the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the + selected listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the + selected listener must match + + both specified values. + + + Implementations MAY choose to support + attaching Routes to other resources. + + If that is the case, they MUST clearly + document how SectionName is + + interpreted. 
+ + + When unspecified (empty string), this + will reference the entire resource. + + For the purpose of status, an attachment + is considered successful if at + + least one section in the parent resource + accepts it. For example, Gateway + + listeners can restrict which Routes can + attach to them by Route kind, + + namespace, or hostname. If 1 of 2 + Gateway listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from + the Gateway. + + + Support: Core maxLength: 253 minLength: 1 pattern: >- 
@@ -878,99 +1506,25 @@ spec: - name type: object type: array - serviceType: - description: >- - Optional service type for Kubernetes - solver service. Supported values are - NodePort or ClusterIP. If unset, defaults - to NodePort. - type: string - type: object - ingress: - description: >- - The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying - Ingress resources in order to route requests - for '/.well-known/acme-challenge/XYZ' to - 'challenge solver' pods that are provisioned - by cert-manager for each Challenge to be - completed. - properties: - class: - description: >- - This field configures the annotation - `kubernetes.io/ingress.class` when - creating Ingress resources to solve ACME - challenges that use this challenge solver. - Only one of `class`, `name` or - `ingressClassName` may be specified. - type: string - ingressClassName: - description: >- - This field configures the field - `ingressClassName` on the created Ingress - resources used to solve ACME challenges - that use this challenge solver. This is - the recommended way of configuring the - ingress class. Only one of `class`, `name` - or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: >- - Optional ingress template used to - configure the ACME challenge solver - ingress used for HTTP01 challenges. - properties: - metadata: - description: >- - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only - the 'labels' and 'annotations' fields - may be set. If labels or annotations - overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: >- - Annotations that should be added to the - created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: >- - Labels that should be added to the - created ACME HTTP01 solver ingress. 
- type: object - type: object - type: object - name: - description: >- - The name of the ingress resource that - should have ACME challenge solving routes - inserted into it in order to solve HTTP01 - challenges. This is typically used in - conjunction with ingress controllers like - ingress-gce, which maintains a 1:1 mapping - between external IPs and ingress - resources. Only one of `class`, `name` or - `ingressClassName` may be specified. - type: string + x-kubernetes-list-type: atomic podTemplate: description: >- Optional pod template used to configure - the ACME challenge solver pods used for - HTTP01 challenges. + the ACME challenge solver pods + + used for HTTP01 challenges. properties: metadata: description: >- ObjectMeta overrides for the pod used to - solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be - set. If labels or annotations overlap - with in-built values, the values here + solve HTTP01 challenges. + + Only the 'labels' and 'annotations' + fields may be set. + + If labels or annotations overlap with + in-built values, the values here + will override the in-built values. properties: annotations: @@ -978,7 +1532,7 @@ spec: type: string description: >- Annotations that should be added to the - create ACME HTTP01 solver pods. + created ACME HTTP01 solver pods. type: object labels: additionalProperties: @@ -991,9 +1545,12 @@ spec: spec: description: >- PodSpec defines overrides for the HTTP01 - challenge solver pod. Check + challenge solver pod. + + Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. + All other fields will be ignored. properties: affinity: 
@@ -1009,27 +1566,38 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: description: >- The scheduler will prefer to schedule - pods to nodes that satisfy the affinity - expressions specified by this field, but - it may choose a node that violates one - or more of the expressions. The node - that is most preferred is the one with - the greatest sum of weights, i.e. for - each node that meets all of the + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling - affinity expressions, etc.), compute a - sum by iterating through the elements of - this field and adding "weight" to the - sum if the node matches the - corresponding matchExpressions; the + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: description: >- An empty preferred scheduling term matches all objects with implicit weight - 0 (i.e. it's a no-op). A null preferred + 0 + + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: @@ -1046,8 +1614,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1057,28 +1626,37 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: >- A list of node selector requirements by @@ -1087,8 +1665,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1098,28 +1677,37 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic weight: 
@@ -1134,17 +1722,23 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: >- If the affinity requirements specified - by this field are not met at scheduling - time, the pod will not be scheduled onto - the node. If the affinity requirements - specified by this field cease to be met + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + at some point during pod execution (e.g. - due to an update), the system may or may - not try to eventually evict the pod from - its node. + due to an update), the system + + may or may not try to eventually evict + the pod from its node. properties: nodeSelectorTerms: description: >- @@ -1154,9 +1748,11 @@ spec: description: >- A null or empty node selector term matches no objects. The requirements of - them are ANDed. The TopologySelectorTerm - type implements a subset of the - NodeSelectorTerm. + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. properties: matchExpressions: description: >- @@ -1166,8 +1762,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1177,28 +1774,37 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: >- A list of node selector requirements by @@ -1207,8 +1813,9 @@ spec: description: >- A node selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator + + that relates the key and values. properties: key: description: >- 
@@ -1218,31 +1825,41 @@ spec: operator: description: >- Represents a key's relationship to a set - of values. Valid operators are In, - NotIn, Exists, DoesNotExist. Gt, and Lt. + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. type: string values: description: >- An array of string values. If the - operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. If the operator is - Gt or Lt, the values array must have a - single element, which will be - interpreted as an integer. This array is - replaced during a strategic merge patch. + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object 
@@ -1257,20 +1874,30 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: description: >- The scheduler will prefer to schedule - pods to nodes that satisfy the affinity - expressions specified by this field, but - it may choose a node that violates one - or more of the expressions. The node - that is most preferred is the one with - the greatest sum of weights, i.e. for - each node that meets all of the + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling - affinity expressions, etc.), compute a - sum by iterating through the elements of - this field and adding "weight" to the - sum if the node has pods which matches - the corresponding podAffinityTerm; the + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: @@ -1290,6 +1917,9 @@ spec: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: description: >- @@ -1300,8 +1930,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1311,49 +1942,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1365,8 +2079,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1376,36 +2091,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1413,27 +2140,38 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -1441,8 +2179,9 @@ spec: weight: description: >- weight associated with matching the - corresponding podAffinityTerm, in the - range 1-100. + corresponding podAffinityTerm, + + in the range 1-100. format: int32 type: integer required: 
@@ -1450,38 +2189,55 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: >- If the affinity requirements specified - by this field are not met at scheduling - time, the pod will not be scheduled onto - the node. If the affinity requirements - specified by this field cease to be met + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + at some point during pod execution (e.g. - due to a pod label update), the system - may or may not try to eventually evict - the pod from its node. When there are - multiple elements, the lists of nodes - corresponding to each podAffinityTerm - are intersected, i.e. all terms must be - satisfied. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. items: description: >- Defines a set of pods (namely those - matching the labelSelector relative to - the given namespace(s)) that this pod - should be co-located (affinity) or not - co-located (anti-affinity) with, where - co-located is defined as running on a - node whose value of the label with key - matches that of any node - on which a pod of the set of pods is - running + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running properties: labelSelector: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. 
properties: matchExpressions: description: >- @@ -1492,8 +2248,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1503,49 +2260,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1557,8 +2397,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1568,36 +2409,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1605,32 +2458,44 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object podAntiAffinity: description: >- 
@@ -1642,21 +2507,30 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: description: >- The scheduler will prefer to schedule - pods to nodes that satisfy the - anti-affinity expressions specified by - this field, but it may choose a node - that violates one or more of the - expressions. The node that is most - preferred is the one with the greatest - sum of weights, i.e. for each node that - meets all of the scheduling requirements - (resource request, - requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum if - the node has pods which matches the - corresponding podAffinityTerm; the + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: @@ -1676,6 +2550,9 @@ spec: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: description: >- @@ -1686,8 +2563,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1697,49 +2575,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1751,8 +2712,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1762,36 +2724,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1799,27 +2773,38 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -1827,8 +2812,9 @@ spec: weight: description: >- weight associated with matching the - corresponding podAffinityTerm, in the - range 1-100. + corresponding podAffinityTerm, + + in the range 1-100. format: int32 type: integer required: 
@@ -1836,38 +2822,55 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: >- If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be - scheduled onto the node. If the - anti-affinity requirements specified by - this field cease to be met at some point - during pod execution (e.g. due to a pod - label update), the system may or may not - try to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to each + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: >- Defines a set of pods (namely those - matching the labelSelector relative to - the given namespace(s)) that this pod - should be co-located (affinity) or not - co-located (anti-affinity) with, where - co-located is defined as running on a - node whose value of the label with key - matches that of any node - on which a pod of the set of pods is - running + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running properties: labelSelector: description: >- A label query over a set of resources, in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: description: >- 
@@ -1878,8 +2881,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1889,49 +2893,132 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. 
The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: description: >- A label query over the set of namespaces - that the term applies to. The term is - applied to the union of the namespaces - selected by this field and the ones - listed in the namespaces field. null - selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all namespaces. properties: matchExpressions: @@ -1943,8 +3030,9 @@ spec: description: >- A label selector requirement is a selector that contains values, a key, - and an operator that relates the key and - values. + and an operator that + + relates the key and values. properties: key: description: >- 
@@ -1954,36 +3042,48 @@ spec: operator: description: >- operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: description: >- values is an array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values - array must be empty. This array is - replaced during a strategic merge patch. + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: >- matchLabels is a map of {key,value} pairs. A single {key,value} in the - matchLabels map is equivalent to an - element of matchExpressions, whose key - field is "key", the operator is "In", - and the values array contains only - "value". The requirements are ANDed. + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1991,32 +3091,44 @@ spec: description: >- namespaces specifies a static list of namespace names that the term applies - to. The term is applied to the union of - the namespaces listed in this field and - the ones selected by namespaceSelector. + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: description: >- This pod should be co-located (affinity) or not co-located (anti-affinity) with - the pods matching the labelSelector in - the specified namespaces, where - co-located is defined as running on a - node whose value of the label with key + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key topologyKey matches that of any node on - which any of the selected pods is - running. Empty topologyKey is not - allowed. + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object type: object imagePullSecrets: 
@@ -2025,28 +3137,44 @@ spec: description: >- LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: + default: '' description: >- - Name of the referent. More info: + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. - apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map nodeSelector: additionalProperties: type: string description: >- NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on - that node. More info: + that node. + + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object priorityClassName: 
@@ -2054,6 +3182,328 @@ spec: If specified, the pod's priorityClassName. type: string + resources: + description: >- + If specified, the pod's resource + requirements. + + These values override the global + resource configuration flags. + + Note that when only specifying resource + limits, ensure they are greater than or + equal + + to the corresponding global resource + requests configured via controller flags + + (--acme-http01-solver-resource-request-cpu, + --acme-http01-solver-resource-request-memory). + + Kubernetes will reject pod creation if + limits are lower than requests, causing + challenge failures. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to the global values + configured via controller flags. + Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: If specified, the pod's security context + properties: + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. 
+ + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. 
+ type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + addition + + to the container's primary GID, the + fsGroup (if specified), and group + memberships + + defined in the container image for the + uid of the container process. If + unspecified, + + no additional groups are added to any + container. Note that group memberships + + defined in the container image for the + uid of the container process are still + effective, + + even if they are not included in this + list. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. + items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + type: object serviceAccountName: description: If specified, the pod's service account type: string 
@@ -2062,182 +3512,2456 @@ spec: items: description: >- The pod this Toleration is attached to - tolerates any taint that matches the - triple using the + tolerates any taint that matches + + the triple using the matching operator . properties: effect: description: >- Effect indicates the taint effect to match. Empty means match all taint - effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: >- Key is the taint key that the toleration applies to. Empty means match all taint - keys. If the key is empty, operator must - be Exists; this combination means to - match all values and all keys. + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. type: string operator: description: >- Operator represents a key's relationship - to the value. Valid operators are Exists - and Equal. Defaults to Equal. Exists is - equivalent to wildcard for value, so - that a pod can tolerate all taints of a - particular category. + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). type: string tolerationSeconds: description: >- TolerationSeconds represents the period - of time the toleration (which must be of - effect NoExecute, otherwise this field - is ignored) tolerates the taint. By - default, it is not set, which means - tolerate the taint forever (do not - evict). Zero and negative values will be - treated as 0 (evict immediately) by the - system. + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. 
+ By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. format: int64 type: integer value: description: >- Value is the taint value the toleration - matches to. If the operator is Exists, - the value should be empty, otherwise - just a regular string. + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. type: string type: object type: array + x-kubernetes-list-type: atomic type: object type: object serviceType: description: >- Optional service type for Kubernetes - solver service. Supported values are - NodePort or ClusterIP. If unset, defaults - to NodePort. + solver service. Supported values + + are NodePort or ClusterIP. If unset, + defaults to NodePort. type: string type: object - type: object - selector: - description: >- - Selector selects a set of DNSNames on the - Certificate resource that should be solved using - this challenge solver. If not specified, the - solver will be treated as the 'default' solver - with the lowest priority, i.e. if any other solver - has a more specific match, it will be used - instead. - properties: - dnsNames: - description: >- - List of DNSNames that this solver will be used - to solve. If specified and a match is found, a - dnsNames selector will take precedence over a - dnsZones selector. If multiple solvers match - with the same dnsNames value, the solver with - the most matching labels in matchLabels will - be selected. If neither has more matches, the - solver defined earlier in the list will be - selected. - items: - type: string - type: array - dnsZones: - description: >- - List of DNSZones that this solver will be used - to solve. 
The most specific DNS zone match - specified here will take precedence over other - DNS zone matches, so a solver specifying - sys.example.com will be selected over one - specifying example.com for the domain - www.sys.example.com. If multiple solvers match - with the same dnsZones value, the solver with - the most matching labels in matchLabels will - be selected. If neither has more matches, the - solver defined earlier in the list will be - selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string + ingress: description: >- - A label selector that is used to refine the - set of certificate's that this challenge - solver will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: >- - CA configures this issuer to sign certificates using a - signing CA keypair stored in a Secret resource. This is used - to build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: >- - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from - which the revocation of this certificate can be checked. - If not set, certificates will be issued without - distribution points set. - items: - type: string - type: array - ocspServers: - description: >- - The OCSP server list is an X.509 v3 extension that - defines a list of URLs of OCSP responders. The OCSP - responders can be queried for the revocation status of - an issued certificate. If not set, the certificate will - be issued with no OCSP servers set. For example, an OCSP - server URL could be - "http://ocsp.int-x3.letsencrypt.org". - items: - type: string - type: array - secretName: - description: >- - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. 
- type: string - required: - - secretName - type: object - selfSigned: - description: >- - SelfSigned configures this issuer to 'self sign' - certificates using the private key used to create the - CertificateRequest object. - properties: - crlDistributionPoints: - description: >- - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from - which the revocation of this certificate can be checked. - If not set certificate will be issued without CDP. - Values are strings. - items: - type: string - type: array - type: object - vault: - description: >- - Vault configures this issuer to sign certificates using a - HashiCorp Vault PKI backend. - properties: + The ingress based HTTP01 challenge solver will + solve challenges by + + creating or modifying Ingress resources in + order to route requests for + + '/.well-known/acme-challenge/XYZ' to + 'challenge solver' pods that are + + provisioned by cert-manager for each Challenge + to be completed. + properties: + class: + description: >- + This field configures the annotation + `kubernetes.io/ingress.class` when + + creating Ingress resources to solve ACME + challenges that use this + + challenge solver. Only one of `class`, + `name` or `ingressClassName` may + + be specified. + type: string + ingressClassName: + description: >- + This field configures the field + `ingressClassName` on the created Ingress + + resources used to solve ACME challenges + that use this challenge solver. + + This is the recommended way of configuring + the ingress class. Only one of + + `class`, `name` or `ingressClassName` may + be specified. + type: string + ingressTemplate: + description: >- + Optional ingress template used to + configure the ACME challenge solver + + ingress used for HTTP01 challenges. + properties: + metadata: + description: >- + ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. + + Only the 'labels' and 'annotations' + fields may be set. 
+ + If labels or annotations overlap with + in-built values, the values here + + will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: >- + Annotations that should be added to the + created ACME HTTP01 solver ingress. + type: object + labels: + additionalProperties: + type: string + description: >- + Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: >- + The name of the ingress resource that + should have ACME challenge solving + + routes inserted into it in order to solve + HTTP01 challenges. + + This is typically used in conjunction with + ingress controllers like + + ingress-gce, which maintains a 1:1 mapping + between external IPs and + + ingress resources. Only one of `class`, + `name` or `ingressClassName` may + + be specified. + type: string + podTemplate: + description: >- + Optional pod template used to configure + the ACME challenge solver pods + + used for HTTP01 challenges. + properties: + metadata: + description: >- + ObjectMeta overrides for the pod used to + solve HTTP01 challenges. + + Only the 'labels' and 'annotations' + fields may be set. + + If labels or annotations overlap with + in-built values, the values here + + will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: >- + Annotations that should be added to the + created ACME HTTP01 solver pods. + type: object + labels: + additionalProperties: + type: string + description: >- + Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: >- + PodSpec defines overrides for the HTTP01 + challenge solver pod. + + Check + ACMEChallengeSolverHTTP01IngressPodSpec + to find out currently supported fields. + + All other fields will be ignored. 
+ properties: + affinity: + description: >- + If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: >- + Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + An empty preferred scheduling term + matches all objects with implicit weight + 0 + + (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: >- + A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: >- + Weight associated with matching the + corresponding nodeSelectorTerm, in the + range 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to an update), the system + + may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: >- + Required. A list of node selector terms. + The terms are ORed. + items: + description: >- + A null or empty node selector term + matches no objects. The requirements of + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: >- + Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. 
+ + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. 
+ + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. 
+ + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. 
+ + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. 
Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. 
+ + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: >- + Describes pod anti-affinity scheduling + rules (e.g. 
avoid putting this pod in + the same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. 
Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the anti-affinity requirements + specified by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. 
+ + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. 
+ + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. 
+ + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + items: + description: >- + LocalObjectReference contains enough + information to let you locate the + + referenced object inside the same + namespace. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + nodeSelector: + additionalProperties: + type: string + description: >- + NodeSelector is a selector which must be + true for the pod to fit on a node. + + Selector which must match a node's + labels for the pod to be scheduled on + that node. + + More info: + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + priorityClassName: + description: >- + If specified, the pod's + priorityClassName. + type: string + resources: + description: >- + If specified, the pod's resource + requirements. 
+ + These values override the global + resource configuration flags. + + Note that when only specifying resource + limits, ensure they are greater than or + equal + + to the corresponding global resource + requests configured via controller flags + + (--acme-http01-solver-resource-request-cpu, + --acme-http01-solver-resource-request-memory). + + Kubernetes will reject pod creation if + limits are lower than requests, causing + challenge failures. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to the global values + configured via controller flags. + Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: If specified, the pod's security context + properties: + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. + + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. 
The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. 
If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. 
+ + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + addition + + to the container's primary GID, the + fsGroup (if specified), and group + memberships + + defined in the container image for the + uid of the container process. If + unspecified, + + no additional groups are added to any + container. Note that group memberships + + defined in the container image for the + uid of the container process are still + effective, + + even if they are not included in this + list. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. + items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + type: object + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: >- + The pod this Toleration is attached to + tolerates any taint that matches + + the triple using the + matching operator . + properties: + effect: + description: >- + Effect indicates the taint effect to + match. Empty means match all taint + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: >- + Key is the taint key that the toleration + applies to. 
Empty means match all taint + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. + type: string + operator: + description: >- + Operator represents a key's relationship + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: >- + TolerationSeconds represents the period + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. + By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. + format: int64 + type: integer + value: + description: >- + Value is the taint value the toleration + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + serviceType: + description: >- + Optional service type for Kubernetes + solver service. Supported values + + are NodePort or ClusterIP. If unset, + defaults to NodePort. + type: string + type: object + type: object + selector: + description: >- + Selector selects a set of DNSNames on the + Certificate resource that + + should be solved using this challenge solver. + + If not specified, the solver will be treated as + the 'default' solver + + with the lowest priority, i.e. if any other solver + has a more specific + + match, it will be used instead. + properties: + dnsNames: + description: >- + List of DNSNames that this solver will be used + to solve. 
+ + If specified and a match is found, a dnsNames + selector will take + + precedence over a dnsZones selector. + + If multiple solvers match with the same + dnsNames value, the solver + + with the most matching labels in matchLabels + will be selected. + + If neither has more matches, the solver + defined earlier in the list + + will be selected. + items: + type: string + type: array + x-kubernetes-list-type: atomic + dnsZones: + description: >- + List of DNSZones that this solver will be used + to solve. + + The most specific DNS zone match specified + here will take precedence + + over other DNS zone matches, so a solver + specifying sys.example.com + + will be selected over one specifying + example.com for the domain + + www.sys.example.com. + + If multiple solvers match with the same + dnsZones value, the solver + + with the most matching labels in matchLabels + will be selected. + + If neither has more matches, the solver + defined earlier in the list + + will be selected. + items: + type: string + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + A label selector that is used to refine the + set of certificate's that + + this challenge solver will apply to. + type: object + type: object + type: object + type: array + x-kubernetes-list-type: atomic + required: + - privateKeySecretRef + - server + type: object + ca: + description: >- + CA configures this issuer to sign certificates using a + signing CA keypair + + stored in a Secret resource. + + This is used to build internal PKIs that are managed by + cert-manager. + properties: + crlDistributionPoints: + description: >- + The CRL distribution points is an X.509 v3 certificate + extension which identifies + + the location of the CRL from which the revocation of + this certificate can be checked. + + If not set, certificates will be issued without + distribution points set. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + issuingCertificateURLs: + description: >- + IssuingCertificateURLs is a list of URLs which this + issuer should embed into certificates + + it creates. See + https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 + for more details. + + As an example, such a URL might be + "http://ca.domain.com/ca.crt". + items: + type: string + type: array + x-kubernetes-list-type: atomic + ocspServers: + description: >- + The OCSP server list is an X.509 v3 extension that + defines a list of + + URLs of OCSP responders. The OCSP responders can be + queried for the + + revocation status of an issued certificate. If not set, + the + + certificate will be issued with no OCSP servers set. For + example, an + + OCSP server URL could be + "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + x-kubernetes-list-type: atomic + secretName: + description: >- + SecretName is the name of the secret used to sign + Certificates issued + + by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: >- + SelfSigned configures this issuer to 'self sign' + certificates using the + + private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: >- + The CRL distribution points is an X.509 v3 certificate + extension which identifies + + the location of the CRL from which the revocation of + this certificate can be checked. + + If not set certificate will be issued without CDP. + Values are strings. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + vault: + description: >- + Vault configures this issuer to sign certificates using a + HashiCorp Vault + + PKI backend. + properties: auth: description: >- Auth configures how cert-manager authenticates with the 
@@ -2246,39 +5970,52 @@ spec: appRole: description: >- AppRole authenticates with Vault using the App Role - auth mechanism, with the role and secret stored in a - Kubernetes Secret resource. + auth mechanism, + + with the role and secret stored in a Kubernetes + Secret resource. properties: path: description: >- Path where the App Role authentication backend - is mounted in Vault, e.g: "approle" + is mounted in Vault, e.g: + + "approle" type: string roleId: description: >- RoleID configured in the App Role authentication - backend when setting up the authentication - backend in Vault. + backend when setting + + up the authentication backend in Vault. type: string secretRef: description: >- Reference to a key in a Secret that contains the - App Role secret used to authenticate with Vault. + App Role secret used + + to authenticate with Vault. + The `key` field must be specified and denotes - which entry within the Secret resource is used - as the app role secret. + which entry within the Secret + + resource is used as the app role secret. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -2289,45 +6026,102 @@ spec: - roleId - secretRef type: object + clientCertificate: + description: >- + ClientCertificate authenticates with Vault by + presenting a client + + certificate during the request's TLS handshake. + + Works only when using HTTPS protocol. + properties: + mountPath: + description: >- + The Vault mountPath here is the mount path to + use when authenticating with + + Vault. For example, setting a value to + `/v1/auth/foo`, will use the path + + `/v1/auth/foo/login` to authenticate with Vault. + If unspecified, the + + default value "/v1/auth/cert" will be used. + type: string + name: + description: >- + Name of the certificate role to authenticate + against. + + If not set, matching any certificate role, if + available. + type: string + secretName: + description: >- + Reference to Kubernetes Secret of type + "kubernetes.io/tls" (hence containing + + tls.crt and tls.key) used to authenticate to + Vault using TLS client + + authentication. + type: string + type: object kubernetes: description: >- Kubernetes authenticates with Vault by passing the - ServiceAccount token stored in the named Secret - resource to the Vault server. + ServiceAccount + + token stored in the named Secret resource to the + Vault server. properties: mountPath: description: >- The Vault mountPath here is the mount path to - use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the - path `/v1/auth/foo/login` to authenticate with - Vault. If unspecified, the default value - "/v1/auth/kubernetes" will be used. + use when authenticating with + + Vault. For example, setting a value to + `/v1/auth/foo`, will use the path + + `/v1/auth/foo/login` to authenticate with Vault. + If unspecified, the + + default value "/v1/auth/kubernetes" will be + used. type: string role: description: >- A required field containing the Vault Role to - assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. + assume. 
A Role binds a + + Kubernetes ServiceAccount with a set of Vault + policies. type: string secretRef: description: >- The required Secret field containing a - Kubernetes ServiceAccount JWT used for - authenticating with Vault. Use of 'ambient - credentials' is not supported. + Kubernetes ServiceAccount JWT used + + for authenticating with Vault. Use of 'ambient + credentials' is not + + supported. properties: key: description: >- The key of the entry in the Secret - resource's `data` field to be used. Some - instances of this field may be defaulted, in - others it may be required. + resource's `data` field to be used. + + Some instances of this field may be + defaulted, in others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -2336,13 +6130,31 @@ spec: serviceAccountRef: description: >- A reference to a service account that will be - used to request a bound token (also known as - "projected token"). Compared to using - "secretRef", using this field means that you - don't rely on statically bound tokens. To use - this field, you must configure an RBAC rule to - let cert-manager request a token. + used to request a bound + + token (also known as "projected token"). + Compared to using "secretRef", + + using this field means that you don't rely on + statically bound tokens. To + + use this field, you must configure an RBAC rule + to let cert-manager + + request a token. properties: + audiences: + description: >- + TokenAudiences is an optional list of extra + audiences to include in the token passed to + Vault. + + The default audiences are always included in + the token. + items: + type: string + type: array + x-kubernetes-list-type: atomic name: description: >- Name of the ServiceAccount used to request a 
@@ -2362,14 +6174,18 @@ spec: key: description: >- The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -2379,11 +6195,18 @@ spec: caBundle: description: >- Base64-encoded bundle of PEM CAs which will be used to - validate the certificate chain presented by Vault. Only - used if using HTTPS to connect to Vault and ignored for - HTTP connections. Mutually exclusive with - CABundleSecretRef. If neither CABundle nor - CABundleSecretRef are defined, the certificate bundle in + validate the certificate + + chain presented by Vault. Only used if using HTTPS to + connect to Vault and + + ignored for HTTP connections. + + Mutually exclusive with CABundleSecretRef. + + If neither CABundle nor CABundleSecretRef are defined, + the certificate bundle in + the cert-manager controller container is used to validate the TLS connection. format: byte 
@@ -2391,23 +6214,91 @@ spec: caBundleSecretRef: description: >- Reference to a Secret containing a bundle of PEM-encoded - CAs to use when verifying the certificate chain - presented by Vault when using HTTPS. Mutually exclusive - with CABundle. If neither CABundle nor CABundleSecretRef - are defined, the certificate bundle in the cert-manager - controller container is used to validate the TLS - connection. If no key for the Secret is specified, - cert-manager will default to 'ca.crt'. + CAs to use when + + verifying the certificate chain presented by Vault when + using HTTPS. + + Mutually exclusive with CABundle. + + If neither CABundle nor CABundleSecretRef are defined, + the certificate bundle in + + the cert-manager controller container is used to + validate the TLS connection. + + If no key for the Secret is specified, cert-manager will + default to 'ca.crt'. + properties: + key: + description: >- + The key of the entry in the Secret resource's `data` + field to be used. + + Some instances of this field may be defaulted, in + others it may be + + required. + type: string + name: + description: >- + Name of the resource being referred to. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + clientCertSecretRef: + description: >- + Reference to a Secret containing a PEM-encoded Client + Certificate to use when the + + Vault server requires mTLS. + properties: + key: + description: >- + The key of the entry in the Secret resource's `data` + field to be used. + + Some instances of this field may be defaulted, in + others it may be + + required. + type: string + name: + description: >- + Name of the resource being referred to. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + clientKeySecretRef: + description: >- + Reference to a Secret containing a PEM-encoded Client + Private Key to use when the + + Vault server requires mTLS. properties: key: description: >- The key of the entry in the Secret resource's `data` - field to be used. Some instances of this field may - be defaulted, in others it may be required. + field to be used. + + Some instances of this field may be defaulted, in + others it may be + + required. type: string name: description: >- - Name of the resource being referred to. More info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -2418,19 +6309,29 @@ spec: Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: description: >- Path is the mount path of the Vault PKI backend's `sign` - endpoint, e.g: "my_pki_mount/sign/my-role-name". + endpoint, e.g: + + "my_pki_mount/sign/my-role-name". type: string server: description: >- Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". type: string + serverName: + description: >- + ServerName is used to verify the hostname on the + returned certificates + + by the Vault server. + type: string required: - auth - path 
@@ -2439,29 +6340,38 @@ spec: venafi: description: >- Venafi configures this issuer to sign certificates using a - Venafi TPP or Venafi Cloud policy zone. + CyberArk Certificate Manager Self-Hosted + + or SaaS policy zone. properties: cloud: description: >- - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. + Cloud specifies the CyberArk Certificate Manager SaaS + configuration settings. + + Only one of CyberArk Certificate Manager may be + specified. properties: apiTokenSecretRef: description: >- APITokenSecretRef is a secret key selector for the - Venafi Cloud API token. + CyberArk Certificate Manager SaaS API token. properties: key: description: >- The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + required. type: string name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: 
@@ -2469,38 +6379,92 @@ spec: type: object url: description: >- - URL is the base URL for Venafi Cloud. Defaults to - "https://api.venafi.cloud/v1". + URL is the base URL for CyberArk Certificate Manager + SaaS. + + Defaults to "https://api.venafi.cloud/". type: string required: - apiTokenSecretRef type: object tpp: description: >- - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. + TPP specifies CyberArk Certificate Manager Self-Hosted + configuration settings. + + Only one of CyberArk Certificate Manager may be + specified. properties: caBundle: description: >- Base64-encoded bundle of PEM CAs which will be used - to validate the certificate chain presented by the - TPP server. Only used if using HTTPS; ignored for - HTTP. If undefined, the certificate bundle in the - cert-manager controller container is used to - validate the chain. + to validate the certificate + + chain presented by the CyberArk Certificate Manager + Self-Hosted server. Only used if using HTTPS; + ignored for HTTP. + + If undefined, the certificate bundle in the + cert-manager controller container + + is used to validate the chain. format: byte type: string + caBundleSecretRef: + description: >- + Reference to a Secret containing a base64-encoded + bundle of PEM CAs + + which will be used to validate the certificate chain + presented by the CyberArk Certificate Manager + Self-Hosted server. + + Only used if using HTTPS; ignored for HTTP. Mutually + exclusive with CABundle. + + If neither CABundle nor CABundleSecretRef is + defined, the certificate bundle in + + the cert-manager controller container is used to + validate the TLS connection. + properties: + key: + description: >- + The key of the entry in the Secret resource's + `data` field to be used. + + Some instances of this field may be defaulted, + in others it may be + + required. + type: string + name: + description: >- + Name of the resource being referred to. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object credentialsRef: description: >- CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The - secret must contain two keys, 'username' and - 'password'. + the CyberArk Certificate Manager Self-Hosted API + credentials. + + The secret must contain the key 'access-token' for + the Access Token Authentication, + + or two keys, 'username' and 'password' for the API + Keys Authentication. properties: name: description: >- - Name of the resource being referred to. More - info: + Name of the resource being referred to. + + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string required: @@ -2509,8 +6473,9 @@ spec: url: description: >- URL is the base URL for the vedsdk endpoint of the - Venafi TPP instance, for example: - "https://tpp.example.com/vedsdk". + CyberArk Certificate Manager Self-Hosted instance, + + for example: "https://tpp.example.com/vedsdk". type: string required: - credentialsRef @@ -2518,10 +6483,15 @@ spec: type: object zone: description: >- - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be - restricted by the named zone policy. This field is - required. + Zone is the Certificate Manager Policy Zone to use for + this issuer. + + All requests made to the Certificate Manager platform + will be restricted by the named + + zone policy. + + This field is required. type: string required: - zone 
@@ -2532,34 +6502,47 @@ spec: properties: acme: description: >- - ACME specific status options. This field should only be set - if the Issuer is configured to use an ACME server to issue - certificates. + ACME specific status options. + + This field should only be set if the Issuer is configured to + use an ACME + + server to issue certificates. properties: lastPrivateKeyHash: description: >- LastPrivateKeyHash is a hash of the private key - associated with the latest registered ACME account, in - order to track changes made to registered account + associated with the latest + + registered ACME account, in order to track changes made + to registered account + associated with the Issuer type: string lastRegisteredEmail: description: >- LastRegisteredEmail is the email associated with the - latest registered ACME account, in order to track - changes made to registered account associated with the - Issuer + latest registered + + ACME account, in order to track changes made to + registered account + + associated with the Issuer type: string uri: description: >- URI is the unique account identifier, which can also be - used to retrieve account details from the CA + used to retrieve + + account details from the CA type: string type: object conditions: description: >- List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. + CertificateRequest. + + Known condition types are `Ready`. items: description: >- IssuerCondition contains condition information for an 
@@ -2568,28 +6551,40 @@ spec: lastTransitionTime: description: >- LastTransitionTime is the timestamp corresponding to - the last status change of this condition. + the last status + + change of this condition. format: date-time type: string message: description: >- Message is a human readable description of the details - of the last transition, complementing reason. + of the last + + transition, complementing reason. type: string observedGeneration: description: >- If set, this represents the .metadata.generation that - the condition was set based upon. For instance, if - .metadata.generation is currently 12, but the + the condition was + + set based upon. + + For instance, if .metadata.generation is currently 12, + but the + .status.condition[x].observedGeneration is 9, the - condition is out of date with respect to the current - state of the Issuer. + condition is out of date + + with respect to the current state of the Issuer. format: int64 type: integer reason: description: >- Reason is a brief machine readable explanation for the - condition's last transition. + condition's last + + transition. type: string status: description: >- diff --git a/_/CustomResourceDefinition/listenersets.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/listenersets.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..dfe0333 --- /dev/null +++ b/_/CustomResourceDefinition/listenersets.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,1201 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: listenersets.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets + shortNames: + - lset + singular: listenerset + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + ListenerSet defines a set of additional listeners to attach to an + existing Gateway. + + This resource provides a mechanism to merge multiple listeners into + a single Gateway. + + + The parent Gateway must explicitly allow ListenerSet attachment + through its + + AllowedListeners configuration. By default, Gateways do not allow + ListenerSet + + attachment. + + + Routes can attach to a ListenerSet by specifying it as a parentRef, + and can + + optionally target specific listeners using the sectionName field. 
+ + + Policy Attachment: + + - Policies that attach to a ListenerSet apply to all listeners + defined in that resource + + - Policies do not impact listeners in the parent Gateway + + - Different ListenerSets attached to the same Gateway can have + different policies + + - If an implementation cannot apply a policy to specific listeners, + it should reject the policy + + + ReferenceGrant Semantics: + + - ReferenceGrants applied to a Gateway are not inherited by child + ListenerSets + + - ReferenceGrants applied to a ListenerSet do not grant permission + to the parent Gateway's listeners + + - A ListenerSet can reference secrets/backends in its own namespace + without a ReferenceGrant + + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ListenerSet. 
+ properties: + listeners: + description: >- + Listeners associated with this ListenerSet. Listeners define + + logical endpoints that are bound on this referenced parent + Gateway's addresses. + + + Listeners in a `Gateway` and their attached `ListenerSets` + are concatenated + + as a list when programming the underlying infrastructure. + Each listener + + name does not need to be unique across the Gateway and + ListenerSets. + + See ListenerEntry.Name for more details. + + + Implementations MUST treat the parent Gateway as having the + merged + + list of all listeners from itself and attached ListenerSets + using + + the following precedence: + + + 1. "parent" Gateway + + 2. ListenerSet ordered by creation time (oldest first) + + 3. ListenerSet ordered alphabetically by + "{namespace}/{name}". + + + An implementation MAY reject listeners by setting the + ListenerEntryStatus + + `Accepted` condition to False with the Reason + `TooManyListeners` + + + If a listener has a conflict, this will be reported in the + + Status.ListenerEntryStatus setting the `Conflicted` + condition to True. + + + Implementations SHOULD be cautious about what information + from the + + parent or siblings are reported to avoid accidentally + leaking + + sensitive information that the child would not otherwise + have access + + to. This can include contents of secrets etc. + items: + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: >- + AllowedRoutes defines the types of routes that MAY be + attached to a + + Listener and the trusted namespaces where those Route + resources MAY be + + present. + + + Although a client request may match multiple route + rules, only one rule + + may ultimately receive the request. Matching + precedence MUST be + + determined in order of the following criteria: + + + * The most specific match as defined by the Route + type. + + * The oldest Route based on creation timestamp. 
For + example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route + appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this + Listener should be + + implemented. Invalid Route rules can be ignored + (sometimes that will mean + + the full Route). If a Route rule transitions from + valid to invalid, + + support for that Route rule should be dropped to + ensure consistency. For + + example, even if a filter specified by a Route rule is + invalid, the rest + + of the rules within that Route should still be + supported. + properties: + kinds: + description: >- + Kinds specifies the groups and kinds of Routes + that are allowed to bind + + to this Gateway Listener. When unspecified or + empty, the kinds of Routes + + selected are determined using the Listener + protocol. + + + A RouteGroupKind MUST correspond to kinds of + Routes that are compatible + + with the application protocol specified in the + Listener's Protocol field. + + If an implementation does not support or recognize + this resource type, it + + MUST set the "ResolvedRefs" condition to False for + this Listener with the + + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: >- + Namespaces indicates namespaces from which Routes + may be attached to this + + Listener. This is restricted to the namespace of + this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: >- + From indicates where Routes will be selected + for this Gateway. Possible + + values are: + + + * All: Routes in all namespaces may be used by + this Gateway. + + * Selector: Routes in namespaces selected by + the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may + be used by this Gateway. + + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". In that case, + + only Routes in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other + values of "From". + + + Support: Core + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. 
This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: >- + Hostname specifies the virtual hostname to match for + protocol types that + + define this concept. When unspecified, all hostnames + are matched. This + + field is ignored for protocols that don't require + hostname based + + matching. + + + Implementations MUST apply Hostname matching + appropriately for each of + + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + + * HTTP: The Listener Hostname MUST match the Host + header of the request. + + * HTTPS: The Listener Hostname SHOULD match at both + the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an + interaction with the + + `spec.hostnames` array. When both listener and route + specify hostnames, + + there MUST be an intersection between the values for a + Route to be + + accepted. For more information, refer to the Route + specific Hostnames + + documentation. + + + Hostnames that are prefixed with a wildcard label + (`*.`) are interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, + but not `example.com`. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: >- + Name is the name of the Listener. This name MUST be + unique within a + + ListenerSet. + + + Name is not required to be unique across a Gateway and + ListenerSets. + + Routes can attach to a Listener by having a + ListenerSet as a parentRef + + and setting the SectionName + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: >- + Port is the network port. Multiple listeners may use + the + + same port, subject to the Listener compatibility + rules. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: >- + Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 + minLength: 1 + pattern: >- + ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: >- + TLS is the TLS configuration for the Listener. This + field is required if + + the Protocol field is "HTTPS" or "TLS". It is invalid + to set this field + + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in + ListenerTLSConfig is + + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out + of all + + available certificates for any TLS handshake. + properties: + certificateRefs: + description: >- + CertificateRefs contains a series of references to + Kubernetes objects that + + contains TLS certificates and private keys. These + certificates are used to + + establish a TLS handshake for requests that match + the hostname of the + + associated listener. + + + A single CertificateRef to a Kubernetes Secret has + "Core" support. 
+ + Implementations MAY choose to support attaching + multiple certificates to + + a Listener, but this behavior is + implementation-specific. + + + References to a resource in different namespace + are invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the certificate + + to be attached. If a ReferenceGrant does not allow + this reference, the + + "ResolvedRefs" condition MUST be set to False for + this listener with the + + "RefNotPermitted" reason. + + + This field is required to have at least one + element when the mode is set + + to "Terminate" (default) and is optional + otherwise. + + + CertificateRefs can reference to standard + Kubernetes resources, i.e. + + Secret, or implementation-specific custom + resources. + + + Support: Core - A single reference to a Kubernetes + Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one + reference or other resource types) + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the + Group and Kind must + + be registered in the cluster for this reference + to be valid. + + + References to objects with invalid Group and + Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: >- + Mode defines the TLS behavior for the TLS session + initiated by the client. + + There are two possible modes: + + + - Terminate: The TLS session between the + downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated + by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. This + roughly matches Kubernetes + + annotation validation, although the length + validation in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable + extended TLS + + configuration for each implementation. For + example, configuring the + + minimum TLS version or supported cipher suites. 
+ + + A set of common keys MAY be defined by the API in + the future. To avoid + + any ambiguity, implementation-specific definitions + MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names + defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: >- + certificateRefs or options must be specified when + mode is Terminate + rule: >- + self.mode == 'Terminate' ? + size(self.certificateRefs) > 0 || + size(self.options) > 0 : true + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['HTTP', 'TCP', 'UDP'] ? + !has(l.tls) : true) + - message: tls mode must be Terminate for protocol HTTPS + rule: >- + self.all(l, (l.protocol == 'HTTPS' && has(l.tls)) ? + (l.tls.mode == '' || l.tls.mode == 'Terminate') : true) + - message: tls mode must be set for protocol TLS + rule: >- + self.all(l, (l.protocol == 'TLS' ? has(l.tls) && + has(l.tls.mode) && l.tls.mode != '' : true)) + - message: >- + hostname must not be specified for protocols ['TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['TCP', 'UDP'] ? + (!has(l.hostname) || l.hostname == '') : true) + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: >- + Combination of port, protocol and hostname must be + unique for each listener + rule: >- + self.all(l1, !has(l1.port) || self.exists_one(l2, + has(l2.port) && l1.port == l2.port && l1.protocol == + l2.protocol && (has(l1.hostname) && has(l2.hostname) ? 
+ l1.hostname == l2.hostname : !has(l1.hostname) && + !has(l2.hostname)))) + parentRef: + description: >- + ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. If not + present, + + the namespace of the referent is assumed to be the same + as + + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - listeners + - parentRef + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. + properties: + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: >- + Conditions describe the current conditions of the + ListenerSet. 
+ + + Implementations MUST express ListenerSet conditions using + the + + `ListenerSetConditionType` and `ListenerSetConditionReason` + + constants so that operators and tools can converge on a + common + + vocabulary to describe ListenerSet state. + + + Known condition types are: + + + * "Accepted" + + * "Programmed" + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: >- + Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: >- + AttachedRoutes represents the total number of Routes + that have been + + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is + based solely on the + + combination of the AllowedRoutes field on the + corresponding Listener + + and the Route's ParentRefs field. A Route is + successfully attached to + + a Listener when it is selected by the Listener's + AllowedRoutes field + + AND the Route has a valid ParentRef selecting the + whole Gateway + + resource or a specific Listener as a parent resource + (more detail on + + attachment semantics can be found in the documentation + on the various + + Route kinds ParentRefs fields). Listener status does + not impact + + successful attachment, i.e. the AttachedRoutes field + count MUST be set + + for Listeners, even if the Accepted condition of an + individual Listener is set + + to "False". The AttachedRoutes number represents the + number of Routes with + + the Accepted condition set to "True" that have been + attached to this Listener. + + Routes with any other value for the Accepted condition + MUST NOT be included + + in this count. 
+ + + Uses for this field include troubleshooting Route + attachment and + + measuring blast radius/impact of changes to a + Listener. + format: int32 + type: integer + conditions: + description: >- + Conditions describe the current condition of this + listener. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: >- + Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: >- + SupportedKinds is the list indicating the Kinds + supported by this + + listener. This MUST represent the kinds supported by + an implementation for + + that Listener configuration. + + + If kinds are specified in Spec that are not supported, + they MUST NOT + + appear in this list and an implementation MUST set the + "ResolvedRefs" + + condition to "False" with the "InvalidRouteKinds" + reason. If both valid + + and invalid Route kinds are specified, the + implementation MUST + + reference the valid Route kinds that have been + specified. + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/orders.acme.cert-manager.io.yaml b/_/CustomResourceDefinition/orders.acme.cert-manager.io.yaml index 8d3ce96..394f26b 100644 --- a/_/CustomResourceDefinition/orders.acme.cert-manager.io.yaml +++ b/_/CustomResourceDefinition/orders.acme.cert-manager.io.yaml @@ -1,13 +1,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + annotations: + controller-gen.kubebuilder.io/version: v0.20.1 name: orders.acme.cert-manager.io spec: group: acme.cert-manager.io 
@@ -49,16 +44,28 @@ spec: apiVersion: description: >- APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the - latest internal value, and may reject unrecognized values. More - info: + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: >- Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the - client submits requests to. Cannot be updated. In CamelCase. + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string 
@@ -69,57 +76,90 @@ spec: commonName: description: >- CommonName is the common name as specified on the DER - encoded CSR. If specified, this value must also be present - in `dnsNames` or `ipAddresses`. This field must match the - corresponding field on the DER encoded CSR. + encoded CSR. + + If specified, this value must also be present in `dnsNames` + or `ipAddresses`. + + This field must match the corresponding field on the DER + encoded CSR. type: string dnsNames: description: >- DNSNames is a list of DNS names that should be included as - part of the Order validation process. This field must match - the corresponding field on the DER encoded CSR. + part of the Order + + validation process. + + This field must match the corresponding field on the DER + encoded CSR. items: type: string type: array + x-kubernetes-list-type: atomic duration: description: >- Duration is the duration for the not after date for the - requested certificate. this is set on order creation as pe - the ACME spec. + requested certificate. + + this is set on order creation as pe the ACME spec. type: string ipAddresses: description: >- IPAddresses is a list of IP addresses that should be - included as part of the Order validation process. This field - must match the corresponding field on the DER encoded CSR. + included as part of the Order + + validation process. + + This field must match the corresponding field on the DER + encoded CSR. items: type: string type: array + x-kubernetes-list-type: atomic issuerRef: description: >- IssuerRef references a properly configured ACME-type Issuer - which should be used to create this Order. If the Issuer - does not exist, processing will be retried. If the Issuer is - not an 'ACME' Issuer, an error will be returned and the + which should + + be used to create this Order. + + If the Issuer does not exist, processing will be retried. + + If the Issuer is not an 'ACME' Issuer, an error will be + returned and the + Order will be marked as failed. 
properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name type: object - request: + profile: description: >- - Certificate signing request bytes in DER encoding. This will - be used when finalizing the order. This field must be set on - the order. + Profile allows requesting a certificate profile from the + ACME server. + + Supported profiles are listed by the server's ACME directory + URL. + type: string + request: + description: |- + Certificate signing request bytes in DER encoding. + This will be used when finalizing the order. + This field must be set on the order. format: byte type: string required: 
@@ -131,48 +171,74 @@ spec: authorizations: description: >- Authorizations contains data returned from the ACME server - on what authorizations must be completed in order to - validate the DNS names specified on the Order. + on what + + authorizations must be completed in order to validate the + DNS names + + specified on the Order. items: description: >- ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order - validate a DNS name on an ACME Order resource. + server on an + + authorization that must be completed in order validate a + DNS name on an ACME + + Order resource. properties: challenges: description: >- Challenges specifies the challenge types offered by - the ACME server. One of these challenge types will be - selected when validating the DNS name and an - appropriate Challenge resource will be created to - perform the ACME challenge process. + the ACME server. + + One of these challenge types will be selected when + validating the DNS + + name and an appropriate Challenge resource will be + created to perform + + the ACME challenge process. items: description: >- Challenge specifies a challenge offered by the ACME - server for an Order. An appropriate Challenge - resource can be created to perform the ACME + server for an Order. + + An appropriate Challenge resource can be created to + perform the ACME + challenge process. properties: token: description: >- Token is the token that must be presented for - this challenge. This is used to compute the - 'key' that must also be presented. + this challenge. + + This is used to compute the 'key' that must also + be presented. type: string type: description: >- Type is the type of challenge being offered, - e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. + e.g., 'http-01', 'dns-01', + + 'tls-sni-01', etc. + This is the raw value retrieved from the ACME - server. Only 'http-01' and 'dns-01' are - supported by cert-manager, other values will be - ignored. 
+ server. + + Only 'http-01' and 'dns-01' are supported by + cert-manager, other values + + will be ignored. type: string url: description: >- URL is the URL of this challenge. It can be used - to retrieve additional metadata about the - Challenge from the ACME server. + to retrieve additional + + metadata about the Challenge from the ACME + server. type: string required: - token @@ -180,6 +246,7 @@ spec: - url type: object type: array + x-kubernetes-list-type: atomic identifier: description: >- Identifier is the DNS name to be validated as part of @@ -188,14 +255,25 @@ spec: initialState: description: >- InitialState is the initial state of the ACME - authorization when first fetched from the ACME server. + authorization when first + + fetched from the ACME server. + If an Authorization is already 'valid', the Order - controller will not create a Challenge resource for - the authorization. This will occur when working with - an ACME server that enables 'authz reuse' (such as - Let's Encrypt's production endpoint). If not set and - 'identifier' is set, the state is assumed to be - pending and a Challenge will be created. + controller will not + + create a Challenge resource for the authorization. + This will occur when + + working with an ACME server that enables 'authz reuse' + (such as Let's + + Encrypt's production endpoint). + + If not set and 'identifier' is set, the state is + assumed to be pending + + and a Challenge will be created. enum: - valid - ready 
@@ -213,42 +291,60 @@ spec: wildcard: description: >- Wildcard will be true if this authorization is for a - wildcard DNS name. If this is true, the identifier - will be the *non-wildcard* version of the DNS name. + wildcard DNS name. + + If this is true, the identifier will be the + *non-wildcard* version of + + the DNS name. + For example, if '*.example.com' is the DNS name being - validated, this field will be 'true' and the - 'identifier' field will be 'example.com'. + validated, this + + field will be 'true' and the 'identifier' field will + be 'example.com'. type: boolean required: - url type: object type: array + x-kubernetes-list-type: atomic certificate: description: >- Certificate is a copy of the PEM encoded certificate for - this Order. This field will be populated after the order has - been successfully finalized with the ACME server, and the - order has transitioned to the 'valid' state. + this Order. + + This field will be populated after the order has been + successfully + + finalized with the ACME server, and the order has + transitioned to the + + 'valid' state. format: byte type: string failureTime: - description: >- - FailureTime stores the time that this order failed. This is - used to influence garbage collection and back-off. + description: |- + FailureTime stores the time that this order failed. + This is used to influence garbage collection and back-off. format: date-time type: string finalizeURL: description: >- - FinalizeURL of the Order. This is used to obtain - certificates for this order once it has been completed. + FinalizeURL of the Order. + + This is used to obtain certificates for this order once it + has been completed. type: string reason: description: >- Reason optionally provides more information about a why the - order is in the current state. + order is in + + the current state. type: string state: - description: >- + description: |- State contains the current state of this Order resource. 
States 'success' and 'expired' are 'final' enum: @@ -262,16 +358,25 @@ spec: type: string url: description: >- - URL of the Order. This will initially be empty when the - resource is first created. The Order controller will - populate this field when the Order is first processed. This - field will be immutable after it is initially set. + URL of the Order. + + This will initially be empty when the resource is first + created. + + The Order controller will populate this field when the Order + is first processed. + + This field will be immutable after it is initially set. type: string type: object required: - metadata - spec type: object + selectableFields: + - jsonPath: .spec.issuerRef.group + - jsonPath: .spec.issuerRef.kind + - jsonPath: .spec.issuerRef.name served: true storage: true subresources: diff --git a/_/CustomResourceDefinition/referencegrants.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/referencegrants.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..b1d0357 --- /dev/null +++ b/_/CustomResourceDefinition/referencegrants.gateway.networking.k8s.io.yaml 
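Review bot: The `selectableFields` stanza added to the Order CRD in this hunk (`- jsonPath: .spec.issuerRef.group` / `.kind` / `.name`) is only accepted by API servers that have the CustomResourceFieldSelectors feature (introduced in Kubernetes 1.30, enabled by default from 1.31, GA in 1.32); on an older control plane `kubectl apply` with its default strict field validation would reject the manifest as carrying an unknown field, so the whole cert-manager CRD apply fails rather than degrading gracefully. Nothing in the commit states the minimum cluster version this chart bump now assumes, so I would confirm the target cluster is at least 1.31 before rolling it out, and record that floor in the repository docs, e.g. a comment near the top of the manifest such as `# requires Kubernetes >= 1.31 (selectableFields on CRDs)`. The same field is presumably emitted on the other regenerated cert-manager CRDs outside this chunk, so the check applies there too.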
@@ -0,0 +1,499 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + ReferenceGrant identifies kinds of resources in other namespaces + that are + + trusted to reference the specified kinds of resources in the same + namespace + + as the policy. + + + Each ReferenceGrant can be used to represent a unique trust + relationship. + + Additional Reference Grants can be used to add to the set of trusted + + sources of inbound references for the namespace they are defined + within. + + + All cross-namespace references in Gateway API (with the exception of + cross-namespace + + Gateway-route attachment) require a ReferenceGrant. + + + ReferenceGrant is a form of runtime verification allowing users to + assert + + which cross-namespace object references are permitted. + Implementations that + + support ReferenceGrant MUST NOT permit cross-namespace references + which have + + no grant, and MUST respond to the removal of a grant by revoking the + access + + that the grant allowed. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. 
+ + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: >- + From describes the trusted namespaces and kinds that can + reference the + + resources described in "To". Each entry in this list MUST be + considered + + to be an additional place that references can be valid from, + or to put + + this another way, entries MUST be combined using OR. + + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. Although + implementations may support + + additional resources, the following types are part of + the "Core" + + support level for this field. + + + When used to permit a SecretObjectReference: + + + * Gateway + + + When used to permit a BackendObjectReference: + + + * GRPCRoute + + * HTTPRoute + + * TCPRoute + + * TLSRoute + + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. 
+ + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: >- + To describes the resources that may be referenced by the + resources + + described in "From". Each entry in this list MUST be + considered to be an + + additional place that references can be valid to, or to put + this another + + way, entries MUST be combined using OR. + + + Support: Core + items: + description: >- + ReferenceGrantTo describes what Kinds are allowed as + targets of the + + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. Although + implementations may support + + additional resources, the following types are part of + the "Core" + + support level for this field: + + + * Secret when used to permit a SecretObjectReference + + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. When unspecified, + this policy + + refers to all resources of the specified Group and + Kind in the local + + namespace. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: >- + ReferenceGrant identifies kinds of resources in other namespaces + that are + + trusted to reference the specified kinds of resources in the same + namespace + + as the policy. + + + Each ReferenceGrant can be used to represent a unique trust + relationship. + + Additional Reference Grants can be used to add to the set of trusted + + sources of inbound references for the namespace they are defined + within. + + + All cross-namespace references in Gateway API (with the exception of + cross-namespace + + Gateway-route attachment) require a ReferenceGrant. + + + ReferenceGrant is a form of runtime verification allowing users to + assert + + which cross-namespace object references are permitted. + Implementations that + + support ReferenceGrant MUST NOT permit cross-namespace references + which have + + no grant, and MUST respond to the removal of a grant by revoking the + access + + that the grant allowed. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. 
+ + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: >- + From describes the trusted namespaces and kinds that can + reference the + + resources described in "To". Each entry in this list MUST be + considered + + to be an additional place that references can be valid from, + or to put + + this another way, entries MUST be combined using OR. + + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. Although + implementations may support + + additional resources, the following types are part of + the "Core" + + support level for this field. + + + When used to permit a SecretObjectReference: + + + * Gateway + + + When used to permit a BackendObjectReference: + + + * GRPCRoute + + * HTTPRoute + + * TCPRoute + + * TLSRoute + + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: >- + To describes the resources that may be referenced by the + resources + + described in "From". 
Each entry in this list MUST be + considered to be an + + additional place that references can be valid to, or to put + this another + + way, entries MUST be combined using OR. + + + Support: Core + items: + description: >- + ReferenceGrantTo describes what Kinds are allowed as + targets of the + + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. Although + implementations may support + + additional resources, the following types are part of + the "Core" + + support level for this field: + + + * Secret when used to permit a SecretObjectReference + + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. When unspecified, + this policy + + refers to all resources of the specified Group and + Kind in the local + + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/securitypolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/securitypolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..d044e29 --- /dev/null +++ b/_/CustomResourceDefinition/securitypolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,9204 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: securitypolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: SecurityPolicy + listKind: SecurityPolicyList + plural: securitypolicies + shortNames: + - sp + singular: securitypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + SecurityPolicy allows the user to configure various security + settings for a + + Gateway. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of SecurityPolicy. + properties: + apiKeyAuth: + description: >- + APIKeyAuth defines the configuration for the API Key + Authentication. + properties: + credentialRefs: + description: >- + CredentialRefs is the Kubernetes secret which contains + the API keys. + + This is an Opaque secret. + + Each API key is stored in the key representing the + client id. + + If the secrets have a key for a duplicated client, the + first one will be used. 
+ items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the Group + and Kind must + + be registered in the cluster for this reference to be + valid. + + + References to objects with invalid Group and Kind are + not valid, and must + + be rejected by the implementation, with appropriate + Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: array + extractFrom: + description: >- + ExtractFrom is where to fetch the key from the coming + request. + + The value from the first source that has a key will be + used. + items: + description: >- + ExtractFrom is where to fetch the key from the coming + request. + + Only one of header, param or cookie is supposed to be + specified. 
+ properties: + cookies: + description: >- + Cookies is the names of the cookie to fetch the + key from. + + If multiple cookies are specified, envoy will look + for the api key in the order of the list. + + This field is optional, but only one of headers, + params or cookies is supposed to be specified. + items: + type: string + type: array + headers: + description: >- + Headers is the names of the header to fetch the + key from. + + If multiple headers are specified, envoy will look + for the api key in the order of the list. + + This field is optional, but only one of headers, + params or cookies is supposed to be specified. + items: + type: string + type: array + params: + description: >- + Params is the names of the query parameter to + fetch the key from. + + If multiple params are specified, envoy will look + for the api key in the order of the list. + + This field is optional, but only one of headers, + params or cookies is supposed to be specified. + items: + type: string + type: array + type: object + type: array + forwardClientIDHeader: + description: >- + ForwardClientIDHeader is the name of the header to + forward the client identity to the backend + + service. The header will be added to the request with + the client id as the value. + type: string + sanitize: + description: >- + Sanitize indicates whether to remove the API key from + the request before forwarding it to the backend service. + type: boolean + required: + - credentialRefs + - extractFrom + type: object + authorization: + description: Authorization defines the authorization configuration. + properties: + defaultAction: + description: >- + DefaultAction defines the default action to be taken if + no rules match. + + If not specified, the default action is Deny. + enum: + - Allow + - Deny + type: string + rules: + description: >- + Rules defines a list of authorization rules. 
+ + These rules are evaluated in order, the first matching + rule will be applied, + + and the rest will be skipped. + + + For example, if there are two rules: the first rule + allows the request + + and the second rule denies it, when a request matches + both rules, it will be allowed. + items: + description: AuthorizationRule defines a single authorization rule. + properties: + action: + description: >- + Action defines the action to be taken if the rule + matches. + enum: + - Allow + - Deny + type: string + name: + description: >- + Name is a user-friendly name for the rule. + + If not specified, Envoy Gateway will generate a + unique name for the rule. + maxLength: 253 + minLength: 1 + type: string + operation: + description: >- + Operation specifies the operation of a request, + such as HTTP methods. + + If not specified, all operations are matched on. + properties: + methods: + description: >- + Methods are the HTTP methods of the request. + + If multiple methods are specified, all + specified methods are allowed or denied, based + on the action of the rule. + items: + description: >- + HTTPMethod describes how to select a HTTP + route by matching the HTTP + + method as defined by + + [RFC + 7231](https://datatracker.ietf.org/doc/html/rfc7231#section-4) + and + + [RFC + 5789](https://datatracker.ietf.org/doc/html/rfc5789#section-2). + + The value is expected in upper case. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + maxItems: 16 + minItems: 1 + type: array + required: + - methods + type: object + principal: + description: >- + Principal specifies the client identity of a + request. 
+ + If there are multiple principal types, all + principals must match for the rule to match. + + For example, if there are two principals: one for + client IP and one for JWT claim, + + the rule will match only if both the client IP and + the JWT claim match. + properties: + clientCIDRs: + description: >- + ClientCIDRs are the IP CIDR ranges of the + client. + + Valid examples are "192.168.1.0/24" or + "2001:db8::/64" + + + If multiple CIDR ranges are specified, one of + the CIDR ranges must match + + the client IP for the rule to match. + + + The client IP is inferred from the + X-Forwarded-For header, a custom header, + + or the proxy protocol. + + You can use the `ClientIPDetection` or the + `ProxyProtocol` field in + + the `ClientTrafficPolicy` to configure how the + client IP is detected. + + + For TCPRoute targets (raw TCP connections), + HTTP headers such as + + X-Forwarded-For are not available. The client + IP is obtained from the + + TCP connection's peer address. If + intermediaries (load balancers, NAT) + + terminate or proxy TCP, the original client IP + will only be available + + if the intermediary preserves the source + address (for example by + + enabling the PROXY protocol or avoiding SNAT). + Ensure your L4 proxy is + + configured to preserve the source IP to enable + correct client-IP + + matching for TCPRoute targets. + items: + description: >- + CIDR defines a CIDR Address range. + + A CIDR can be an IPv4 address range such as + "192.168.1.0/24" or an IPv6 address range + such as "2001:0db8:11a3:09d7::/64". 
+ pattern: >- + ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) + type: string + minItems: 1 + type: array + headers: + description: >- + Headers authorize the request based on user + identity extracted from custom headers. + + If multiple headers are specified, all headers + must match for the rule to match. + items: + description: >- + AuthorizationHeaderMatch specifies how to + match against the value of an HTTP header + within a authorization rule. + properties: + name: + description: >- + Name of the HTTP header. + + The header name is case-insensitive + unless PreserveHeaderCase is set to + true. + + For example, "Foo" and "foo" are + considered the same header. + maxLength: 256 + minLength: 1 + type: string + values: + description: >- + Values are the values that the header + must match. + + If multiple values are specified, the + rule will match if any of the values + match. + items: + type: string + maxItems: 256 + minItems: 1 + type: array + required: + - name + - values + type: object + maxItems: 256 + minItems: 1 + type: array + jwt: + description: >- + JWT authorize the request based on the JWT + claims and scopes. 
+ + Note: in order to use JWT claims for + authorization, you must configure the + + JWT authentication in the same + `SecurityPolicy`. + properties: + claims: + description: >- + Claims are the claims in a JWT token. + + + If multiple claims are specified, all + claims must match for the rule to match. + + For example, if there are two claims: one + for the audience and one for the issuer, + + the rule will match only if both the + audience and the issuer match. + items: + description: >- + JWTClaim specifies a claim in a JWT + token. + properties: + name: + description: >- + Name is the name of the claim. + + If it is a nested claim, use a dot (.) + separated string as the name to + + represent the full path to the claim. + + For example, if the claim is in the + "department" field in the "organization" + field, + + the name should be + "organization.department". + maxLength: 253 + minLength: 1 + type: string + valueType: + default: String + description: >- + ValueType is the type of the claim + value. + + Only String and StringArray types are + supported for now. + enum: + - String + - StringArray + type: string + values: + description: >- + Values are the values that the claim + must match. + + If the claim is a string type, the + specified value must match exactly. + + If the claim is a string array type, the + specified value must match one of the + values in the array. + + If multiple values are specified, one of + the values must match for the rule to + match. + items: + type: string + maxItems: 128 + minItems: 1 + type: array + required: + - name + - values + type: object + maxItems: 16 + minItems: 1 + type: array + provider: + description: >- + Provider is the name of the JWT provider + that used to verify the JWT token. + + In order to use JWT claims for + authorization, you must configure the JWT + + authentication with the same provider in + the same `SecurityPolicy`. 
+ maxLength: 253 + minLength: 1 + type: string + scopes: + description: >- + Scopes are a special type of claim in a + JWT token that represents the permissions + of the client. + + + The value of the scopes field should be a + space delimited string that is expected in + the + + scope (or scp) claim, as defined in RFC + 6749: + https://datatracker.ietf.org/doc/html/rfc6749#page-23. + + + If multiple scopes are specified, all + scopes must match for the rule to match. + items: + maxLength: 253 + minLength: 1 + type: string + maxItems: 16 + minItems: 1 + type: array + required: + - provider + type: object + x-kubernetes-validations: + - message: >- + at least one of claims or scopes must be + specified + rule: (has(self.claims) || has(self.scopes)) + sourceCIDRs: + description: >- + SourceCIDRs are the IP CIDR ranges of the + source (L4 peer IP). + + Valid examples are "192.168.1.0/24" or + "2001:db8::/64" + + + If multiple CIDR ranges are specified, one of + the CIDR ranges must match + + the source IP for the rule to match. + + + The source IP is the IP address of the peer + that connected to Envoy. + + This IP is obtained from the TCP connection's + peer address and is not + + affected by X-Forwarded-For or other IP + detection headers. + + If intermediaries (load balancers, NAT) + terminate or proxy TCP, + + the original client IP will only be available + if the intermediary + + preserves the source address (for example by + enabling the PROXY protocol + + or avoiding SNAT). + items: + description: >- + CIDR defines a CIDR Address range. + + A CIDR can be an IPv4 address range such as + "192.168.1.0/24" or an IPv6 address range + such as "2001:0db8:11a3:09d7::/64". 
+ pattern: >- + ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) + type: string + minItems: 1 + type: array + type: object + x-kubernetes-validations: + - message: >- + at least one of clientCIDRs, jwt, or headers + must be specified + rule: >- + (has(self.clientCIDRs) || has(self.jwt) || + has(self.headers)) + required: + - action + - principal + type: object + type: array + type: object + basicAuth: + description: >- + BasicAuth defines the configuration for the HTTP Basic + Authentication. + properties: + forwardUsernameHeader: + description: >- + This field specifies the header name to forward a + successfully authenticated user to + + the backend. The header will be added to the request + with the username as the value. + + + If it is not specified, the username will not be + forwarded. + type: string + users: + description: >- + The Kubernetes secret which contains the + username-password pairs in + + htpasswd format, used to verify user credentials in the + "Authorization" + + header. + + + This is an Opaque secret. The username-password pairs + should be stored in + + the key ".htpasswd". 
As the key name indicates, the + value needs to be the + + htpasswd format, for example: + "user1:{SHA}hashed_user1_password". + + Right now, only SHA hash algorithm is supported. + + Reference to + https://httpd.apache.org/docs/2.4/programs/htpasswd.html + + for more details. + + + Note: The secret must be in the same namespace as the + SecurityPolicy. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - users + type: object + cors: + description: >- + CORS defines the configuration for Cross-Origin Resource + Sharing (CORS). + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether a request can include + user credentials + + like cookies, authentication headers, or TLS client + certificates. + + It specifies the value in the + Access-Control-Allow-Credentials CORS response header. 
+ type: boolean + allowHeaders: + description: >- + AllowHeaders defines the headers that are allowed to be + sent with requests. + + It specifies the allowed headers in the + Access-Control-Allow-Headers CORS response header.. + + The value "*" allows any header to be sent. + items: + type: string + type: array + allowMethods: + description: >- + AllowMethods defines the methods that are allowed to + make requests. + + It specifies the allowed methods in the + Access-Control-Allow-Methods CORS response header.. + + The value "*" allows any method to be used. + items: + type: string + type: array + allowOrigins: + description: >- + AllowOrigins defines the origins that are allowed to + make requests. + + It specifies the allowed origins in the + Access-Control-Allow-Origin CORS response header. + + The value "*" allows any origin to make requests. + items: + description: >- + Origin is defined by the scheme (protocol), hostname + (domain), and port of + + the URL used to access it. The hostname can be + "precise" which is just the + + domain name or "wildcard" which is a domain name + prefixed with a single + + wildcard label such as "*.example.com". + + In addition to that a single wildcard (with or without + scheme) can be + + configured to match any origin. + + + For example, the following are valid origins: + + - https://foo.example.com + + - https://*.example.com + + - http://foo.example.com:8080 + + - http://*.example.com:8080 + + - https://* + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$ + type: string + type: array + exposeHeaders: + description: >- + ExposeHeaders defines which response headers should be + made accessible to + + scripts running in the browser. + + It specifies the headers in the + Access-Control-Expose-Headers CORS response header.. + + The value "*" allows any header to be exposed. 
+ items: + type: string + type: array + maxAge: + description: >- + MaxAge defines how long the results of a preflight + request can be cached. + + It specifies the value in the Access-Control-Max-Age + CORS response header.. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + extAuth: + description: >- + ExtAuth defines the configuration for External + Authorization. + properties: + bodyToExtAuth: + description: >- + BodyToExtAuth defines the Body to Ext Auth + configuration. + properties: + maxRequestBytes: + description: >- + MaxRequestBytes is the maximum size of a message + body that the filter will hold in memory. + + Envoy will return HTTP 413 and will not initiate the + authorization process when buffer + + reaches the number set in this field. + + Note that this setting will have precedence over + failOpen mode. + format: int32 + minimum: 1 + type: integer + required: + - maxRequestBytes + type: object + contextExtensions: + description: >- + ContextExtensions are analogous to http_request.headers, + however these + + contents will not be sent to the upstream server. This + provides an + + extension mechanism for sending additional information + to the auth server + + without modifying the proto definition. It maps to the + internal opaque + + context in the filter chain. + items: + description: >- + ContextExtension is analogous to http_request.headers, + however these + + contents will not be sent to the upstream server. This + provides an + + extension mechanism for sending additional information + to the auth server + + without modifying the proto definition. It maps to the + internal opaque + + context in the filter chain. + properties: + name: + description: Name of the context extension. + type: string + type: + default: Value + description: >- + Type is the type of method to use to read the + ContextExtension value. + + Valid values are Value and ValueRef, default is + Value. 
+ enum: + - Value + - ValueRef + type: string + value: + description: Value of the context extension. + type: string + valueRef: + description: ValueRef for the context extension's value. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + key: + description: The key to select. + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - key + - kind + - name + type: object + x-kubernetes-validations: + - message: >- + Only a reference to an object of kind + ConfigMap or Secret belonging to default v1 + API group is supported. + rule: >- + self.kind in ['ConfigMap', 'Secret'] && + self.group in ['', 'v1'] + required: + - name + - type + type: object + x-kubernetes-validations: + - message: >- + Exactly one of value or valueRef must be set with + correct type. + rule: >- + (self.type == 'Value' && has(self.value) && + !has(self.valueRef)) || (self.type == 'ValueRef' + && !has(self.value) && has(self.valueRef)) + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + failOpen: + default: false + description: >- + FailOpen is a switch used to control the behavior when a + response from the External Authorization service cannot + be obtained. + + If FailOpen is set to true, the system allows the + traffic to pass through. + + Otherwise, if it is set to false or not set (defaulting + to false), + + the system blocks the traffic and returns a HTTP 5xx + error, reflecting a fail-closed approach. 
+ + This setting determines whether to prioritize + accessibility over strict security in case of + authorization service failure. + + + If set to true, the External Authorization will also be + bypassed if its configuration is invalid. + type: boolean + grpc: + description: |- + GRPC defines the gRPC External Authorization service. + Either GRPCService or HTTPService must be specified, + and only one of them can be provided. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. 
+ + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + items: + description: >- + BackendRef defines how an ObjectReference that is + specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be configured. + + It is highly recommended to configure active + or passive health checks to ensure that + failover can be detected + + when the active backends become unhealthy and + to automatically readjust once the primary + backends are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only start + receiving traffic when + + the health of the active backends falls below + 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". 
+ + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of + all weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. + If weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing the + connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be enabled + with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy + will establish to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that + Envoy will make to the referenced backend + defined within a xRoute rule. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that + Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy + will make over a single connection to the + referenced backend defined within a xRoute + rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that + will apply per-endpoint for an upstream + cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection streaming + (maybe non-streaming) channel between + processes, it's in user space. + + If unspecified, an implementation defined + default is applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. 
+ + Note: that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment overhead. + + + If unset, Envoy will fetch connections as + needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). 
+ format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for + the maximum buffer size in bytes for each + socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which + DNS records should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend is + specified as a fully qualified domain name + (FQDN). + + If set, this configuration overrides other + defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS refresh + rate will be set to the resource record’s + TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. 
+ properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. + + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout the + cluster + + as load increases. If not set, the default + value is 50%. To disable panic mode, set + value to `0`. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for backend + connections. 
+ properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial + window size for HTTP/2 connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number + of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will + terminate the connection or just the + offending stream in the event of HTTP + messaging error + + It's recommended for L2 Envoy deployments to + set this value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. 
+ properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. 
+ items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration + for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information extracted + from request headers or metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. 
+ properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related + to the slow start load balancer policy. + + If set, during slow start window, traffic + sent to the newly added hosts will gradually + increase. + + Currently this is only supported for + RoundRobin and LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related + to the distribution of requests between + locality zones. 
+ properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for + RoundRobin and LeastRequest load balancers. + rule: >- + self.type in ['Random', 'ConsistentHash'] ? + !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for + LeastRequest, Random, and RoundRobin load + balancers. + rule: >- + self.type == 'ConsistentHash' ? 
+ !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when + communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing + users to customize the number of retries, retry + fallback strategy, and retry triggering + conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of + requests (initial attempt + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all requests + are sent to the highest priority that is + healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be + attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. 
+ + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle + before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to + send before deciding + + the connection is dead. + + Defaults to 9. 
+ format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only + works with RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + type: object + x-kubernetes-validations: + - message: backendRef or backendRefs needs to be set + rule: has(self.backendRef) || self.backendRefs.size() > 0 + - message: >- + BackendRefs only supports Service, ServiceImport, + and Backend kind. + rule: >- + has(self.backendRefs) ? self.backendRefs.all(f, + f.kind == 'Service' || f.kind == 'ServiceImport' || + f.kind == 'Backend') : true + - message: >- + BackendRefs only supports Core, + multicluster.x-k8s.io, and gateway.envoyproxy.io + groups. + rule: >- + has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "" || f.group == 'multicluster.x-k8s.io' + || f.group == 'gateway.envoyproxy.io')) : true + headersToExtAuth: + description: >- + HeadersToExtAuth defines the client request headers that + will be included + + in the request to the external authorization service. + + Note: If not specified, the default behavior for gRPC + and HTTP external + + authorization services is different due to backward + compatibility reasons. + + All headers will be included in the check request to a + gRPC authorization server. + + Only the following headers will be included in the check + request to an HTTP + + authorization server: Host, Method, Path, + Content-Length, and Authorization. + + And these headers will always be included to the check + request to an HTTP + + authorization server by default, no matter whether they + are specified + + in HeadersToExtAuth or not. 
+ items: + type: string + type: array + http: + description: |- + HTTP defines the HTTP External Authorization service. + Either GRPCService or HTTPService must be specified, + and only one of them can be provided. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. 
See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + items: + description: >- + BackendRef defines how an ObjectReference that is + specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be configured. + + It is highly recommended to configure active + or passive health checks to ensure that + failover can be detected + + when the active backends become unhealthy and + to automatically readjust once the primary + backends are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only start + receiving traffic when + + the health of the active backends falls below + 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of + all weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. + If weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing the + connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be enabled + with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy + will establish to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that + Envoy will make to the referenced backend + defined within a xRoute rule. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that + Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy + will make over a single connection to the + referenced backend defined within a xRoute + rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that + will apply per-endpoint for an upstream + cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection streaming + (maybe non-streaming) channel between + processes, it's in user space. + + If unspecified, an implementation defined + default is applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. 
+ + Note: that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment overhead. + + + If unset, Envoy will fetch connections as + needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). 
+ format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for + the maximum buffer size in bytes for each + socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which + DNS records should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend is + specified as a fully qualified domain name + (FQDN). + + If set, this configuration overrides other + defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS refresh + rate will be set to the resource record’s + TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. 
+ properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. + + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout the + cluster + + as load increases. If not set, the default + value is 50%. To disable panic mode, set + value to `0`. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for backend + connections. 
+ properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial + window size for HTTP/2 connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number + of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will + terminate the connection or just the + offending stream in the event of HTTP + messaging error + + It's recommended for L2 Envoy deployments to + set this value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. 
+ properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. 
+ items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration + for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information extracted + from request headers or metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. 
+ properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related + to the slow start load balancer policy. + + If set, during slow start window, traffic + sent to the newly added hosts will gradually + increase. + + Currently this is only supported for + RoundRobin and LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related + to the distribution of requests between + locality zones. 
+ properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for + RoundRobin and LeastRequest load balancers. + rule: >- + self.type in ['Random', 'ConsistentHash'] ? + !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for + LeastRequest, Random, and RoundRobin load + balancers. + rule: >- + self.type == 'ConsistentHash' ? 
+ !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when + communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing + users to customize the number of retries, retry + fallback strategy, and retry triggering + conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of + requests (initial attempt + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all requests + are sent to the highest priority that is + healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be + attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. 
+ + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle + before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to + send before deciding + + the connection is dead. + + Defaults to 9. 
+ format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only + works with RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + headersToBackend: + description: >- + HeadersToBackend are the authorization response + headers that will be added + + to the original client request before sending it to + the backend server. + + Note that coexisting headers will be overridden. + + If not specified, no authorization response headers + will be added to the + + original client request. + items: + type: string + type: array + path: + description: >- + Path is the path of the HTTP External Authorization + service. + + If path is specified, the authorization request will + be sent to that path, + + or else the authorization request will use the path + of the original request. + + + Please note that the original request path will be + appended to the path specified here. + + For example, if the original request path is + "/hello", and the path specified here is "/auth", + + then the path of the authorization request will be + "/auth/hello". If the path is not specified, + + the path of the authorization request will be + "/hello". + type: string + type: object + x-kubernetes-validations: + - message: backendRef or backendRefs needs to be set + rule: has(self.backendRef) || self.backendRefs.size() > 0 + - message: >- + BackendRefs only supports Service, ServiceImport, + and Backend kind. + rule: >- + has(self.backendRefs) ? 
self.backendRefs.all(f, + f.kind == 'Service' || f.kind == 'ServiceImport' || + f.kind == 'Backend') : true + - message: >- + BackendRefs only supports Core, + multicluster.x-k8s.io, and gateway.envoyproxy.io + groups. + rule: >- + has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "" || f.group == 'multicluster.x-k8s.io' + || f.group == 'gateway.envoyproxy.io')) : true + recomputeRoute: + description: >- + RecomputeRoute clears the route cache and recalculates + the routing decision. + + This field must be enabled if the headers added or + modified by the ExtAuth are used for + + route matching decisions. If the recomputation selects a + new route, features targeting + + the new matched route will be applied. + type: boolean + timeout: + description: >- + Timeout defines the timeout for requests to the external + authorization service. + + If not specified, defaults to 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: one of grpc or http must be specified + rule: (has(self.grpc) || has(self.http)) + - message: only one of grpc or http can be specified + rule: >- + (has(self.grpc) && !has(self.http)) || (!has(self.grpc) + && has(self.http)) + jwt: + description: >- + JWT defines the configuration for JSON Web Token (JWT) + authentication. + properties: + optional: + description: >- + Optional determines whether a missing JWT is acceptable, + defaulting to false if not specified. + + Note: Even if optional is set to true, JWT + authentication will still fail if an invalid JWT is + presented. + type: boolean + providers: + description: >- + Providers defines the JSON Web Token (JWT) + authentication provider type. + + When multiple JWT providers are specified, the JWT is + considered valid if + + any of the providers successfully validate the JWT. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. 
+ items: + description: >- + JWTProvider defines how a JSON Web Token (JWT) can be + verified. + properties: + audiences: + description: >- + Audiences is a list of JWT audiences allowed + access. For additional details, see + + https://tools.ietf.org/html/rfc7519#section-4.1.3. + If not provided, JWT audiences + + are not checked. + items: + type: string + maxItems: 8 + type: array + claimToHeaders: + description: >- + ClaimToHeaders is a list of JWT claims that must + be extracted into HTTP request headers + + For examples, following config: + + The claim must be of type; string, int, double, + bool. Array type claims are not supported + items: + description: >- + ClaimToHeader defines a configuration to convert + JWT claims into HTTP headers + properties: + claim: + description: >- + Claim is the JWT Claim that should be saved + into the header : it can be a nested claim + of type + + (eg. "claim.nested.key", "sub"). The nested + claim name must use dot "." + + to separate the JSON name path. + type: string + header: + description: >- + Header defines the name of the HTTP request + header that the JWT Claim will be saved + into. + type: string + required: + - claim + - header + type: object + type: array + extractFrom: + description: >- + ExtractFrom defines different ways to extract the + JWT token from HTTP request. + + If empty, it defaults to extract JWT token from + the Authorization HTTP request header using Bearer + schema + + or access_token from query parameters. + properties: + cookies: + description: >- + Cookies represents a list of cookie names to + extract the JWT token from. + items: + type: string + type: array + headers: + description: >- + Headers represents a list of HTTP request + headers to extract the JWT token from. 
+ items: + description: >- + JWTHeaderExtractor defines an HTTP header + location to extract JWT token + properties: + name: + description: >- + Name is the HTTP header name to retrieve + the token + type: string + valuePrefix: + description: >- + ValuePrefix is the prefix that should be + stripped before extracting the token. + + The format would be used by Envoy like + "{ValuePrefix}". + + For example, "Authorization: Bearer + ", then the ValuePrefix="Bearer " + with a space at the end. + type: string + required: + - name + type: object + type: array + params: + description: >- + Params represents a list of query parameters + to extract the JWT token from. + items: + type: string + type: array + type: object + issuer: + description: >- + Issuer is the principal that issued the JWT and + takes the form of a URL or email address. + + For additional details, see + https://tools.ietf.org/html/rfc7519#section-4.1.1 + for + + URL format and + https://rfc-editor.org/rfc/rfc5322.html for email + format. If not provided, + + the JWT issuer is not checked. + maxLength: 253 + type: string + localJWKS: + description: >- + LocalJWKS defines how to get the JSON Web Key Sets + (JWKS) from a local source. + properties: + inline: + description: Inline contains the value as an inline string. + type: string + type: + default: Inline + description: >- + Type is the type of method to use to read the + body value. + + Valid values are Inline and ValueRef, default + is Inline. + enum: + - Inline + - ValueRef + type: string + valueRef: + description: >- + ValueRef is a reference to a local ConfigMap + that contains the JSON Web Key Sets (JWKS). + + + The value of key `jwks` in the ConfigMap will + be used. + + If the key is not found, the first value in + the ConfigMap will be used. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + Exactly one of inline or valueRef must be set + with correct type. + rule: >- + (self.type == 'Inline' && has(self.inline) && + !has(self.valueRef)) || (self.type == + 'ValueRef' && !has(self.inline) && + has(self.valueRef)) + name: + description: >- + Name defines a unique name for the JWT provider. A + name can have a variety of forms, + + including RFC1123 subdomains, RFC 1123 labels, or + RFC 1035 labels. + maxLength: 253 + minLength: 1 + type: string + recomputeRoute: + description: >- + RecomputeRoute clears the route cache and + recalculates the routing decision. + + This field must be enabled if the headers + generated from the claim are used for + + route matching decisions. If the recomputation + selects a new route, features targeting + + the new matched route will be applied. + type: boolean + remoteJWKS: + description: >- + RemoteJWKS defines how to fetch and cache JSON Web + Key Sets (JWKS) from a remote + + HTTP/HTTPS endpoint. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization + request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other + than ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object + that represents the + + backend server to which the authorization + request will be sent. + items: + description: >- + BackendRef defines how an ObjectReference + that is specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend + is designated as a fallback. + + Multiple fallback backends can be + configured. + + It is highly recommended to configure + active or passive health checks to + ensure that failover can be detected + + when the active backends become + unhealthy and to automatically readjust + once the primary backends are healthy + again. + + The overprovisioning factor is set to + 1.4, meaning the fallback backends will + only start receiving traffic when + + the health of the active backends falls + below 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of + requests forwarded to the referenced + + backend. This is computed as weight/(sum + of all weights in this + + BackendRefs list). For non-zero values, + there may be some epsilon from + + the exact proportion defined here + depending on the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it + has a weight greater than 0, 100% + + of the traffic is forwarded to that + backend. If weight is set to 0, no + + traffic should be forwarded for this + entry. If unspecified, weight + + defaults to 1. 
+ + + Support for this field varies based on + the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for + managing the connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be + enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that + Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests + that Envoy will queue to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that + Envoy will make over a single connection + to the referenced backend defined within + a xRoute rule. + + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers + that will apply per-endpoint for an + upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: >- + Connection includes backend connection + settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection + streaming (maybe non-streaming) channel + between processes, it's in user space. + + If unspecified, an implementation + defined default is applied (32768 + bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment + overhead. + + + If unset, Envoy will fetch connections + as needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 
100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration + for the maximum buffer size in bytes for + each socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at + which DNS records should be refreshed. + + Defaults to 30 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend + is specified as a fully qualified domain + name (FQDN). + + If set, this configuration overrides + other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS + refresh rate will be set to the resource + record’s TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform + active health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. 
+ + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. 
+ type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout + the cluster + + as load increases. If not set, the + default value is 50%. To disable panic + mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for + backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the + initial window size for HTTP/2 + connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum + number of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy + will terminate the connection or just + the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy + deployments to set this value to + TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. 
+ + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. 
Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. 
+ properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? !has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, + allowing users to customize the number of + retries, retry fallback strategy, and + retry triggering conditions. 
+ + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. 
+ + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy + only works with RoundRobin or Random load + balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + cacheDuration: + default: 300s + description: >- + Duration is a string value representing a + duration in time. The format is as specified + + in GEP-2257, a strict subset of the syntax + parsed by Golang time.ParseDuration. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + uri: + description: >- + URI is the HTTPS URI to fetch the JWKS. + Envoy's system trust bundle is used to + validate the server certificate. + + If a custom trust bundle is needed, it can be + specified in a BackendTLSConfig resource and + target the BackendRefs. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - uri + type: object + x-kubernetes-validations: + - message: >- + BackendRefs must be used, backendRef is not + supported. + rule: '!has(self.backendRef)' + - message: Retry timeout is not supported. + rule: >- + has(self.backendSettings)? + (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)? + !has(self.backendSettings.retry.perRetry.timeout):true):true):true + - message: HTTPStatusCodes is not supported. + rule: >- + has(self.backendSettings)? + (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)? + !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true + required: + - name + type: object + x-kubernetes-validations: + - message: >- + claimToHeaders must be specified if recomputeRoute + is enabled. + rule: >- + (has(self.recomputeRoute) && self.recomputeRoute) + ? size(self.claimToHeaders) > 0 : true + - message: either remoteJWKS or localJWKS must be specified. + rule: has(self.remoteJWKS) || has(self.localJWKS) + - message: remoteJWKS and localJWKS cannot both be specified. + rule: '!(has(self.remoteJWKS) && has(self.localJWKS))' + maxItems: 4 + minItems: 1 + type: array + required: + - providers + type: object + oidc: + description: >- + OIDC defines the configuration for the OpenID Connect (OIDC) + authentication. + properties: + clientID: + description: >- + The client ID to be used in the OIDC + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + + Only one of clientID or clientIDRef must be set. + minLength: 1 + type: string + clientIDRef: + description: >- + The Kubernetes secret which contains the client ID to be + used in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + Exactly one of clientID or clientIDRef must be set. + + This is an Opaque secret. The client ID should be stored + in the key "client-id". 
+ + + Only one of clientID or clientIDRef must be set. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + clientSecret: + description: >- + The Kubernetes secret which contains the OIDC client + secret to be used in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + + This is an Opaque secret. The client secret should be + stored in the key + + "client-secret". + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + cookieConfig: + description: >- + CookieConfigs allows setting the SameSite attribute for + OIDC cookies. + + By default, its unset. + properties: + sameSite: + enum: + - Lax + - Strict + - None + type: string + type: object + cookieDomain: + description: >- + The optional domain to set the access and ID token + cookies on. + + If not set, the cookies will default to the host of the + request, not including the subdomains. + + If set, the cookies will be set on the specified domain + and all subdomains. + + This means that requests to any subdomain will not + require reauthentication after users log in to the + parent domain. + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$ + type: string + cookieNames: + description: >- + The optional cookie name overrides to be used for Bearer + and IdToken cookies in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + If not specified, uses a randomly generated suffix + properties: + accessToken: + description: >- + The name of the cookie used to store the AccessToken + in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). 
+ + If not specified, defaults to "AccessToken-(randomly + generated uid)" + type: string + idToken: + description: >- + The name of the cookie used to store the IdToken in + the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + If not specified, defaults to "IdToken-(randomly + generated uid)" + type: string + type: object + csrfTokenTTL: + description: >- + CSRFTokenTTL defines how long the CSRF token generated + during the OAuth2 authorization flow remains valid. + + + This duration determines the lifetime of the CSRF + cookie, which is validated against the CSRF token + + in the "state" parameter when the provider redirects + back to the callback endpoint. + + + If omitted, Envoy Gateway defaults the token expiration + to 10 minutes. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + defaultRefreshTokenTTL: + description: >- + DefaultRefreshTokenTTL is the default lifetime of the + refresh token. + + This field is only used when the exp (expiration time) + claim is omitted in + + the refresh token or the refresh token is not JWT. + + + If not specified, defaults to 604800s (one week). + + Note: this field is only applicable when the + "refreshToken" field is set to true. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + defaultTokenTTL: + description: >- + DefaultTokenTTL is the default lifetime of the id token + and access token. + + Please note that Envoy will always use the expiry time + from the response + + of the authorization server if it is provided. This + field is only used when + + the expiry time is not provided by the authorization. + + + If not specified, defaults to 0. In this case, the + "expires_in" field in + + the authorization response must be set by the + authorization server, or the + + OAuth flow will fail. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + denyRedirect: + description: >- + Any request that matches any of the provided matchers + (with either tokens that are expired or missing tokens) + will not be redirected to the OIDC Provider. + + This behavior can be useful for AJAX or machine + requests. + properties: + headers: + description: >- + Defines the headers to match against the request to + deny redirect to the OIDC Provider. + items: + description: >- + OIDCDenyRedirectHeader defines how a header is + matched + properties: + name: + description: >- + Specifies the name of the header in the + request. + minLength: 1 + type: string + type: + default: Exact + description: Type specifies how to match against a string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - headers + type: object + disableTokenEncryption: + description: >- + Disable token encryption. When set to true, both the + access token and the ID token will be stored in plain + text. + + This option should only be used in secure environments + where token encryption is not required. + + Default is false (tokens are encrypted). + type: boolean + forwardAccessToken: + description: >- + ForwardAccessToken indicates whether the Envoy should + forward the access token + + via the Authorization header Bearer scheme to the + upstream. + + If not specified, defaults to false. + type: boolean + logoutPath: + description: >- + The path to log a user out, clearing their credential + cookies. + + + If not specified, uses a default logout path "/logout" + type: string + passThroughAuthHeader: + description: >- + Skips OIDC authentication when the request contains a + header that will be extracted by the JWT filter. 
Unless + + explicitly stated otherwise in the extractFrom field, + this will be the "Authorization: Bearer ..." header. + + + The passThroughAuthHeader option is typically used for + non-browser clients that may not be able to handle OIDC + + redirects and wish to directly supply a token instead. + + + If not specified, defaults to false. + type: boolean + provider: + description: The OIDC Provider configuration. + properties: + authorizationEndpoint: + description: >- + The OIDC Provider's [authorization + endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint). + + If not provided, EG will try to discover it from the + provider's [Well-Known Configuration + Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). + type: string + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + items: + description: >- + BackendRef defines how an ObjectReference that is + specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be configured. 
+ + It is highly recommended to configure active + or passive health checks to ensure that + failover can be detected + + when the active backends become unhealthy and + to automatically readjust once the primary + backends are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only start + receiving traffic when + + the health of the active backends falls below + 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of + all weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. + If weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing the + connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. 
+ + If not set, circuit breakers will be enabled + with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy + will establish to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that + Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy + will make over a single connection to the + referenced backend defined within a xRoute + rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that + will apply per-endpoint for an upstream + cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: Connection includes backend connection settings. 
+ properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection streaming + (maybe non-streaming) channel between + processes, it's in user space. + + If unspecified, an implementation defined + default is applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment overhead. + + + If unset, Envoy will fetch connections as + needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. 
+ + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for + the maximum buffer size in bytes for each + socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which + DNS records should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend is + specified as a fully qualified domain name + (FQDN). + + If set, this configuration overrides other + defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS refresh + rate will be set to the resource record’s + TTL. + + Defaults to true. 
+ type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. 
+ + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. + + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? 
has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? 
self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout the + cluster + + as load increases. If not set, the default + value is 50%. To disable panic mode, set + value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for backend + connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial + window size for HTTP/2 connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number + of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will + terminate the connection or just the + offending stream in the event of HTTP + messaging error + + It's recommended for L2 Envoy deployments to + set this value to TerminateStream. 
+ + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. 
+ type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration + for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information extracted + from request headers or metadata. 
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related + to the slow start load balancer policy. + + If set, during slow start window, traffic + sent to the newly added hosts will gradually + increase. + + Currently this is only supported for + RoundRobin and LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". 
+ enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related + to the distribution of requests between + locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for + RoundRobin and LeastRequest load balancers. + rule: >- + self.type in ['Random', 'ConsistentHash'] ? 
+ !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for + LeastRequest, Random, and RoundRobin load + balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when + communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing + users to customize the number of retries, retry + fallback strategy, and retry triggering + conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of + requests (initial attempt + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all requests + are sent to the highest priority that is + healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be + attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. 
This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle + before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to + send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only + works with RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + endSessionEndpoint: + description: >- + The OIDC Provider's [end session + endpoint](https://openid.net/specs/openid-connect-core-1_0.html#RPLogout). + + + If the end session endpoint is provided, EG will use + it to log out the user from the OIDC Provider when + the user accesses the logout path. + + EG will also try to discover the end session + endpoint from the provider's [Well-Known + Configuration + Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse) + when authorizationEndpoint or tokenEndpoint is not + provided. + type: string + issuer: + description: >- + The OIDC Provider's [issuer + identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery). + + Issuer MUST be a URI RFC 3986 [RFC3986] with a + scheme component that MUST + + be https, a host component, and optionally, port and + path components and + + no query or fragment components. + minLength: 1 + type: string + tokenEndpoint: + description: >- + The OIDC Provider's [token + endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). + + If not provided, EG will try to discover it from the + provider's [Well-Known Configuration + Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). + type: string + required: + - issuer + type: object + x-kubernetes-validations: + - message: >- + BackendRefs must be used, backendRef is not + supported. 
+ rule: '!has(self.backendRef)' + - message: Retry timeout is not supported. + rule: >- + has(self.backendSettings)? + (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)? + !has(self.backendSettings.retry.perRetry.timeout):true):true):true + - message: HTTPStatusCodes is not supported. + rule: >- + has(self.backendSettings)? + (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)? + !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true + redirectURL: + description: >- + The redirect URL to be used in the OIDC + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + If not specified, uses the default redirect URI + "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" + type: string + refreshToken: + default: true + description: >- + RefreshToken indicates whether the Envoy should + automatically refresh the + + id token and access token when they expire. + + When set to true, the Envoy will use the refresh token + to get a new id token + + and access token when they expire. + + + If not specified, defaults to true. + type: boolean + resources: + description: >- + The OIDC resources to be used in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + items: + type: string + type: array + scopes: + description: >- + The OIDC scopes to be used in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + The "openid" scope is always added to the list of scopes + if not already + + specified. 
+ items: + type: string + type: array + required: + - clientSecret + - provider + type: object + x-kubernetes-validations: + - message: only one of clientID or clientIDRef must be set + rule: >- + (has(self.clientID) && !has(self.clientIDRef)) || + (!has(self.clientID) && has(self.clientIDRef)) + targetRef: + description: >- + TargetRef is the name of the resource this policy is being + attached to. + + This policy and the TargetRef MUST be in the same namespace + for this + + Policy to have effect + + + Deprecated: use targetRefs/targetSelectors instead + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire resource. + In the following + + resources, SectionName is interpreted as the following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on the + targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + targetRefs: + description: >- + TargetRefs are the names of the Gateway resources this + policy + + is being attached to. 
+ items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + type: array + targetSelectors: + description: >- + TargetSelectors allow targeting resources for this policy + based on labels + items: + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group that this selector targets. + Defaults to gateway.networking.k8s.io + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the resource kind that this selector targets. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + matchExpressions: + description: >- + MatchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector applies + to. + type: string + operator: + description: >- + operator represents a key's relationship to a + set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + MatchLabels are the set of label selectors for + identifying the targeted resource + type: object + required: + - kind + type: object + x-kubernetes-validations: + - message: group must be gateway.networking.k8s.io + rule: >- + has(self.group) ? self.group == + 'gateway.networking.k8s.io' : true + type: array + type: object + x-kubernetes-validations: + - message: either targetRef or targetRefs must be used + rule: >- + (has(self.targetRef) && !has(self.targetRefs)) || + (!has(self.targetRef) && has(self.targetRefs)) || + (has(self.targetSelectors) && self.targetSelectors.size() > + 0) + - message: >- + this policy can only have a targetRef.group of + gateway.networking.k8s.io + rule: >- + has(self.targetRef) ? self.targetRef.group == + 'gateway.networking.k8s.io' : true + - message: >- + this policy can only have a targetRef.kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute + rule: >- + has(self.targetRef) ? self.targetRef.kind in ['Gateway', + 'HTTPRoute', 'GRPCRoute', 'TCPRoute'] : true + - message: >- + this policy can only have a targetRefs[*].group of + gateway.networking.k8s.io + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == + 'gateway.networking.k8s.io') : true + - message: >- + this policy can only have a targetRefs[*].kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in + ['Gateway', 'HTTPRoute', 'GRPCRoute', 'TCPRoute']) : true + - message: >- + if authorization.rules.principal.jwt is used, jwt must be + defined + rule: >- + (has(self.authorization) && has(self.authorization.rules) && + self.authorization.rules.exists(r, has(r.principal.jwt))) ? 
+ has(self.jwt) : true + status: + description: Status defines the current status of SecurityPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. + Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. 
+ + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. 
+ + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. 
+ + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. 
In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. 
That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. + * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. 
+ + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}
diff --git a/_/CustomResourceDefinition/tlsroutes.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/tlsroutes.gateway.networking.k8s.io.yaml
new file mode 100644
index 0000000..7202c7e
--- /dev/null
+++ b/_/CustomResourceDefinition/tlsroutes.gateway.networking.k8s.io.yaml
@@ -0,0 +1,3621 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + The TLSRoute resource is similar to TCPRoute, but can be configured + + to match against TLS-specific metadata. This allows more flexibility + + in matching streams for a given TLS listener. + + + If you need to forward traffic to a single target for a TLS + listener, you + + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. 
+ properties: + hostnames: + description: >- + Hostnames defines a set of SNI hostnames that should match + against the + + SNI attribute of TLS ClientHello message in TLS handshake. + This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + + 1. IPs are not allowed in SNI hostnames per RFC 6066. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: >- + self.all(h, !h.contains('*') ? + h.matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$') + : true) + - message: >- + Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: >- + self.all(h, h.contains('*') ? 
(h.startsWith('*.') && + h.substring(2).matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$')) + : true) + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. 
+ * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. 
If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. 
If unspecified or invalid (refers to a + nonexistent resource or + + a Service with no endpoints), the rule performs no + forwarding; if no + + filters are specified that would result in a response + being sent, the + + underlying implementation must actively reject request + attempts to this + + backend, by rejecting the connection. Request + rejections must respect + + weight; if an invalid backend is requested to have 80% + of requests, then + + 80% of requests must be rejected instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Extended + items: + description: >- + BackendRef defines how a Route should forward a + request to a Kubernetes + + resource. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Note that when the BackendTLSPolicy object is + enabled by the implementation, + + there are some extra rules about validity to + consider here. See the fields + + where this struct is used for more information about + the exact behavior. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. 
They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. 
+ + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. 
+ An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). 
+ + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. 
For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. 
When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: >- + The v1alpha2 version of TLSRoute has been deprecated and will be removed + in a future release of the API. Please upgrade to v1. 
+ name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: >- + Hostnames defines a set of SNI names that should match + against the + + SNI attribute of TLS ClientHello message in TLS handshake. + This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + + 1. IPs are not allowed in SNI names per RFC 6066. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and + TLSRoute, there + + must be at least one intersecting hostname for the TLSRoute + to be + + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches + TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. 
+ * A Listener with `*.example.com` as the hostname matches + TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, + any + + TLSRoute hostnames that do not match the Listener hostname + MUST be + + ignored. For example, if a Listener specified + `*.example.com`, and the + + TLSRoute specified `test.example.com` and + `test.example.net`, + + `test.example.net` must not be considered for a match. + + + If both the Listener and TLSRoute have specified hostnames, + and none + + match with the criteria above, then the TLSRoute is not + accepted. The + + implementation must raise an 'Accepted' Condition with a + status of + + `False` in the corresponding RouteParentStatus. + + + Support: Core + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. 
+ * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. 
If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. 
If unspecified or invalid (refers to a + nonexistent resource or + + a Service with no endpoints), the rule performs no + forwarding; if no + + filters are specified that would result in a response + being sent, the + + underlying implementation must actively reject request + attempts to this + + backend, by rejecting the connection. Request + rejections must respect + + weight; if an invalid backend is requested to have 80% + of requests, then + + 80% of requests must be rejected instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Extended + items: + description: >- + BackendRef defines how a Route should forward a + request to a Kubernetes + + resource. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Note that when the BackendTLSPolicy object is + enabled by the implementation, + + there are some extra rules about validity to + consider here. See the fields + + where this struct is used for more information about + the exact behavior. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. 
They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. 
+ + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. 
+ items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. 
+ + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. 
When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: >- + The v1alpha3 version of TLSRoute has been deprecated and will be removed + in a future release of the API. Please upgrade to v1. + name: v1alpha3 + schema: + openAPIV3Schema: + description: >- + The TLSRoute resource is similar to TCPRoute, but can be configured + + to match against TLS-specific metadata. This allows more flexibility + + in matching streams for a given TLS listener. 
+ + + If you need to forward traffic to a single target for a TLS + listener, you + + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: >- + Hostnames defines a set of SNI hostnames that should match + against the + + SNI attribute of TLS ClientHello message in TLS handshake. + This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + + 1. IPs are not allowed in SNI hostnames per RFC 6066. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). 
+ + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: >- + self.all(h, !h.contains('*') ? + h.matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$') + : true) + - message: >- + Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: >- + self.all(h, h.contains('*') ? (h.startsWith('*.') && + h.substring(2).matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$')) + : true) + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. 
+ + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. 
+ items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. 
For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. 
When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? 
+ ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. If unspecified or invalid (refers to a + nonexistent resource or + + a Service with no endpoints), the rule performs no + forwarding; if no + + filters are specified that would result in a response + being sent, the + + underlying implementation must actively reject request + attempts to this + + backend, by rejecting the connection. Request + rejections must respect + + weight; if an invalid backend is requested to have 80% + of requests, then + + 80% of requests must be rejected instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Extended + items: + description: >- + BackendRef defines how a Route should forward a + request to a Kubernetes + + resource. 
+ + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Note that when the BackendTLSPolicy object is + enabled by the implementation, + + there are some extra rules about validity to + consider here. See the fields + + where this struct is used for more information about + the exact behavior. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. 
+ + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. 
This name MUST be + unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. 
+ + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/GatewayClass/eg.yaml b/_/GatewayClass/eg.yaml new file mode 100644 index 0000000..62262b7 --- /dev/null +++ b/_/GatewayClass/eg.yaml @@ -0,0 +1,11 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: shared + namespace: envoy-gateway-system diff --git a/_/MutatingWebhookConfiguration/cert-manager-webhook.yaml b/_/MutatingWebhookConfiguration/cert-manager-webhook.yaml index f1b4b00..94333ea 100644 --- a/_/MutatingWebhookConfiguration/cert-manager-webhook.yaml +++ b/_/MutatingWebhookConfiguration/cert-manager-webhook.yaml @@ -9,8 +9,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-webhook webhooks: - admissionReviewVersions: @@ -26,13 +26,11 @@ webhooks: rules: - apiGroups: - cert-manager.io - - acme.cert-manager.io apiVersions: - v1 operations: - CREATE - - UPDATE resources: - - '*/*' + - certificaterequests sideEffects: None - timeoutSeconds: 10 + timeoutSeconds: 30 
diff --git a/_/MutatingWebhookConfiguration/envoy-gateway-topology-injector.envoy-gateway-system.yaml b/_/MutatingWebhookConfiguration/envoy-gateway-topology-injector.envoy-gateway-system.yaml new file mode 100644 index 0000000..c084004 --- /dev/null +++ b/_/MutatingWebhookConfiguration/envoy-gateway-topology-injector.envoy-gateway-system.yaml @@ -0,0 +1,41 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + helm.sh/hook: pre-install, pre-upgrade + helm.sh/hook-weight: '-1' + labels: + app.kubernetes.io/component: topology-injector + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway-topology-injector.envoy-gateway-system +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: envoy-gateway + namespace: envoy-gateway-system + path: /inject-pod-topology + port: 9443 + failurePolicy: Ignore + name: topology.webhook.gateway.envoyproxy.io + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - envoy-gateway-system + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods/binding + sideEffects: None diff --git a/_/Namespace/hairpin-proxy.yaml b/_/Namespace/envoy-gateway-system.yaml similarity index 58% rename from _/Namespace/hairpin-proxy.yaml rename to _/Namespace/envoy-gateway-system.yaml index 093b5da..6f4c14b 100644 --- a/_/Namespace/hairpin-proxy.yaml +++ b/_/Namespace/envoy-gateway-system.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: hairpin-proxy + name: envoy-gateway-system diff --git a/_/ValidatingAdmissionPolicy/safe-upgrades.gateway.networking.k8s.io.yaml b/_/ValidatingAdmissionPolicy/safe-upgrades.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..a889476 --- /dev/null 
+++ b/_/ValidatingAdmissionPolicy/safe-upgrades.gateway.networking.k8s.io.yaml @@ -0,0 +1,53 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - apiextensions.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - '*' + validations: + - expression: >- + object.spec.group != 'gateway.networking.k8s.io' || oldObject == null || + ( has(object.metadata.annotations) && + object.metadata.annotations.exists(k, k == + 'gateway.networking.k8s.io/channel') && + object.metadata.annotations['gateway.networking.k8s.io/channel'] == + 'standard' ) || ( oldObject != null && + has(oldObject.metadata.annotations) && + oldObject.metadata.annotations.exists(k, k == + 'gateway.networking.k8s.io/channel') && + oldObject.metadata.annotations['gateway.networking.k8s.io/channel'] == + 'experimental' ) + message: >- + Installing experimental CRDs on top of standard channel CRDs is + prohibited by default. Uninstall ValidatingAdmissionPolicy + safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on + top of standard channel CRDs. + reason: Invalid + - expression: >- + object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && + object.metadata.annotations.exists(k, k == + 'gateway.networking.k8s.io/bundle-version') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], + 'v1.[0-4].\\d+') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], + 'v0')) + message: >- + Installing CRDs with version before v1.5.0 is prohibited by default. + Uninstall ValidatingAdmissionPolicy + safe-upgrades.gateway.networking.k8s.io to install older versions. + reason: Invalid 
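Review bot: The `gateway.networking.k8s.io/bundle-version: v1.5.0-dev` annotation on this policy says the Gateway API CRD bundle (and the VAP guarding it) was rendered from an unreleased development build rather than a tagged release, and the policy's own second rule will happily accept it because it only rejects `v1.[0-4].x` and `v0` bundles. Since these schemas front public TLS termination for the whole cluster, I would re-render from a tagged release so the annotation reads a released `v1.x.y`, and record the provenance next to it, e.g. `# rendered from the gateway-api standard-channel bundle at <release tag>; bump the safe-upgrades policy together with the CRDs`. Note also that `matchConstraints` here uses `resources: '*'` under apiextensions while the binding narrows to `customresourcedefinitions`; that is consistent as generated, but the two must stay in step if either is ever hand-edited.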
diff --git a/_/ValidatingAdmissionPolicyBinding/safe-upgrades.gateway.networking.k8s.io.yaml b/_/ValidatingAdmissionPolicyBinding/safe-upgrades.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..730ce15 --- /dev/null +++ b/_/ValidatingAdmissionPolicyBinding/safe-upgrades.gateway.networking.k8s.io.yaml @@ -0,0 +1,22 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + matchResources: + resourceRules: + - apiGroups: + - apiextensions.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - customresourcedefinitions + policyName: safe-upgrades.gateway.networking.k8s.io + validationActions: + - Deny diff --git a/_/ValidatingWebhookConfiguration/cert-manager-webhook.yaml b/_/ValidatingWebhookConfiguration/cert-manager-webhook.yaml index 75c7391..4c8c00d 100644 --- a/_/ValidatingWebhookConfiguration/cert-manager-webhook.yaml +++ b/_/ValidatingWebhookConfiguration/cert-manager-webhook.yaml @@ -9,8 +9,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-webhook webhooks: - admissionReviewVersions: @@ -41,4 +41,4 @@ webhooks: resources: - '*/*' sideEffects: None - timeoutSeconds: 10 + timeoutSeconds: 30 diff --git a/balancer/Gateway/balancer.yaml b/balancer/Gateway/balancer.yaml new file mode 100644 index 0000000..28e23af --- /dev/null +++ b/balancer/Gateway/balancer.yaml 
@@ -0,0 +1,21 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod-gateway
+ name: balancer
+ namespace: balancer
+spec:
+ gatewayClassName: eg
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: balancerproject.org
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: balancer-gw-tls
+ mode: Terminate
diff --git a/balancer/HTTPRoute/balancer.yaml b/balancer/HTTPRoute/balancer.yaml
new file mode 100644
index 0000000..2ca73b1
--- /dev/null
+++ b/balancer/HTTPRoute/balancer.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: balancer
+ namespace: balancer
+spec:
+ hostnames:
+ - balancerproject.org
+ parentRefs:
+ - name: balancer
+ rules:
+ - backendRefs:
+ - name: balancer
+ port: 8000
diff --git a/browserless-chrome/Gateway/browserless-chrome.yaml b/browserless-chrome/Gateway/browserless-chrome.yaml
new file mode 100644
index 0000000..3de5f34
--- /dev/null
+++ b/browserless-chrome/Gateway/browserless-chrome.yaml
@@ -0,0 +1,21 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod-gateway
+ name: browserless-chrome
+ namespace: browserless-chrome
+spec:
+ gatewayClassName: eg
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: browserless-chrome.live.k8s.phl.io
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: browserless-chrome-gw-tls
+ mode: Terminate
diff --git a/browserless-chrome/HTTPRoute/browserless-chrome.yaml b/browserless-chrome/HTTPRoute/browserless-chrome.yaml
new file mode 100644
index 0000000..09584ac
--- /dev/null
+++ b/browserless-chrome/HTTPRoute/browserless-chrome.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: browserless-chrome
+ namespace: browserless-chrome
+spec:
+ hostnames:
+ - browserless-chrome.live.k8s.phl.io
+ parentRefs:
+ - name: browserless-chrome
+ rules:
+ - backendRefs:
+ - name: browserless-chrome
+ port: 80
diff --git a/cert-manager/ConfigMap/cert-manager-webhook.yaml b/cert-manager/ConfigMap/cert-manager-webhook.yaml
deleted file mode 100644
index cec4cf9..0000000
--- a/cert-manager/ConfigMap/cert-manager-webhook.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-data: null
-kind: ConfigMap
-metadata:
- labels:
- app: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
- name: cert-manager-webhook
- namespace: cert-manager
diff --git a/cert-manager/ConfigMap/cert-manager.yaml b/cert-manager/ConfigMap/cert-manager.yaml
index 465c5f8..eea3c22 100644
--- a/cert-manager/ConfigMap/cert-manager.yaml
+++ b/cert-manager/ConfigMap/cert-manager.yaml
@@ -1,5 +1,11 @@
 apiVersion: v1
-data: null
+data:
+ config.yaml: |
+ apiVersion: controller.config.cert-manager.io/v1alpha1
+ enableGatewayAPI: true
+ featureGates:
+ ListenerSets: true
+ kind: ControllerConfiguration
 kind: ConfigMap
 metadata:
 labels:
@@ -8,7 +14,7 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager
 namespace: cert-manager
diff --git a/cert-manager/Deployment/cert-manager-cainjector.yaml b/cert-manager/Deployment/cert-manager-cainjector.yaml
index 3c4f612..1c6e621 100644
--- a/cert-manager/Deployment/cert-manager-cainjector.yaml
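Review bot: `featureGates: ListenerSets: true` in the new `config.yaml` of the `cert-manager` ConfigMap enables support for an experimental-channel Gateway API resource, while the CRD bundle installed by this commit is annotated `gateway.networking.k8s.io/channel: standard` (see the ValidatingAdmissionPolicy earlier in the diff). Confirm that the controller starts cleanly with the gate on and the corresponding experimental CRD absent; if it is not needed, keep only `enableGatewayAPI: true`, which is what the per-app Gateway annotations depend on. Either way a comment above the gate, `# ListenerSets is an experimental-channel Gateway API feature; only the standard channel CRDs are installed`, records the decision.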
+++ b/cert-manager/Deployment/cert-manager-cainjector.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager-cainjector
 namespace: cert-manager
 spec:
@@ -20,14 +20,18 @@ spec:
 app.kubernetes.io/name: cainjector
 template:
 metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: '9402'
+ prometheus.io/scrape: 'true'
 labels:
 app: cainjector
 app.kubernetes.io/component: cainjector
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 spec:
 containers:
 - args:
@@ -38,14 +42,19 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-cainjector:v1.10.1
+ image: quay.io/jetstack/cert-manager-cainjector:v1.20.2
 imagePullPolicy: IfNotPresent
 name: cert-manager-cainjector
+ ports:
+ - containerPort: 9402
+ name: http-metrics
+ protocol: TCP
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
+ readOnlyRootFilesystem: true
 enableServiceLinks: false
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/cert-manager/Deployment/cert-manager-webhook.yaml b/cert-manager/Deployment/cert-manager-webhook.yaml
index c504f7a..8d40388 100644
--- a/cert-manager/Deployment/cert-manager-webhook.yaml
+++ b/cert-manager/Deployment/cert-manager-webhook.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager-webhook
 namespace: cert-manager
 spec:
@@ -20,14 +20,18 @@ spec:
 app.kubernetes.io/name: webhook
 template:
 metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: '9402'
+ prometheus.io/scrape: 'true'
 labels:
 app: webhook
 app.kubernetes.io/component: webhook
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 spec:
 containers:
 - args:
@@ -44,13 +48,13 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-webhook:v1.10.1
+ image: quay.io/jetstack/cert-manager-webhook:v1.20.2
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 3
 httpGet:
 path: /livez
- port: 6080
+ port: healthcheck
 scheme: HTTP
 initialDelaySeconds: 60
 periodSeconds: 10
@@ -64,11 +68,14 @@ spec:
 - containerPort: 6080
 name: healthcheck
 protocol: TCP
+ - containerPort: 9402
+ name: http-metrics
+ protocol: TCP
 readinessProbe:
 failureThreshold: 3
 httpGet:
 path: /healthz
- port: 6080
+ port: healthcheck
 scheme: HTTP
 initialDelaySeconds: 5
 periodSeconds: 5
@@ -79,6 +86,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ readOnlyRootFilesystem: true
 enableServiceLinks: false
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/cert-manager/Deployment/cert-manager.yaml b/cert-manager/Deployment/cert-manager.yaml
index fff451b..f410a14 100644
--- a/cert-manager/Deployment/cert-manager.yaml
+++ b/cert-manager/Deployment/cert-manager.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager
 namespace: cert-manager
 spec:
@@ -30,24 +30,35 @@ spec:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 spec:
 containers:
 - args:
 - '--v=2'
+ - '--config=/var/cert-manager/config/config.yaml'
 - '--cluster-resource-namespace=$(POD_NAMESPACE)'
 - '--leader-election-namespace=kube-system'
 - >-
- --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.10.1
+ --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.20.2
 - '--max-concurrent-challenges=60'
 env:
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-controller:v1.10.1
+ image: quay.io/jetstack/cert-manager-controller:v1.20.2
 imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 8
+ httpGet:
+ path: /livez
+ port: http-healthz
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 15
 name: cert-manager-controller
 ports:
 - containerPort: 9402
@@ -65,6 +76,10 @@ spec:
 capabilities:
 drop:
 - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /var/cert-manager/config
+ name: config
 enableServiceLinks: false
 nodeSelector:
 kubernetes.io/os: linux
@@ -73,3 +88,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: cert-manager
+ volumes:
+ - configMap:
+ name: cert-manager
+ name: config
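Review bot: The controller now takes `--config=/var/cert-manager/config/config.yaml` from the `cert-manager` ConfigMap mounted at `/var/cert-manager/config`, but nothing in the pod template changes when that ConfigMap changes, so a later edit to `config.yaml` (for example toggling a feature gate) will not roll the Deployment and, if the controller reads the file only at start-up, will not take effect until the pods restart for some other reason. A checksum-style annotation on the pod template, or a rollout restart step in the deploy workflow after the ConfigMap is applied, closes that gap; at minimum a comment next to the `volumes` entry, `# config changes do not trigger a rollout; restart the Deployment after editing the cert-manager ConfigMap`, warns the next operator.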
diff --git a/cert-manager/Role/cert-manager-tokenrequest.yaml b/cert-manager/Role/cert-manager-tokenrequest.yaml
new file mode 100644
index 0000000..3d63316
--- /dev/null
+++ b/cert-manager/Role/cert-manager-tokenrequest.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app: cert-manager
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
+ name: cert-manager-tokenrequest
+ namespace: cert-manager
+rules:
+ - apiGroups:
+ - ''
+ resourceNames:
+ - cert-manager
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
diff --git a/cert-manager/Role/cert-manager-webhook:dynamic-serving.yaml b/cert-manager/Role/cert-manager-webhook:dynamic-serving.yaml
index 156f369..2172318 100644
--- a/cert-manager/Role/cert-manager-webhook:dynamic-serving.yaml
+++ b/cert-manager/Role/cert-manager-webhook:dynamic-serving.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager-webhook:dynamic-serving
 namespace: cert-manager
 rules:
diff --git a/cert-manager/RoleBinding/cert-manager-tokenrequest.yaml b/cert-manager/RoleBinding/cert-manager-tokenrequest.yaml
new file mode 100644
index 0000000..d74073d
--- /dev/null
+++ b/cert-manager/RoleBinding/cert-manager-tokenrequest.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app: cert-manager
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
+ name: cert-manager-tokenrequest
+ namespace: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cert-manager-tokenrequest
+subjects:
+ - kind: ServiceAccount
+ name: cert-manager
+ namespace: cert-manager
diff --git a/cert-manager/RoleBinding/cert-manager-webhook:dynamic-serving.yaml b/cert-manager/RoleBinding/cert-manager-webhook:dynamic-serving.yaml
index baebb46..169fcbd 100644
--- a/cert-manager/RoleBinding/cert-manager-webhook:dynamic-serving.yaml
+++ b/cert-manager/RoleBinding/cert-manager-webhook:dynamic-serving.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager-webhook:dynamic-serving
 namespace: cert-manager
 roleRef:
@@ -16,7 +16,6 @@ roleRef:
 kind: Role
 name: cert-manager-webhook:dynamic-serving
 subjects:
- - apiGroup: ''
- kind: ServiceAccount
+ - kind: ServiceAccount
 name: cert-manager-webhook
 namespace: cert-manager
diff --git a/cert-manager/Service/cert-manager-cainjector.yaml b/cert-manager/Service/cert-manager-cainjector.yaml
new file mode 100644
index 0000000..3393b18
--- /dev/null
+++ b/cert-manager/Service/cert-manager-cainjector.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: cainjector
+ app.kubernetes.io/component: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
+ name: cert-manager-cainjector
+ namespace: cert-manager
+spec:
+ ports:
+ - name: http-metrics
+ port: 9402
+ protocol: TCP
+ selector:
+ app.kubernetes.io/component: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/name: cainjector
+ type: ClusterIP
diff --git a/cert-manager/Service/cert-manager-webhook.yaml b/cert-manager/Service/cert-manager-webhook.yaml
index 50ad4cc..41e7ca4 100644
--- a/cert-manager/Service/cert-manager-webhook.yaml
+++ b/cert-manager/Service/cert-manager-webhook.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager-webhook
 namespace: cert-manager
 spec:
@@ -17,6 +17,10 @@ spec:
 port: 443
 protocol: TCP
 targetPort: https
+ - name: metrics
+ port: 9402
+ protocol: TCP
+ targetPort: http-metrics
 selector:
 app.kubernetes.io/component: webhook
 app.kubernetes.io/instance: cert-manager
diff --git a/cert-manager/Service/cert-manager.yaml b/cert-manager/Service/cert-manager.yaml
index 15dacc2..a6fe948 100644
--- a/cert-manager/Service/cert-manager.yaml
+++ b/cert-manager/Service/cert-manager.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager
 namespace: cert-manager
 spec:
@@ -16,7 +16,7 @@ spec:
 - name: tcp-prometheus-servicemonitor
 port: 9402
 protocol: TCP
- targetPort: 9402
+ targetPort: http-metrics
 selector:
 app.kubernetes.io/component: controller
 app.kubernetes.io/instance: cert-manager
diff --git a/cert-manager/ServiceAccount/cert-manager-cainjector.yaml b/cert-manager/ServiceAccount/cert-manager-cainjector.yaml
index 82e11f3..d81893b 100644
--- a/cert-manager/ServiceAccount/cert-manager-cainjector.yaml
+++ b/cert-manager/ServiceAccount/cert-manager-cainjector.yaml
@@ -8,7 +8,7 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager-cainjector
 namespace: cert-manager
diff --git a/cert-manager/ServiceAccount/cert-manager-webhook.yaml b/cert-manager/ServiceAccount/cert-manager-webhook.yaml
index 5d3e565..aae3d3c 100644
--- a/cert-manager/ServiceAccount/cert-manager-webhook.yaml
+++ b/cert-manager/ServiceAccount/cert-manager-webhook.yaml
@@ -8,7 +8,7 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager-webhook
 namespace: cert-manager
diff --git a/cert-manager/ServiceAccount/cert-manager.yaml b/cert-manager/ServiceAccount/cert-manager.yaml
index a8d0fdc..13dac9d 100644
--- a/cert-manager/ServiceAccount/cert-manager.yaml
+++ b/cert-manager/ServiceAccount/cert-manager.yaml
@@ -8,7 +8,7 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.10.1
- helm.sh/chart: cert-manager-v1.10.1
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
 name: cert-manager
 namespace: cert-manager
diff --git a/chime/Gateway/chime.yaml b/chime/Gateway/chime.yaml
new file mode 100644
index 0000000..8da3b21
--- /dev/null
+++ b/chime/Gateway/chime.yaml
@@ -0,0 +1,32 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod-gateway
+ name: chime
+ namespace: chime
+spec:
+ gatewayClassName: eg
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: penn-chime.phl.io
+ name: https-apex
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: penn-chime-phl-gw-tls
+ mode: Terminate
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: penn-chime.live.k8s.phl.io
+ name: https-subdomain
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: penn-chime-live-gw-tls
+ mode: Terminate
diff --git a/chime/HTTPRoute/chime.yaml b/chime/HTTPRoute/chime.yaml
new file mode 100644
index 0000000..8d0637a
--- /dev/null
+++ b/chime/HTTPRoute/chime.yaml
@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: chime
+ namespace: chime
+spec:
+ hostnames:
+ - penn-chime.phl.io
+ - penn-chime.live.k8s.phl.io
+ parentRefs:
+ - name: chime
+ rules:
+ - backendRefs:
+ - name: chime
+ port: 80
diff --git a/choose-native-plants/Gateway/choose-native-plants.yaml b/choose-native-plants/Gateway/choose-native-plants.yaml
new file mode 100644
index 0000000..c6acb39
--- /dev/null
+++ b/choose-native-plants/Gateway/choose-native-plants.yaml
@@ -0,0 +1,43 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod-gateway
+ name: choose-native-plants
+ namespace: choose-native-plants
+spec:
+ gatewayClassName: eg
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: choose-native-plants.live.k8s.phl.io
+ name: https-subdomain
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: choose-native-plants-gw-tls
+ mode: Terminate
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: choosenativeplants.com
+ name: https-apex
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: choosenativeplants-com-gw-tls
+ mode: Terminate
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: www.choosenativeplants.com
+ name: https-www
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: www-choosenativeplants-com-gw-tls
+ mode: Terminate
diff --git a/choose-native-plants/HTTPRoute/choose-native-plants.yaml b/choose-native-plants/HTTPRoute/choose-native-plants.yaml
new file mode 100644
index 0000000..2bacdae
--- /dev/null
+++ b/choose-native-plants/HTTPRoute/choose-native-plants.yaml
@@ -0,0 +1,16 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: choose-native-plants
+ namespace: choose-native-plants
+spec:
+ hostnames:
+ - choose-native-plants.live.k8s.phl.io
+ - choosenativeplants.com
+ - www.choosenativeplants.com
+ parentRefs:
+ - name: choose-native-plants
+ rules:
+ - backendRefs:
+ - name: choose-native-plants
+ port: 80
diff --git a/code-for-philly/Gateway/code-for-philly.yaml b/code-for-philly/Gateway/code-for-philly.yaml
new file mode 100644
index 0000000..23c28a7
--- /dev/null
+++ b/code-for-philly/Gateway/code-for-philly.yaml
@@ -0,0 +1,43 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod-gateway
+ name: code-for-philly
+ namespace: code-for-philly
+spec:
+ gatewayClassName: eg
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: codeforphilly.org
+ name: https-apex
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: codeforphilly-org-gw-tls
+ mode: Terminate
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: www.codeforphilly.org
+ name: https-www
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: www-codeforphilly-org-gw-tls
+ mode: Terminate
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: codeforphilly.live.k8s.phl.io
+ name: https-subdomain
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: codeforphilly-live-gw-tls
+ mode: Terminate
diff --git a/code-for-philly/HTTPRoute/code-for-philly.yaml b/code-for-philly/HTTPRoute/code-for-philly.yaml
new file mode 100644
index 0000000..7587f25
--- /dev/null
+++ b/code-for-philly/HTTPRoute/code-for-philly.yaml
@@ -0,0 +1,16 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: code-for-philly
+ namespace: code-for-philly
+spec:
+ hostnames:
+ - codeforphilly.org
+ - www.codeforphilly.org
+ - codeforphilly.live.k8s.phl.io
+ parentRefs:
+ - name: code-for-philly
+ rules:
+ - backendRefs:
+ - name: code-for-philly-site
+ port: 80
diff --git a/echo-http/Gateway/echo-http.yaml b/echo-http/Gateway/echo-http.yaml
new file mode 100644
index 0000000..af131d0
--- /dev/null
+++ b/echo-http/Gateway/echo-http.yaml
@@ -0,0 +1,21 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod-gateway
+ name: echo-http
+ namespace: echo-http
+spec:
+ gatewayClassName: eg
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: echo-http.live.k8s.phl.io
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - name: echo-http-gw-tls
+ mode: Terminate
diff --git a/echo-http/HTTPRoute/echo-http.yaml b/echo-http/HTTPRoute/echo-http.yaml
new file mode 100644
index 0000000..1541deb
--- /dev/null
+++ b/echo-http/HTTPRoute/echo-http.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: echo-http
+ namespace: echo-http
+spec:
+ hostnames:
+ - echo-http.live.k8s.phl.io
+ parentRefs:
+ - name: echo-http
+ rules:
+ - backendRefs:
+ - name: echo-http
+ port: 80
diff --git a/envoy-gateway-system/ConfigMap/envoy-gateway-config.yaml b/envoy-gateway-system/ConfigMap/envoy-gateway-config.yaml
new file mode 100644
index 0000000..7e10db6
--- /dev/null
+++ b/envoy-gateway-system/ConfigMap/envoy-gateway-config.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+data:
+ envoy-gateway.yaml: |
+ apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyGateway
+ extensionApis: {}
+ gateway:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ logging:
+ level:
+ default: info
+ provider:
+ kubernetes:
+ rateLimitDeployment:
+ container:
+ image: docker.io/envoyproxy/ratelimit:05c08d03
+ patch:
+ type: StrategicMerge
+ value:
+ spec:
+ template:
+ spec:
+ containers:
+ - imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ shutdownManager:
+ image: docker.io/envoyproxy/gateway:v1.7.3
+ type: Kubernetes
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-config
+ namespace: envoy-gateway-system
diff --git a/envoy-gateway-system/Deployment/envoy-gateway.yaml b/envoy-gateway-system/Deployment/envoy-gateway.yaml
new file mode 100644
index 0000000..61d7ce1
--- /dev/null
+++ b/envoy-gateway-system/Deployment/envoy-gateway.yaml
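Review bot: `rateLimitDeployment.container.image: docker.io/envoyproxy/ratelimit:05c08d03` references the rate-limit service by a mutable short tag, and the `shutdownManager` image (and the control-plane image in the next file) are tag-only as well, so the bytes that end up terminating TLS for every site in this repo are not pinned to a verified digest and can change underneath a re-pull. For a component in this position, digest pinning, `image: docker.io/envoyproxy/ratelimit@sha256:<DIGEST>` (placeholder), makes the deployed binaries reproducible; the ratelimit image only matters once a global rate-limit policy is in use, which may be why it was left at the chart default. A comment at the top of the `data` block noting that this config is rendered from `gateway-helm-v1.7.3` and should be regenerated rather than hand-edited would also help the next upgrader.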
@@ -0,0 +1,102 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ control-plane: envoy-gateway
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway
+ namespace: envoy-gateway-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/name: gateway-helm
+ control-plane: envoy-gateway
+ template:
+ metadata:
+ annotations:
+ prometheus.io/port: '19001'
+ prometheus.io/scrape: 'true'
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/name: gateway-helm
+ control-plane: envoy-gateway
+ spec:
+ containers:
+ - args:
+ - server
+ - '--config-path=/config/envoy-gateway.yaml'
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: cluster.local
+ image: docker.io/envoyproxy/gateway:v1.7.3
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: envoy-gateway
+ ports:
+ - containerPort: 18000
+ name: grpc
+ - containerPort: 18001
+ name: ratelimit
+ - containerPort: 18002
+ name: wasm
+ - containerPort: 19001
+ name: metrics
+ - containerPort: 9443
+ name: webhook
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /config
+ name: envoy-gateway-config
+ readOnly: true
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ imagePullSecrets: []
+ serviceAccountName: envoy-gateway
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: envoy-gateway-config
+ name: envoy-gateway-config
+ - name: certs
+ secret:
+ secretName: envoy-gateway
diff --git a/envoy-gateway-system/EnvoyProxy/shared.yaml b/envoy-gateway-system/EnvoyProxy/shared.yaml
new file mode 100644
index 0000000..cb7bb82
--- /dev/null
+++ b/envoy-gateway-system/EnvoyProxy/shared.yaml
@@ -0,0 +1,7 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+ name: shared
+ namespace: envoy-gateway-system
+spec:
+ mergeGateways: true
diff --git a/envoy-gateway-system/Gateway/main-gateway.yaml b/envoy-gateway-system/Gateway/main-gateway.yaml
new file mode 100644
index 0000000..fcec1b2
--- /dev/null
+++ b/envoy-gateway-system/Gateway/main-gateway.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: main-gateway
+ namespace: envoy-gateway-system
+spec:
+ gatewayClassName: eg
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
diff --git a/envoy-gateway-system/HTTPRoute/http-redirect.yaml b/envoy-gateway-system/HTTPRoute/http-redirect.yaml
new file mode 100644
index 0000000..611b673
--- /dev/null
+++ b/envoy-gateway-system/HTTPRoute/http-redirect.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-redirect
+ namespace: envoy-gateway-system
+spec:
+ parentRefs:
+ - name: main-gateway
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
diff --git a/envoy-gateway-system/Job/envoy-gateway-gateway-helm-certgen.yaml b/envoy-gateway-system/Job/envoy-gateway-gateway-helm-certgen.yaml
new file mode 100644
index 0000000..6ab98bd
--- /dev/null
+++ b/envoy-gateway-system/Job/envoy-gateway-gateway-helm-certgen.yaml
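Review bot: The `envoy-gateway` container's securityContext (this Deployment hunk begins on the previous physical line) omits `readOnlyRootFilesystem: true`, which the certgen Job further down sets for the very same image, so the two rendered manifests are inconsistent and the long-running control plane is the one left with a writable root filesystem. Its only inputs are the read-only mounts at `/config` and `/certs`, so adding `readOnlyRootFilesystem: true` after `privileged: false` is likely safe, though confirm the server writes no local state first. The pod template also carries a memory limit but no CPU limit; if that is deliberate a short comment saying so would keep the next reviewer from "fixing" it.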
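Review bot: `main-gateway` opens a plaintext port-80 listener with `allowedRoutes.namespaces.from: All`, so any namespace in the cluster can bind an HTTPRoute to it, and under Gateway API route precedence a route carrying a specific `hostnames` entry wins over the hostname-less catch-all in the `http-redirect` hunk that follows, so such a route would be served over HTTP with no redirect to HTTPS. The open policy is presumably there so cert-manager's HTTP-01 solver rout
es, created in each application namespace for the `letsencrypt-*-gateway` ClusterIssuers, can attach; if so, `from: Selector` with a namespace label applied to the application namespaces keeps that working while stopping arbitrary namespaces from binding, and a comment on the listener, `# port 80 is open to all namespaces so cert-manager HTTP-01 solver routes can attach; everything else is redirected to HTTPS`, records the reason. The per-app Gateways in this diff also depend on the `shared` EnvoyProxy's `mergeGateways: true` putting them behind one proxy and one external address, yet the `eg` GatewayClass that would reference it via `parametersRef` is not in the diff, so confirm that binding exists.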
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ helm.sh/hook: pre-install, pre-upgrade
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-certgen
+ namespace: envoy-gateway-system
+spec:
+ backoffLimit: 1
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: certgen
+ spec:
+ containers:
+ - command:
+ - envoy-gateway
+ - certgen
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: cluster.local
+ image: docker.io/envoyproxy/gateway:v1.7.3
+ imagePullPolicy: IfNotPresent
+ name: envoy-gateway-certgen
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ imagePullSecrets: []
+ restartPolicy: Never
+ serviceAccountName: envoy-gateway-gateway-helm-certgen
+ ttlSecondsAfterFinished: 30
diff --git a/envoy-gateway-system/Role/envoy-gateway-gateway-helm-certgen.yaml b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-certgen.yaml
new file mode 100644
index 0000000..aa42121
--- /dev/null
+++ b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-certgen.yaml
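Review bot: The `helm.sh/hook: pre-install, pre-upgrade` annotation is only honoured by Helm, so once these rendered manifests are applied with kubectl this Job is an ordinary resource: with `ttlSecondsAfterFinished: 30` it is garbage-collected shortly after completing and re-created, re-running certgen, on every subsequent apply, and if the pod template ever changes while a previous Job still exists the apply fails because Job templates are immutable. Confirm that certgen is idempotent against existing secrets (its Role in the next hunk grants `get` and `update` alongside `create`, which suggests it is) and add a comment on the Job, `# re-runs on every apply once the TTL has reaped the previous Job; certgen must tolerate existing secrets`, so the behaviour is not a surprise.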
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ helm.sh/hook: pre-install, pre-upgrade
+ helm.sh/hook-weight: '-1'
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-certgen
+ namespace: envoy-gateway-system
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
diff --git a/envoy-gateway-system/Role/envoy-gateway-gateway-helm-infra-manager.yaml b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-infra-manager.yaml
new file mode 100644
index 0000000..014daca
--- /dev/null
+++ b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-infra-manager.yaml
@@ -0,0 +1,57 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-infra-manager
+ namespace: envoy-gateway-system
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - serviceaccounts
+ - services
+ - configmaps
+ verbs:
+ - create
+ - get
+ - list
+ - delete
+ - deletecollection
+ - patch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - create
+ - get
+ - delete
+ - deletecollection
+ - patch
+ - apiGroups:
+ - autoscaling
+ - policy
+ resources:
+ - horizontalpodautoscalers
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - get
+ - list
+ - delete
+ - deletecollection
+ - patch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - clustertrustbundles
+ verbs:
+ - list
+ - get
+ - watch
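Review bot: The certgen Role grants `get`, `create` and `update` on every Secret in `envoy-gateway-system`, which includes the `envoy-gateway` Secret the control plane itself mounts under `/certs`, and anything else that lands in that namespace later. RBAC cannot restrict `create` by name, but `get` and `update` can be narrowed with `resourceNames` to the secrets certgen actually manages, which limits what a misbehaving or compromised certgen pod can read; the names beyond `envoy-gateway` are not visible in this diff, so the list below uses a placeholder.

```yaml
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - secrets
    resourceNames:
      - envoy-gateway
      - <OTHER_CERTGEN_SECRET_NAMES>
    verbs:
      - get
      - update
```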
diff --git a/envoy-gateway-system/Role/envoy-gateway-gateway-helm-leader-election-role.yaml b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-leader-election-role.yaml
new file mode 100644
index 0000000..0ebc576
--- /dev/null
+++ b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-leader-election-role.yaml
@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-leader-election-role
+ namespace: envoy-gateway-system
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-certgen.yaml b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-certgen.yaml
new file mode 100644
index 0000000..3ee5811
--- /dev/null
+++ b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-certgen.yaml
@@ -0,0 +1,22 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + helm.sh/hook: pre-install, pre-upgrade + helm.sh/hook-weight: '-1' + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway-gateway-helm-certgen + namespace: envoy-gateway-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: envoy-gateway-gateway-helm-certgen +subjects: + - kind: ServiceAccount + name: envoy-gateway-gateway-helm-certgen + namespace: envoy-gateway-system diff --git a/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-infra-manager.yaml b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-infra-manager.yaml new file mode 100644 index 0000000..ee2b95b --- /dev/null +++ b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-infra-manager.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway-gateway-helm-infra-manager + namespace: envoy-gateway-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: envoy-gateway-gateway-helm-infra-manager +subjects: + - kind: ServiceAccount + name: envoy-gateway + namespace: envoy-gateway-system diff --git a/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-leader-election-rolebinding.yaml b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-leader-election-rolebinding.yaml new file mode 100644 index 0000000..c0a7f4e --- /dev/null +++ b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-leader-election-rolebinding.yaml 
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway-gateway-helm-leader-election-rolebinding + namespace: envoy-gateway-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: envoy-gateway-gateway-helm-leader-election-role +subjects: + - kind: ServiceAccount + name: envoy-gateway + namespace: envoy-gateway-system diff --git a/envoy-gateway-system/Service/envoy-gateway.yaml b/envoy-gateway-system/Service/envoy-gateway.yaml new file mode 100644 index 0000000..22e94eb --- /dev/null +++ b/envoy-gateway-system/Service/envoy-gateway.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway + namespace: envoy-gateway-system +spec: + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 + - name: webhook + port: 9443 + targetPort: 9443 + selector: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/name: gateway-helm + control-plane: envoy-gateway + type: ClusterIP diff --git a/envoy-gateway-system/ServiceAccount/envoy-gateway-gateway-helm-certgen.yaml b/envoy-gateway-system/ServiceAccount/envoy-gateway-gateway-helm-certgen.yaml new file mode 100644 index 0000000..27b0dc5 --- /dev/null +++ b/envoy-gateway-system/ServiceAccount/envoy-gateway-gateway-helm-certgen.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + helm.sh/hook: pre-install, pre-upgrade + helm.sh/hook-weight: '-1' + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway-gateway-helm-certgen + namespace: envoy-gateway-system diff --git a/envoy-gateway-system/ServiceAccount/envoy-gateway.yaml b/envoy-gateway-system/ServiceAccount/envoy-gateway.yaml new file mode 100644 index 0000000..e7a6107 --- /dev/null +++ b/envoy-gateway-system/ServiceAccount/envoy-gateway.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway + namespace: envoy-gateway-system diff --git a/grafana/Gateway/grafana.yaml b/grafana/Gateway/grafana.yaml new file mode 100644 index 0000000..90d4765 --- /dev/null +++ b/grafana/Gateway/grafana.yaml @@ -0,0 +1,21 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod-gateway + name: grafana + namespace: grafana +spec: + gatewayClassName: eg + listeners: + - allowedRoutes: + namespaces: + from: Same + hostname: metrics.live.k8s.phl.io + name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - name: grafana-gw-tls + mode: Terminate diff --git a/grafana/HTTPRoute/grafana.yaml b/grafana/HTTPRoute/grafana.yaml new file mode 100644 index 0000000..ce0ca41 --- /dev/null +++ b/grafana/HTTPRoute/grafana.yaml 
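Review bot: The grafana Gateway declares only an HTTPS listener on 443, yet the `cert-manager.io/cluster-issuer: letsencrypt-prod-gateway` annotation asks cert-manager to issue a certificate for `metrics.live.k8s.phl.io`, which presumably has to pass an ACME challenge that nothing in this file can answer (no port 80 listener, and `allowedRoutes.namespaces.from: Same` keeps solver routes from other namespaces out). Issuance therefore depends on whichever gateway the issuer's solver attaches to being reachable at the address this hostname resolves to; that coupling is invisible here and should be stated, e.g. `# cert via cert-manager gateway-shim; ACME HTTP-01 is answered by the shared gateway, so DNS for this host must point at it` above the annotation. It is also worth confirming that the cert-manager deployment has Gateway API support enabled, since the annotation is silently ignored otherwise and the listener would stay down for lack of `grafana-gw-tls`. The same point applies to the sealed-secrets, third-places and vaultwarden Gateways later in this diff.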
@@ -0,0 +1,14 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: grafana + namespace: grafana +spec: + hostnames: + - metrics.live.k8s.phl.io + parentRefs: + - name: grafana + rules: + - backendRefs: + - name: grafana + port: 80 diff --git a/hairpin-proxy/Deployment/hairpin-proxy-controller.yaml b/hairpin-proxy/Deployment/hairpin-proxy-controller.yaml deleted file mode 100644 index 44c138e..0000000 --- a/hairpin-proxy/Deployment/hairpin-proxy-controller.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: hairpin-proxy-controller - name: hairpin-proxy-controller - namespace: hairpin-proxy -spec: - replicas: 1 - selector: - matchLabels: - app: hairpin-proxy-controller - template: - metadata: - labels: - app: hairpin-proxy-controller - spec: - containers: - - env: - - name: COREDNS_CONFIGMAP_NAME - value: coredns-custom - - name: COREDNS_IMPORT_CONFIG - value: 'true' - image: ghcr.io/jarvusinnovations/hairpin-proxy/controller:0.3.0 - name: main - resources: - limits: - cpu: 50m - memory: 100Mi - requests: - cpu: 10m - memory: 50Mi - securityContext: - runAsGroup: 65533 - runAsUser: 405 - serviceAccountName: hairpin-proxy-controller-sa diff --git a/hairpin-proxy/Deployment/hairpin-proxy-haproxy.yaml b/hairpin-proxy/Deployment/hairpin-proxy-haproxy.yaml deleted file mode 100644 index 20ba8a9..0000000 --- a/hairpin-proxy/Deployment/hairpin-proxy-haproxy.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: hairpin-proxy-haproxy - name: hairpin-proxy-haproxy - namespace: hairpin-proxy -spec: - replicas: 1 - selector: - matchLabels: - app: hairpin-proxy-haproxy - template: - metadata: - labels: - app: hairpin-proxy-haproxy - spec: - containers: - - image: ghcr.io/jarvusinnovations/hairpin-proxy/haproxy:0.3.0 - name: main - resources: - limits: - cpu: 50m - memory: 200Mi - requests: - cpu: 10m - memory: 100Mi 
diff --git a/hairpin-proxy/Service/hairpin-proxy.yaml b/hairpin-proxy/Service/hairpin-proxy.yaml deleted file mode 100644 index f38ee00..0000000 --- a/hairpin-proxy/Service/hairpin-proxy.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: hairpin-proxy - namespace: hairpin-proxy -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - selector: - app: hairpin-proxy-haproxy diff --git a/hairpin-proxy/ServiceAccount/hairpin-proxy-controller-sa.yaml b/hairpin-proxy/ServiceAccount/hairpin-proxy-controller-sa.yaml deleted file mode 100644 index d00336f..0000000 --- a/hairpin-proxy/ServiceAccount/hairpin-proxy-controller-sa.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hairpin-proxy-controller-sa - namespace: hairpin-proxy diff --git a/kube-system/ConfigMap/coredns-custom.yaml b/kube-system/ConfigMap/coredns-custom.yaml deleted file mode 100644 index e50b593..0000000 --- a/kube-system/ConfigMap/coredns-custom.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -data: - hairpinproxy.include: '' -kind: ConfigMap -metadata: - name: coredns-custom - namespace: kube-system diff --git a/kube-system/Role/cert-manager-cainjector:leaderelection.yaml b/kube-system/Role/cert-manager-cainjector:leaderelection.yaml index aea3115..397f899 100644 --- a/kube-system/Role/cert-manager-cainjector:leaderelection.yaml +++ b/kube-system/Role/cert-manager-cainjector:leaderelection.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-cainjector:leaderelection namespace: kube-system rules: 
diff --git a/kube-system/Role/cert-manager:leaderelection.yaml b/kube-system/Role/cert-manager:leaderelection.yaml index 1cfc88c..a3ea61c 100644 --- a/kube-system/Role/cert-manager:leaderelection.yaml +++ b/kube-system/Role/cert-manager:leaderelection.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager:leaderelection namespace: kube-system rules: diff --git a/kube-system/Role/hairpin-proxy-controller-r.yaml b/kube-system/Role/hairpin-proxy-controller-r.yaml deleted file mode 100644 index e0e52ad..0000000 --- a/kube-system/Role/hairpin-proxy-controller-r.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: hairpin-proxy-controller-r - namespace: kube-system -rules: - - apiGroups: - - '' - resourceNames: - - coredns - - coredns-base - - coredns-custom - resources: - - configmaps - verbs: - - get - - watch - - update diff --git a/kube-system/RoleBinding/cert-manager-cainjector:leaderelection.yaml b/kube-system/RoleBinding/cert-manager-cainjector:leaderelection.yaml index 01ddf7e..4c7af1c 100644 --- a/kube-system/RoleBinding/cert-manager-cainjector:leaderelection.yaml +++ b/kube-system/RoleBinding/cert-manager-cainjector:leaderelection.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager-cainjector:leaderelection namespace: kube-system roleRef: diff --git a/kube-system/RoleBinding/cert-manager:leaderelection.yaml b/kube-system/RoleBinding/cert-manager:leaderelection.yaml index 55151e2..09b785a 100644 
--- a/kube-system/RoleBinding/cert-manager:leaderelection.yaml +++ b/kube-system/RoleBinding/cert-manager:leaderelection.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.10.1 - helm.sh/chart: cert-manager-v1.10.1 + app.kubernetes.io/version: v1.20.2 + helm.sh/chart: cert-manager-v1.20.2 name: cert-manager:leaderelection namespace: kube-system roleRef: @@ -16,7 +16,6 @@ roleRef: kind: Role name: cert-manager:leaderelection subjects: - - apiGroup: '' - kind: ServiceAccount + - kind: ServiceAccount name: cert-manager namespace: cert-manager diff --git a/kube-system/RoleBinding/hairpin-proxy-controller-rb.yaml b/kube-system/RoleBinding/hairpin-proxy-controller-rb.yaml deleted file mode 100644 index f3df467..0000000 --- a/kube-system/RoleBinding/hairpin-proxy-controller-rb.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: hairpin-proxy-controller-rb - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: hairpin-proxy-controller-r -subjects: - - kind: ServiceAccount - name: hairpin-proxy-controller-sa - namespace: hairpin-proxy diff --git a/sealed-secrets/Gateway/sealed-secrets.yaml b/sealed-secrets/Gateway/sealed-secrets.yaml new file mode 100644 index 0000000..1d596da --- /dev/null +++ b/sealed-secrets/Gateway/sealed-secrets.yaml @@ -0,0 +1,21 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod-gateway + name: sealed-secrets + namespace: sealed-secrets +spec: + gatewayClassName: eg + listeners: + - allowedRoutes: + namespaces: + from: Same + hostname: sealed-secrets.live.k8s.phl.io + name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - name: sealed-secrets-gw-tls + mode: Terminate 
diff --git a/sealed-secrets/HTTPRoute/sealed-secrets.yaml b/sealed-secrets/HTTPRoute/sealed-secrets.yaml new file mode 100644 index 0000000..bd28af4 --- /dev/null +++ b/sealed-secrets/HTTPRoute/sealed-secrets.yaml @@ -0,0 +1,14 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: sealed-secrets + namespace: sealed-secrets +spec: + hostnames: + - sealed-secrets.live.k8s.phl.io + parentRefs: + - name: sealed-secrets + rules: + - backendRefs: + - name: sealed-secrets + port: 8080 diff --git a/third-places/Gateway/third-places.yaml b/third-places/Gateway/third-places.yaml new file mode 100644 index 0000000..788eee8 --- /dev/null +++ b/third-places/Gateway/third-places.yaml @@ -0,0 +1,21 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod-gateway + name: third-places + namespace: third-places +spec: + gatewayClassName: eg + listeners: + - allowedRoutes: + namespaces: + from: Same + hostname: third-places.live.k8s.phl.io + name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - name: third-places-gw-tls + mode: Terminate diff --git a/third-places/HTTPRoute/third-places.yaml b/third-places/HTTPRoute/third-places.yaml new file mode 100644 index 0000000..93281b4 --- /dev/null +++ b/third-places/HTTPRoute/third-places.yaml @@ -0,0 +1,14 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: third-places + namespace: third-places +spec: + hostnames: + - third-places.live.k8s.phl.io + parentRefs: + - name: third-places + rules: + - backendRefs: + - name: third-places + port: 80 diff --git a/vaultwarden/Gateway/vaultwarden.yaml b/vaultwarden/Gateway/vaultwarden.yaml new file mode 100644 index 0000000..ea829dc --- /dev/null +++ b/vaultwarden/Gateway/vaultwarden.yaml 
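Review bot: The sealed-secrets HTTPRoute forwards every path on `sealed-secrets.live.k8s.phl.io` to the controller on port 8080, so the controller's entire HTTP surface (health and metrics endpoints included, as far as I recall of that service) becomes publicly reachable rather than only the public-key endpoint that `kubeseal` needs. If cert distribution is the goal, add a path match to the rule, `matches: - path: {type: Exact, value: /v1/cert.pem}`, so other paths fall through to the gateway's default 404; if broad exposure is intentional, a comment such as `# intentionally exposes the full controller API; only public-key material is served` would save the next reader the same question. The third-places and grafana routes expose application frontends and do not have this concern.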
@@ -0,0 +1,32 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod-gateway + name: vaultwarden + namespace: vaultwarden +spec: + gatewayClassName: eg + listeners: + - allowedRoutes: + namespaces: + from: Same + hostname: vaultwarden.phl.io + name: https-vaultwarden + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - name: vaultwarden-phl-gw-tls + mode: Terminate + - allowedRoutes: + namespaces: + from: Same + hostname: bitwarden.phl.io + name: https-bitwarden + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - name: bitwarden-phl-gw-tls + mode: Terminate diff --git a/vaultwarden/HTTPRoute/vaultwarden.yaml b/vaultwarden/HTTPRoute/vaultwarden.yaml new file mode 100644 index 0000000..eab301f --- /dev/null +++ b/vaultwarden/HTTPRoute/vaultwarden.yaml @@ -0,0 +1,15 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: vaultwarden + namespace: vaultwarden +spec: + hostnames: + - vaultwarden.phl.io + - bitwarden.phl.io + parentRefs: + - name: vaultwarden + rules: + - backendRefs: + - name: vaultwarden + port: 80