diff --git a/_/ClusterRole/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml b/_/ClusterRole/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml new file mode 100644 index 0000000..37b38dd --- /dev/null +++ b/_/ClusterRole/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml @@ -0,0 +1,31 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install, pre-upgrade + helm.sh/hook-weight: '-1' + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway-gateway-helm-certgen:envoy-gateway-system +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resourceNames: + - envoy-gateway-topology-injector.envoy-gateway-system + resources: + - mutatingwebhookconfigurations + verbs: + - update + - patch diff --git a/_/ClusterRole/envoy-gateway-gateway-helm-envoy-gateway-role.yaml b/_/ClusterRole/envoy-gateway-gateway-helm-envoy-gateway-role.yaml new file mode 100644 index 0000000..131b58e --- /dev/null +++ b/_/ClusterRole/envoy-gateway-gateway-helm-envoy-gateway-role.yaml 
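Review bot: The `get` verb in the first rule of the certgen ClusterRole is granted on every mutatingwebhookconfiguration in the cluster, while the second rule already scopes `update`/`patch` to `envoy-gateway-topology-injector.envoy-gateway-system` via `resourceNames`. If the certgen job only ever reads that one configuration, `get` can be moved into the name-scoped rule (`- update`, `- patch`, `- get`) and dropped from the first, leaving only `list`/`watch` unscoped, since those verbs are generally not restricted by `resourceNames` in RBAC. The labels show this is Helm-rendered output, so the change belongs in the chart template that produces this file rather than in the rendered manifest. A one-line comment in that template noting that `list`/`watch` stay cluster-wide because of the RBAC limitation would make the intent clear to the next reviewer.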
@@ -0,0 +1,144 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: envoy-gateway-gateway-helm-envoy-gateway-role +rules: + - apiGroups: + - '' + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch + - apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update + - apiGroups: + - gateway.networking.x-k8s.io + resources: + - xlistenersets + 
verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.x-k8s.io + resources: + - xlistenersets/status + verbs: + - update + - apiGroups: + - '' + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch diff --git a/_/ClusterRoleBinding/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml b/_/ClusterRoleBinding/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml new file mode 100644 index 0000000..83636c6 --- /dev/null +++ b/_/ClusterRoleBinding/envoy-gateway-gateway-helm-certgen:envoy-gateway-system.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install, pre-upgrade + helm.sh/hook-weight: '-1' + labels: + app.kubernetes.io/instance: envoy-gateway + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/version: v1.7.3 + helm.sh/chart: gateway-helm-v1.7.3 + name: envoy-gateway-gateway-helm-certgen:envoy-gateway-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: envoy-gateway-gateway-helm-certgen:envoy-gateway-system +subjects: + - kind: ServiceAccount + name: envoy-gateway-gateway-helm-certgen + namespace: envoy-gateway-system diff --git a/_/ClusterRoleBinding/envoy-gateway-gateway-helm-envoy-gateway-rolebinding.yaml b/_/ClusterRoleBinding/envoy-gateway-gateway-helm-envoy-gateway-rolebinding.yaml new file mode 100644 index 0000000..951264e --- /dev/null +++ b/_/ClusterRoleBinding/envoy-gateway-gateway-helm-envoy-gateway-rolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: envoy-gateway-gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: envoy-gateway-gateway-helm-envoy-gateway-role +subjects: + - kind: ServiceAccount + name: envoy-gateway + namespace: envoy-gateway-system 
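Review bot: The `envoy-gateway-gateway-helm-envoy-gateway-role` ClusterRole grants `get`/`list`/`watch` on `secrets` (alongside `configmaps` and `services`) across all namespaces, with nothing in the hunk or the file recording why cluster scope is required. This is plausibly needed because Gateway API allows cross-namespace references to TLS secrets through ReferenceGrant, but that reasoning is inferred, and a controller that can read every Secret in the cluster is the grant most likely to be questioned in a review of this chart. The `pods`/`pods/binding` rule with `patch`/`update` is likewise an unusual grant for a gateway controller and would benefit from the same treatment. Both are worth a comment in the chart template such as `# secrets are read cluster-wide: Gateway API permits cross-namespace TLS secret references via ReferenceGrant`, naming the feature that needs each grant. The `creationTimestamp: null` under `metadata` is a generator artifact that is harmless on apply but adds noise to the rendered manifest.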
diff --git a/_/CustomResourceDefinition/backends.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/backends.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..8cb3e1f --- /dev/null +++ b/_/CustomResourceDefinition/backends.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,669 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: backends.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: Backend + listKind: BackendList + plural: backends + shortNames: + - be + singular: backend + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].reason + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Backend allows the user to configure the endpoints of a backend and + the behavior of the connection from Envoy Proxy to the backend. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Backend. + properties: + appProtocols: + description: >- + AppProtocols defines the application protocols to be + supported when connecting to the backend. 
+ items: + description: >- + AppProtocolType defines various backend applications + protocols supported by Envoy Gateway + enum: + - gateway.envoyproxy.io/h2c + - gateway.envoyproxy.io/ws + - gateway.envoyproxy.io/wss + type: string + type: array + endpoints: + description: >- + Endpoints defines the endpoints to be used when connecting + to the backend. + items: + description: >- + BackendEndpoint describes a backend endpoint, which can be + either a fully-qualified domain name, IP address or unix + domain socket + + corresponding to Envoy's Address: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-address + properties: + fqdn: + description: FQDN defines a FQDN endpoint + properties: + hostname: + description: >- + Hostname defines the FQDN hostname of the backend + endpoint. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: Port defines the port of the backend endpoint. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + required: + - hostname + - port + type: object + hostname: + description: >- + Hostname defines an optional hostname for the backend + endpoint. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + ip: + description: >- + IP defines an IP endpoint. Supports both IPv4 and IPv6 + addresses. + properties: + address: + description: >- + Address defines the IP address of the backend + endpoint. + + Supports both IPv4 and IPv6 addresses. + maxLength: 45 + minLength: 3 + pattern: >- + ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$ + type: string + port: + description: Port defines the port of the backend endpoint. 
+ format: int32 + maximum: 65535 + minimum: 0 + type: integer + required: + - address + - port + type: object + unix: + description: Unix defines the unix domain socket endpoint + properties: + path: + description: >- + Path defines the unix domain socket path of the + backend endpoint. + + The path length must not exceed 108 characters. + type: string + x-kubernetes-validations: + - message: >- + unix domain socket path must not exceed 108 + characters + rule: size(self) <= 108 + required: + - path + type: object + zone: + description: Zone defines the service zone of the backend endpoint. + type: string + type: object + x-kubernetes-validations: + - message: one of fqdn, ip or unix must be specified + rule: (has(self.fqdn) || has(self.ip) || has(self.unix)) + - message: only one of fqdn, ip or unix can be specified + rule: >- + ((has(self.fqdn) && !(has(self.ip) || has(self.unix))) + || (has(self.ip) && !(has(self.fqdn) || + has(self.unix))) || (has(self.unix) && !(has(self.ip) + || has(self.fqdn)))) + maxItems: 256 + minItems: 1 + type: array + x-kubernetes-validations: + - message: fqdn addresses cannot be mixed with other address types + rule: self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn)) + fallback: + description: >- + Fallback indicates whether the backend is designated as a + fallback. + + It is highly recommended to configure active or passive + health checks to ensure that failover can be detected + + when the active backends become unhealthy and to + automatically readjust once the primary backends are healthy + again. + + The overprovisioning factor is set to 1.4, meaning the + fallback backends will only start receiving traffic when + + the health of the active backends falls below 72%. + type: boolean + tls: + description: >- + TLS defines the TLS settings for the backend. + + If TLS is specified here and a BackendTLSPolicy is also + configured for the backend, the final TLS settings will + + be a merge of both configurations. 
In case of overlapping + fields, the values defined in the BackendTLSPolicy will + + take precedence. + properties: + alpnProtocols: + description: >- + ALPNProtocols supplies the list of ALPN protocols that + should be + + exposed by the listener or used by the proxy to connect + to the backend. + + Defaults: + + 1. HTTPS Routes: h2 and http/1.1 are enabled in listener + context. + + 2. Other Routes: ALPN is disabled. + + 3. Backends: proxy uses the appropriate ALPN options for + the backend protocol. + + When an empty list is provided, the ALPN TLS extension + is disabled. + + + Defaults to [h2, http/1.1] if not specified. + + + Typical Supported values are: + + - http/1.0 + + - http/1.1 + + - h2 + items: + description: >- + ALPNProtocol specifies the protocol to be negotiated + using ALPN + type: string + type: array + caCertificateRefs: + description: >- + CACertificateRefs contains one or more references to + Kubernetes objects that + + contain TLS certificates of the Certificate Authorities + that can be used + + as a trust anchor to validate the certificates presented + by the backend. + + + A single reference to a Kubernetes ConfigMap or a + Kubernetes Secret, + + with the CA certificate in a key named `ca.crt` is + currently supported. + + + If CACertificateRefs is empty or unspecified, then + WellKnownCACertificates must be + + specified. Only one of CACertificateRefs or + WellKnownCACertificates may be specified, + + not both. + items: + description: >- + LocalObjectReference identifies an API object within + the namespace of the + + referrer. + + The API object must be valid in the cluster; the Group + and Kind must + + be registered in the cluster for this reference to be + valid. + + + References to objects with invalid Group and Kind are + not valid, and must + + be rejected by the implementation, with appropriate + Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. 
For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + ciphers: + description: >- + Ciphers specifies the set of cipher suites supported + when + + negotiating TLS 1.0 - 1.2. This setting has no effect + for TLS 1.3. + + In non-FIPS Envoy Proxy builds the default cipher list + is: + + - + [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + + - + [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + In builds using BoringSSL FIPS the default cipher list + is: + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + items: + type: string + type: array + clientCertificateRef: + description: >- + ClientCertificateRef defines the reference to a + Kubernetes Secret that contains + + the client certificate and private key for Envoy to use + when connecting to + + backend services and external services, such as ExtAuth, + ALS, OpenTelemetry, etc. + + This secret should be located within the same namespace + as the Envoy proxy resource that references it. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + ecdhCurves: + description: |- + ECDHCurves specifies the set of supported ECDH curves. + In non-FIPS Envoy Proxy builds the default curves are: + - X25519 + - P-256 + In builds using BoringSSL FIPS the default curve is: + - P-256 + items: + type: string + type: array + insecureSkipVerify: + default: false + description: >- + InsecureSkipVerify indicates whether the upstream's + certificate verification + + should be skipped. Defaults to "false". + type: boolean + maxVersion: + description: |- + Max specifies the maximal TLS protocol version to allow + The default is TLS 1.3 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + minVersion: + description: |- + Min specifies the minimal TLS protocol version to allow. + The default is TLS 1.2 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + signatureAlgorithms: + description: >- + SignatureAlgorithms specifies which signature algorithms + the listener should + + support. 
+ items: + type: string + type: array + sni: + description: >- + SNI is specifies the SNI value used when establishing an + upstream TLS connection to the backend. + + + Envoy Gateway will use the HTTP host header value for + SNI, when all resources referenced in BackendRefs are: + + 1. Backend resources that do not set SNI, or + + 2. Service/ServiceImport resources that do not have a + BackendTLSPolicy attached to them + + + When a BackendTLSPolicy attaches to a Backend resource, + the BackendTLSPolicy's Hostname value takes precedence + + over this value. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + wellKnownCACertificates: + description: >- + WellKnownCACertificates specifies whether system CA + certificates may be used in + + the TLS handshake between the gateway and backend pod. + + + If WellKnownCACertificates is unspecified or empty (""), + then CACertificateRefs + + must be specified with at least one entry for a valid + configuration. Only one of + + CACertificateRefs or WellKnownCACertificates may be + specified, not both. + enum: + - System + type: string + type: object + x-kubernetes-validations: + - message: >- + must not contain both CACertificateRefs and + WellKnownCACertificates + rule: >- + !(has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 && + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + - message: >- + must not contain either CACertificateRefs or + WellKnownCACertificates when InsecureSkipVerify is + enabled + rule: >- + !((has(self.insecureSkipVerify) && + self.insecureSkipVerify) && + ((has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0) || + (has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != ""))) + - message: >- + setting ciphers has no effect if the minimum possible + TLS version is 1.3 + rule: >- + has(self.minVersion) && self.minVersion == '1.3' ? 
+ !has(self.ciphers) : true + - message: minVersion must be smaller or equal to maxVersion + rule: >- + has(self.minVersion) && has(self.maxVersion) ? + {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion] + <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : !has(self.minVersion) && has(self.maxVersion) ? 3 <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : true + type: + default: Endpoints + description: >- + Type defines the type of the backend. Defaults to + "Endpoints" + enum: + - Endpoints + - DynamicResolver + type: string + type: object + x-kubernetes-validations: + - message: DynamicResolver type cannot have endpoints specified + rule: self.type != 'DynamicResolver' || !has(self.endpoints) + status: + description: Status defines the current status of Backend. + properties: + conditions: + description: Conditions describe the current conditions of the Backend. + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/backendtlspolicies.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/backendtlspolicies.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..bde649a --- /dev/null +++ b/_/CustomResourceDefinition/backendtlspolicies.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,2323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + labels: + gateway.networking.k8s.io/policy: Direct + name: backendtlspolicies.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: BackendTLSPolicy + listKind: BackendTLSPolicyList + plural: backendtlspolicies + shortNames: + - btlspolicy + singular: backendtlspolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + BackendTLSPolicy provides a way to configure how a Gateway + connects to a Backend via TLS. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendTLSPolicy. + properties: + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in Gateway + API. This is used + + for validation of maps such as TLS options. 
This roughly + matches Kubernetes + + annotation validation, although the length validation in + that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable extended TLS + + configuration for each implementation. For example, + configuring the + + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in the + future. To avoid + + any ambiguity, implementation-specific definitions MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names defined by + Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + targetRefs: + description: >- + TargetRefs identifies an API object to apply the policy to. + + Note that this config applies to the entire referenced + resource + + by default, but this default may change in the future to + provide + + a more granular application of the policy. + + + TargetRefs must be _distinct_. This means either that: + + + * They select different targets. If this is the case, then + targetRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, and `name` must + be unique across all targetRef entries in the BackendTLSPolicy. + * They select different sectionNames in the same target. + + + When more than one BackendTLSPolicy selects the same target + and + + sectionName, implementations MUST determine precedence using + the + + following criteria, continuing on ties: + + + * The older policy by creation timestamp takes precedence. + For + example, a policy with a creation timestamp of "2021-07-15 + 01:02:03" MUST be given precedence over a policy with a + creation timestamp of "2021-07-15 01:02:04". + * The policy appearing first in alphabetical order by + {namespace}/{name}. 
+ For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. + + For any BackendTLSPolicy that does not take precedence, the + + implementation MUST ensure the `Accepted` Condition is set + to + + `status: False`, with Reason `Conflicted`. + + + Implementations SHOULD NOT support more than one targetRef + at this + + time. Although the API technically allows for this, the + current guidance + + for conflict resolution and status handling is lacking. + Until that can be + + clarified in a future release, the safest approach is to + support a single + + targetRef. + + + Support Levels: + + + * Extended: Kubernetes Service referenced by HTTPRoute + backendRefs. + + + * Implementation-Specific: Services not connected via + HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy + behavior is consistent, + + even outside of the extended HTTPRoute -(backendRef) -> + Service path. + + They SHOULD clearly document how BackendTLSPolicy is + interpreted in these + + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced + resource + + by default, but this default may change in the future to + provide + + a more granular application of the policy. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. 
For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when targetRefs includes 2 + or more references to the same target + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name ? 
+ ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when targetRefs includes 2 or + more references to the same target + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + validation: + description: Validation contains backend TLS validation configuration. + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more references to + Kubernetes objects that + + contain a PEM-encoded TLS CA certificate bundle, which + is used to + + validate a TLS handshake between the Gateway and backend + Pod. + + + If CACertificateRefs is empty or unspecified, then + WellKnownCACertificates must be + + specified. Only one of CACertificateRefs or + WellKnownCACertificates may be specified, + + not both. If CACertificateRefs is empty or unspecified, + the configuration for + + WellKnownCACertificates MUST be honored instead if + supported by the implementation. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be resolved (e.g., + the referenced resource + does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key + named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of + resource. In this case, the Reason + must be set to `InvalidKind` and the Message of the Condition must explain which + kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace. This may + change in future + spec updates. 
+ + Implementations MAY choose to perform further validation + of the certificate + + content (e.g., checking expiry or enforcing specific + formats). In such cases, + + an implementation-specific Reason and Message must be + set for the invalid reference. + + + In all cases, the implementation MUST ensure the + `ResolvedRefs` Condition on + + the BackendTLSPolicy is set to `status: False`, with a + Reason and Message + + that indicate the cause of the error. Connections using + an invalid + + CACertificateRef MUST fail, and the client MUST receive + an HTTP 5xx error + + response. If ALL CACertificateRefs are invalid, the + implementation MUST also + + ensure the `Accepted` Condition on the BackendTLSPolicy + is set to + + `status: False`, with a Reason `NoValidCACertificate`. + + + A single CACertificateRef to a Kubernetes ConfigMap kind + has "Core" support. + + Implementations MAY choose to support attaching multiple + certificates to + + a backend, but this behavior is implementation-specific. + + + Support: Core - An optional single reference to a + Kubernetes ConfigMap, + + with the CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More than one + reference, other kinds + + of resources, or a single reference that includes + multiple certificates. + items: + description: >- + LocalObjectReference identifies an API object within + the namespace of the + + referrer. + + The API object must be valid in the cluster; the Group + and Kind must + + be registered in the cluster for this reference to be + valid. + + + References to objects with invalid Group and Kind are + not valid, and must + + be rejected by the implementation, with appropriate + Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + hostname: + description: >- + Hostname is used for two purposes in the connection + between Gateways and + + backends: + + + 1. Hostname MUST be used as the SNI to connect to the + backend (RFC 6066). + + 2. Hostname MUST be used for authentication and MUST + match the certificate + served by the matching backend, unless SubjectAltNames is specified. + 3. If SubjectAltNames are specified, Hostname can be + used for certificate selection + but MUST NOT be used for authentication. If you want to use the value + of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + subjectAltNames: + description: >- + SubjectAltNames contains one or more Subject Alternative + Names. + + When specified the certificate served from the backend + MUST + + have at least one Subject Alternate Name matching one of + the specified SubjectAltNames. + + + Support: Extended + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: >- + Hostname contains Subject Alternative Name + specified in DNS name format. + + Required when Type is set to Hostname, ignored + otherwise. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: >- + Type determines the format of the Subject + Alternative Name. Always required. + + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: >- + URI contains Subject Alternative Name specified in + a full URI format. + + It MUST include both a scheme (e.g., "http" or + "ftp") and a scheme-specific-part. + + Common values include SPIFFE IDs like + "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + + Required when Type is set to URI, ignored + otherwise. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: >- + !(self.type == "Hostname" && (!has(self.hostname) + || self.hostname == "")) + - message: >- + SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: >- + !(self.type != "Hostname" && has(self.hostname) && + self.hostname != "") + - message: >- + SubjectAltName element must contain URI, if Type + is set to URI + rule: >- + !(self.type == "URI" && (!has(self.uri) || + self.uri == "")) + - message: >- + SubjectAltName element must not contain URI, if + Type is not set to URI + rule: >- + !(self.type != "URI" && has(self.uri) && self.uri + != "") + maxItems: 5 + type: array + x-kubernetes-list-type: atomic + wellKnownCACertificates: + description: >- + WellKnownCACertificates specifies whether a well-known + set of CA certificates + + may be used in the TLS handshake between the gateway and + backend pod. + + + If WellKnownCACertificates is unspecified or empty (""), + then CACertificateRefs + + must be specified with at least one entry for a valid + configuration. 
Only one of + + CACertificateRefs or WellKnownCACertificates may be + specified, not both. + + If an implementation does not support the + WellKnownCACertificates field, or + + the supplied value is not recognized, the implementation + MUST ensure the + + `Accepted` Condition on the BackendTLSPolicy is set to + `status: False`, with + + a Reason `Invalid`. + + + Valid values include: + + * "System" - indicates that well-known system CA + certificates should be used. + + + Implementations MAY define their own sets of CA + certificates. Such definitions + + MUST use an implementation-specific, prefixed name, such + as + + `mycompany.com/my-custom-ca-certificates`. + + + Support: Implementation-specific + maxLength: 253 + minLength: 1 + pattern: >- + ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ + type: string + required: + - hostname + type: object + x-kubernetes-validations: + - message: >- + must not contain both CACertificateRefs and + WellKnownCACertificates + rule: >- + !(has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 && + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + - message: >- + must specify either CACertificateRefs or + WellKnownCACertificates + rule: >- + (has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 || + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + required: + - targetRefs + - validation + type: object + status: + description: Status defines the current state of BackendTLSPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. 
When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. + Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. 
Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - deprecated: true + deprecationWarning: >- + The v1alpha3 version of BackendTLSPolicy has been deprecated and will be + removed in a future release of the API. Please upgrade to v1. 
+ name: v1alpha3 + schema: + openAPIV3Schema: + description: |- + BackendTLSPolicy provides a way to configure how a Gateway + connects to a Backend via TLS. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendTLSPolicy. + properties: + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in Gateway + API. This is used + + for validation of maps such as TLS options. This roughly + matches Kubernetes + + annotation validation, although the length validation in + that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable extended TLS + + configuration for each implementation. For example, + configuring the + + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in the + future. To avoid + + any ambiguity, implementation-specific definitions MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names defined by + Gateway API. 
+ + + Support: Implementation-specific + maxProperties: 16 + type: object + targetRefs: + description: >- + TargetRefs identifies an API object to apply the policy to. + + Note that this config applies to the entire referenced + resource + + by default, but this default may change in the future to + provide + + a more granular application of the policy. + + + TargetRefs must be _distinct_. This means either that: + + + * They select different targets. If this is the case, then + targetRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, and `name` must + be unique across all targetRef entries in the BackendTLSPolicy. + * They select different sectionNames in the same target. + + + When more than one BackendTLSPolicy selects the same target + and + + sectionName, implementations MUST determine precedence using + the + + following criteria, continuing on ties: + + + * The older policy by creation timestamp takes precedence. + For + example, a policy with a creation timestamp of "2021-07-15 + 01:02:03" MUST be given precedence over a policy with a + creation timestamp of "2021-07-15 01:02:04". + * The policy appearing first in alphabetical order by + {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. + + For any BackendTLSPolicy that does not take precedence, the + + implementation MUST ensure the `Accepted` Condition is set + to + + `status: False`, with Reason `Conflicted`. + + + Implementations SHOULD NOT support more than one targetRef + at this + + time. Although the API technically allows for this, the + current guidance + + for conflict resolution and status handling is lacking. + Until that can be + + clarified in a future release, the safest approach is to + support a single + + targetRef. + + + Support Levels: + + + * Extended: Kubernetes Service referenced by HTTPRoute + backendRefs. 
+ + + * Implementation-Specific: Services not connected via + HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy + behavior is consistent, + + even outside of the extended HTTPRoute -(backendRef) -> + Service path. + + They SHOULD clearly document how BackendTLSPolicy is + interpreted in these + + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced + resource + + by default, but this default may change in the future to + provide + + a more granular application of the policy. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. 
+ maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when targetRefs includes 2 + or more references to the same target + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when targetRefs includes 2 or + more references to the same target + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + validation: + description: Validation contains backend TLS validation configuration. 
+ properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more references to + Kubernetes objects that + + contain a PEM-encoded TLS CA certificate bundle, which + is used to + + validate a TLS handshake between the Gateway and backend + Pod. + + + If CACertificateRefs is empty or unspecified, then + WellKnownCACertificates must be + + specified. Only one of CACertificateRefs or + WellKnownCACertificates may be specified, + + not both. If CACertificateRefs is empty or unspecified, + the configuration for + + WellKnownCACertificates MUST be honored instead if + supported by the implementation. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be resolved (e.g., + the referenced resource + does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key + named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of + resource. In this case, the Reason + must be set to `InvalidKind` and the Message of the Condition must explain which + kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace. This may + change in future + spec updates. + + Implementations MAY choose to perform further validation + of the certificate + + content (e.g., checking expiry or enforcing specific + formats). In such cases, + + an implementation-specific Reason and Message must be + set for the invalid reference. + + + In all cases, the implementation MUST ensure the + `ResolvedRefs` Condition on + + the BackendTLSPolicy is set to `status: False`, with a + Reason and Message + + that indicate the cause of the error. Connections using + an invalid + + CACertificateRef MUST fail, and the client MUST receive + an HTTP 5xx error + + response. 
If ALL CACertificateRefs are invalid, the + implementation MUST also + + ensure the `Accepted` Condition on the BackendTLSPolicy + is set to + + `status: False`, with a Reason `NoValidCACertificate`. + + + A single CACertificateRef to a Kubernetes ConfigMap kind + has "Core" support. + + Implementations MAY choose to support attaching multiple + certificates to + + a backend, but this behavior is implementation-specific. + + + Support: Core - An optional single reference to a + Kubernetes ConfigMap, + + with the CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More than one + reference, other kinds + + of resources, or a single reference that includes + multiple certificates. + items: + description: >- + LocalObjectReference identifies an API object within + the namespace of the + + referrer. + + The API object must be valid in the cluster; the Group + and Kind must + + be registered in the cluster for this reference to be + valid. + + + References to objects with invalid Group and Kind are + not valid, and must + + be rejected by the implementation, with appropriate + Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + hostname: + description: >- + Hostname is used for two purposes in the connection + between Gateways and + + backends: + + + 1. Hostname MUST be used as the SNI to connect to the + backend (RFC 6066). + + 2. Hostname MUST be used for authentication and MUST + match the certificate + served by the matching backend, unless SubjectAltNames is specified. + 3. If SubjectAltNames are specified, Hostname can be + used for certificate selection + but MUST NOT be used for authentication. If you want to use the value + of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + subjectAltNames: + description: >- + SubjectAltNames contains one or more Subject Alternative + Names. + + When specified the certificate served from the backend + MUST + + have at least one Subject Alternate Name matching one of + the specified SubjectAltNames. + + + Support: Extended + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: >- + Hostname contains Subject Alternative Name + specified in DNS name format. + + Required when Type is set to Hostname, ignored + otherwise. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: >- + Type determines the format of the Subject + Alternative Name. Always required. + + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: >- + URI contains Subject Alternative Name specified in + a full URI format. + + It MUST include both a scheme (e.g., "http" or + "ftp") and a scheme-specific-part. 
+ + Common values include SPIFFE IDs like + "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + + Required when Type is set to URI, ignored + otherwise. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: >- + !(self.type == "Hostname" && (!has(self.hostname) + || self.hostname == "")) + - message: >- + SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: >- + !(self.type != "Hostname" && has(self.hostname) && + self.hostname != "") + - message: >- + SubjectAltName element must contain URI, if Type + is set to URI + rule: >- + !(self.type == "URI" && (!has(self.uri) || + self.uri == "")) + - message: >- + SubjectAltName element must not contain URI, if + Type is not set to URI + rule: >- + !(self.type != "URI" && has(self.uri) && self.uri + != "") + maxItems: 5 + type: array + x-kubernetes-list-type: atomic + wellKnownCACertificates: + description: >- + WellKnownCACertificates specifies whether a well-known + set of CA certificates + + may be used in the TLS handshake between the gateway and + backend pod. + + + If WellKnownCACertificates is unspecified or empty (""), + then CACertificateRefs + + must be specified with at least one entry for a valid + configuration. Only one of + + CACertificateRefs or WellKnownCACertificates may be + specified, not both. + + If an implementation does not support the + WellKnownCACertificates field, or + + the supplied value is not recognized, the implementation + MUST ensure the + + `Accepted` Condition on the BackendTLSPolicy is set to + `status: False`, with + + a Reason `Invalid`. + + + Valid values include: + + * "System" - indicates that well-known system CA + certificates should be used. 
+ + + Implementations MAY define their own sets of CA + certificates. Such definitions + + MUST use an implementation-specific, prefixed name, such + as + + `mycompany.com/my-custom-ca-certificates`. + + + Support: Implementation-specific + maxLength: 253 + minLength: 1 + pattern: >- + ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ + type: string + required: + - hostname + type: object + x-kubernetes-validations: + - message: >- + must not contain both CACertificateRefs and + WellKnownCACertificates + rule: >- + !(has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 && + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + - message: >- + must specify either CACertificateRefs or + WellKnownCACertificates + rule: >- + (has(self.caCertificateRefs) && + size(self.caCertificateRefs) > 0 || + has(self.wellKnownCACertificates) && + self.wellKnownCACertificates != "") + required: + - targetRefs + - validation + type: object + status: + description: Status defines the current state of BackendTLSPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. 
+ Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. 
For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. 
+ + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. 
+ properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/backendtrafficpolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/backendtrafficpolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..0cbc79e --- /dev/null +++ b/_/CustomResourceDefinition/backendtrafficpolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,4316 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: backendtrafficpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: BackendTrafficPolicy + listKind: BackendTrafficPolicyList + plural: backendtrafficpolicies + shortNames: + - btp + singular: backendtrafficpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + BackendTrafficPolicy allows the user to configure the behavior of + the connection + + between the Envoy Proxy listener and the backend service. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of BackendTrafficPolicy. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream connections and + requests. 
+ + If not set, circuit breakers will be enabled with the + default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy will + establish to the referenced backend defined within a + xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that Envoy will + make to the referenced backend defined within a xRoute + rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that Envoy will + make to the referenced backend defined within a xRoute + rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that Envoy will + queue to the referenced backend defined within a xRoute + rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy will make over + a single connection to the referenced backend defined + within a xRoute rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that will apply + per-endpoint for an upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum number of + connections that Envoy will establish per-endpoint + to the referenced backend defined within a xRoute + rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + compression: + description: |- + The compression config for the http streams. + Deprecated: Use Compressor instead. 
+ items: + description: >- + Compression defines the config of enabling compression. + + This can help reduce the bandwidth at the expense of + higher CPU. + properties: + brotli: + description: The configuration for Brotli compressor. + type: object + gzip: + description: The configuration for GZIP compressor. + type: object + minContentLength: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + MinContentLength defines the minimum response size in + bytes to apply compression. + + Responses smaller than this threshold will not be + compressed. + + Must be at least 30 bytes as enforced by Envoy Proxy. + + Note that when the suffix is not provided, the value + is interpreted as bytes. + + Default: 30 bytes + x-kubernetes-int-or-string: true + type: + description: >- + CompressorType defines the compressor type to use for + compression. + enum: + - Gzip + - Brotli + - Zstd + type: string + zstd: + description: The configuration for Zstd compressor. + type: object + required: + - type + type: object + type: array + compressor: + description: >- + The compressor config for the http streams. + + This provides more granular control over compression + configuration. + + Order matters: The first compressor in the list is preferred + when q-values in Accept-Encoding are equal. + items: + description: >- + Compression defines the config of enabling compression. + + This can help reduce the bandwidth at the expense of + higher CPU. + properties: + brotli: + description: The configuration for Brotli compressor. + type: object + gzip: + description: The configuration for GZIP compressor. 
+ type: object + minContentLength: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + MinContentLength defines the minimum response size in + bytes to apply compression. + + Responses smaller than this threshold will not be + compressed. + + Must be at least 30 bytes as enforced by Envoy Proxy. + + Note that when the suffix is not provided, the value + is interpreted as bytes. + + Default: 30 bytes + x-kubernetes-int-or-string: true + type: + description: >- + CompressorType defines the compressor type to use for + compression. + enum: + - Gzip + - Brotli + - Zstd + type: string + zstd: + description: The configuration for Zstd compressor. + type: object + required: + - type + type: object + type: array + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the cluster’s + connections read and write buffers. + + BufferLimit applies to connection streaming (maybe + non-streaming) channel between processes, it's in user + space. + + If unspecified, an implementation defined default is + applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not provided, the value is + interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream connections to + reduce latency by establishing + + connections before they’re needed and avoiding + connection establishment overhead. 
+ + + If unset, Envoy will fetch connections as needed to + serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many additional + connections to maintain per + + upstream endpoint, useful for high-QPS or latency + sensitive services. Expressed as a + + percentage of the connections required by active + streams + + (e.g. 100 = preconnect disabled, 105 = 1.05x + connections per-endpoint, 200 = 2.00×). + + + Allowed value range is between 100-300. When both + PerEndpointPercent and + + PredictivePercent are set, Envoy ensures both are + satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many additional + connections to maintain + + across the cluster by anticipating which upstream + endpoint the load balancer + + will select next, useful for low-QPS services. + Relies on deterministic + + loadbalancing and is only supported with Random or + RoundRobin. + + Expressed as a percentage of the connections + required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× + connections across the cluster, 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent are + + set Envoy ensures both are satisfied per host (max + of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for the maximum + buffer size in bytes for each socket + + to backend. + + SocketBufferLimit applies to socket streaming channel + between TCP/IP stacks, it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. 
+ + Note that when the suffix is not provided, the value is + interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which DNS records + should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would resolve DNS for + Routes where the backend is specified as a fully + qualified domain name (FQDN). + + If set, this configuration overrides other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS Time-To-Live + (TTL) should be respected. + + If the value is set to true, the DNS refresh rate will + be set to the resource record’s TTL. + + Defaults to true. + type: boolean + type: object + faultInjection: + description: >- + FaultInjection defines the fault injection policy to be + applied. This configuration can be used to + + inject delays and abort requests to mimic failure scenarios + such as service failures and overloads + properties: + abort: + description: >- + If specified, the request will be aborted if it meets + the configuration criteria. + properties: + grpcStatus: + description: >- + GrpcStatus specifies the GRPC status code to be + returned + format: int32 + type: integer + httpStatus: + description: >- + StatusCode specifies the HTTP status code to be + returned + format: int32 + maximum: 600 + minimum: 200 + type: integer + percentage: + default: 100 + description: >- + Percentage specifies the percentage of requests to + be aborted. Default 100%, if set 0, no requests will + be aborted. Accuracy to 0.0001%. + type: number + type: object + x-kubernetes-validations: + - message: >- + httpStatus and grpcStatus cannot be simultaneously + defined. 
+ rule: ' !(has(self.httpStatus) && has(self.grpcStatus)) ' + - message: httpStatus and grpcStatus are set at least one. + rule: ' has(self.httpStatus) || has(self.grpcStatus) ' + delay: + description: If specified, a delay will be injected into the request. + properties: + fixedDelay: + description: FixedDelay specifies the fixed delay duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + percentage: + default: 100 + description: >- + Percentage specifies the percentage of requests to + be delayed. Default 100%, if set 0, no requests will + be delayed. Accuracy to 0.0001%. + type: number + required: + - fixedDelay + type: object + type: object + x-kubernetes-validations: + - message: Delay and abort faults are set at least one. + rule: ' has(self.delay) || has(self.abort) ' + healthCheck: + description: >- + HealthCheck allows gateway to perform active health checking + on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the GRPC health + checker. + + It's optional, and can only be used if the specified + type is GRPC. + properties: + service: + description: >- + Service to send in the health check request. + + If this is not specified, then the health check + request applies to the entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of healthy + health checks required before a backend host is + marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http health + checker. + + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP expected + responses to match. + properties: + binary: + description: Binary payload base64 encoded. 
+ format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field needs to + be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) : + !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP response + statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header used for + active HTTP health checks. + + Host selection uses this order: this field, the + associated Backend endpoint + + hostname if available, then the effective Route + hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for health + checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time Envoy will + wait before the first health check. + + Envoy will randomly select a value between 0 and the + initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active health + checks. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines the expected response payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field needs to + be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) : + !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field needs to + be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) : + !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a health check + response. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of unhealthy + health checks required before a backend host is + marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http field needs to + be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field needs to be + set. + rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: >- + The grpc field can only be set if the Health Checker + type is GRPC. + rule: 'has(self.grpc) ? self.type == ''GRPC'' : true' + panicThreshold: + description: >- + When number of unhealthy endpoints for a backend reaches + this threshold + + Envoy will disregard health status and balance across + all endpoints. + + It's designed to prevent a situation in which host + failures cascade throughout the cluster + + as load increases. If not set, the default value is 50%. + To disable panic mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base duration for which + a host will be ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of consecutive + 5xx errors triggering ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number of + consecutive gateway errors triggering ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the number of + consecutive local origin failures triggering + ejection. + + Parameter takes effect only when + split_external_local_origin_errors is set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the failure + percentage threshold for outlier detection. + + If the failure percentage of a given host is greater + than or equal to this value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between passive health + checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum percentage of + hosts in a cluster that can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables splitting of + errors between external and local origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration for backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial window size + for HTTP/2 connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial window size for + HTTP/2 streams. + + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number of + concurrent streams allowed per connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will terminate the + connection or just the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy deployments to set this + value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + httpUpgrade: + description: >- + HTTPUpgrade defines the configuration for HTTP protocol + upgrades. + + If not specified, the default upgrade + configuration(websocket) will be used. + items: + description: >- + ProtocolUpgradeConfig specifies the configuration for + protocol upgrades. + properties: + connect: + description: >- + Connect specifies the configuration for the CONNECT + config. + + This is allowed only when type is CONNECT. + properties: + terminate: + description: >- + Terminate the CONNECT request, and forwards the + payload as raw TCP data. + type: boolean + type: object + type: + description: |- + Type is the case-insensitive type of protocol upgrade. + e.g. `websocket`, `CONNECT`, `spdy/3.1` etc. 
+ type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + The connect configuration is only allowed when the + type is CONNECT. + rule: '!has(self.connect) || self.type == ''CONNECT''' + type: array + loadBalancer: + description: >- + LoadBalancer policy to apply when routing traffic from the + gateway to + + the backend endpoints. Defaults to `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration when the load + balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy when the + consistent hash type is set to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the generated + cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the request, + Envoy will generate a cookie and set + + the TTL on the response back to the client based + on Layer 4 + + attributes of the backend endpoint, to ensure + that these future requests + + go to the same backend endpoint. Make sure to + set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the cookie is not + present. This value sets the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy when the + consistent hash type is set to Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash policy for each + header, when the consistent hash type is set to + Headers. 
+ items: + description: >- + Header defines the header hashing configuration + for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query parameter hash + policy when the consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter name + hashing configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, must be prime + number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of input to hash + on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the header field + must be set. + rule: >- + self.type == 'Header' ? has(self.header) : + !has(self.header) + - message: >- + If consistent hash type is headers, the headers + field must be set. + rule: >- + self.type == 'Headers' ? has(self.headers) : + !has(self.headers) + - message: >- + If consistent hash type is cookie, the cookie field + must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) : + !has(self.cookie) + - message: >- + If consistent hash type is queryParams, the + queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration for endpoint + override. 
+ + When specified, the load balancer will attempt to route + requests to endpoints + + based on the override information extracted from request + headers or metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to extract endpoint + override information from. + items: + description: >- + EndpointOverrideExtractFrom defines a source to + extract endpoint override information from. + properties: + header: + description: >- + Header defines the header to get the override + endpoint addresses. + + The header value must specify at least one + endpoint in `IP:Port` format or multiple + endpoints in `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related to the slow + start load balancer policy. + + If set, during slow start window, traffic sent to the + newly added hosts will gradually increase. + + Currently this is only supported for RoundRobin and + LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm up period + for newly added host. + + During slow start window, traffic sent to the newly + added hosts will gradually increase. + + Currently only supports linear growth of traffic. + For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. 
+ Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related to the + distribution of requests between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware routing to + prefer sending traffic to the local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override configuration + for forcing all traffic to stay within the local + zone instead of the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much traffic + as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the minimum + number of upstream endpoints in the local + zone required to honor the forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum number of + total upstream endpoints across all zones + required to enable zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that will be + considered for zone aware routing if zone aware + routing is configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, consistentHash + field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? has(self.consistentHash) + : !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for RoundRobin and + LeastRequest load balancers. 
+ rule: >- + self.type in ['Random', 'ConsistentHash'] ? + !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for LeastRequest, + Random, and RoundRobin load balancers. + rule: >- + self.type == 'ConsistentHash' ? !has(self.zoneAware) : + true + mergeType: + description: >- + MergeType determines how this configuration is merged with + existing BackendTrafficPolicy + + configurations targeting a parent resource. When set, this + configuration will be merged + + into a parent BackendTrafficPolicy (i.e. the one targeting a + Gateway or Listener). + + This field cannot be set when targeting a parent resource + (Gateway). + + If unset, no merging occurs, and only the most specific + configuration takes effect. + type: string + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when communicating + with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + rateLimit: + description: >- + RateLimit allows the user to limit the number of incoming + requests + + to a predefined value based on attributes within the traffic + flow. + properties: + global: + description: Global defines global rate limit configuration. + properties: + rules: + description: >- + Rules are a list of RateLimit selectors and limits. + Each rule and its + + associated limit is applied in a mutually exclusive + way. If a request + + matches multiple rules, each of their associated + limits get applied, so a + + single request might increase the rate limit + counters for multiple rules + + if selected. The rate limit service will return a + logical OR of the individual + + rate limit decisions of all matching rules. For + example, if a request + + matches two rules, one rate limited and one not, the + final decision will be + + to rate limit the request. 
+ items: + description: >- + RateLimitRule defines the semantics for matching + attributes + + from the incoming requests, and setting limits for + them. + properties: + clientSelectors: + description: >- + ClientSelectors holds the list of select + conditions to select + + specific clients using attributes from the + traffic flow. + + All individual select conditions must hold + True for this rule + + and its limit to be applied. + + + If no client selectors are specified, the rule + applies to all traffic of + + the targeted Route. + + + If the policy targets a Gateway, the rule + applies to each Route of the Gateway. + + Please note that each Route has its own rate + limit counters. For example, + + if a Gateway has two Routes, and the policy + has a rule with limit 10rps, + + each Route will have its own 10rps limit. + items: + description: >- + RateLimitSelectCondition specifies the + attributes within the traffic flow that can + + be used to select a subset of clients to be + ratelimited. + + All the individual conditions must hold True + for the overall condition to hold True. + + And, at least one of headers or methods or + path or sourceCIDR or queryParams condition + must be specified. + properties: + headers: + description: >- + Headers is a list of request headers to + match. Multiple header values are ANDed + together, + + meaning, a request MUST match all the + specified headers. + items: + description: >- + HeaderMatch defines the match attributes + within the HTTP Headers of the request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the header. + type: boolean + name: + description: >- + Name of the HTTP header. + + The header name is case-insensitive + unless PreserveHeaderCase is set to + true. + + For example, "Foo" and "foo" are + considered the same header. 
+ maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. + enum: + - Exact + - RegularExpression + - Distinct + type: string + value: + description: >- + Value within the HTTP header. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the header. + maxLength: 1024 + type: string + required: + - name + type: object + maxItems: 16 + type: array + methods: + description: >- + Methods is a list of request methods to + match. Multiple method values are ORed + together, + + meaning, a request can match any one of + the specified methods. If not specified, + it matches all methods. + items: + description: >- + MethodMatch defines the matching + criteria for the HTTP method of a + request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + type: boolean + value: + description: Value specifies the HTTP method. + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + required: + - value + type: object + type: array + path: + description: >- + Path is the request path to match. + + Support Exact, PathPrefix and + RegularExpression match types. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + type: boolean + type: + default: PathPrefix + description: >- + Type specifies how to match against the + value of the path. + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value specifies the HTTP path. + maxLength: 1024 + type: string + required: + - value + type: object + queryParams: + description: >- + QueryParams is a list of query + parameters to match. 
Multiple query + parameter values are ANDed together, + + meaning, a request MUST match all the + specified query parameters. + items: + description: >- + QueryParamMatch defines the match + attributes within the query parameters + of the request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the query parameter. + type: boolean + name: + description: Name of the query parameter. + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the query parameter. + enum: + - Exact + - RegularExpression + - Distinct + type: string + value: + description: >- + Value of the query parameter. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the query parameter. + maxLength: 1024 + type: string + required: + - name + type: object + maxItems: 16 + type: array + sourceCIDR: + description: >- + SourceCIDR is the client IP Address + range to match on. + properties: + type: + default: Exact + enum: + - Exact + - Distinct + type: string + value: + description: >- + Value is the IP CIDR that represents the + range of Source IP Addresses of the + client. + + These could also be the intermediate + addresses through which the request has + flown through and is part of the + `X-Forwarded-For` header. + + For example, `192.168.0.1/32`, + `192.168.0.0/24`, `001:db8::/64`. 
+ maxLength: 256 + minLength: 1 + type: string + required: + - value + type: object + type: object + x-kubernetes-validations: + - message: >- + at least one of headers, methods, path, + sourceCIDR or queryParams must be + specified + rule: >- + has(self.headers) || has(self.methods) + || has(self.path) || + has(self.sourceCIDR) || + has(self.queryParams) + maxItems: 8 + type: array + cost: + description: >- + Cost specifies the cost of requests and + responses for the rule. + + + This is optional and if not specified, the + default behavior is to reduce the rate limit + counters by 1 on + + the request path and do not reduce the rate + limit counters on the response path. + properties: + request: + description: >- + Request specifies the number to reduce the + rate limit counters + + on the request path. If this is not + specified, the default behavior + + is to reduce the rate limit counters by 1. + + + When Envoy receives a request that matches + the rule, it tries to reduce the + + rate limit counters by the specified + number. If the counter doesn't have + + enough capacity, the request is rate + limited. + properties: + from: + description: >- + From specifies where to get the rate + limit cost. Currently, only "Number" and + "Metadata" are supported. + enum: + - Number + - Metadata + type: string + metadata: + description: >- + Metadata specifies the per-request + metadata to retrieve the usage number + from. + properties: + key: + description: >- + Key is the key to retrieve the usage + number from the filter metadata. + type: string + namespace: + description: >- + Namespace is the namespace of the + dynamic metadata. + type: string + required: + - key + - namespace + type: object + number: + description: >- + Number specifies the fixed usage number + to reduce the rate limit counters. + + Using zero can be used to only check the + rate limit counters without reducing + them. 
+ format: int64 + type: integer + required: + - from + type: object + x-kubernetes-validations: + - message: >- + only one of number or metadata can be + specified + rule: >- + !(has(self.number) && + has(self.metadata)) + response: + description: >- + Response specifies the number to reduce + the rate limit counters + + after the response is sent back to the + client or the request stream is closed. + + + The cost is used to reduce the rate limit + counters for the matching requests. + + Since the reduction happens after the + request stream is complete, the rate limit + + won't be enforced for the current request, + but for the subsequent matching requests. + + + This is optional and if not specified, the + rate limit counters are not reduced + + on the response path. + + + Currently, this is only supported for HTTP + Global Rate Limits. + properties: + from: + description: >- + From specifies where to get the rate + limit cost. Currently, only "Number" and + "Metadata" are supported. + enum: + - Number + - Metadata + type: string + metadata: + description: >- + Metadata specifies the per-request + metadata to retrieve the usage number + from. + properties: + key: + description: >- + Key is the key to retrieve the usage + number from the filter metadata. + type: string + namespace: + description: >- + Namespace is the namespace of the + dynamic metadata. + type: string + required: + - key + - namespace + type: object + number: + description: >- + Number specifies the fixed usage number + to reduce the rate limit counters. + + Using zero can be used to only check the + rate limit counters without reducing + them. + format: int64 + type: integer + required: + - from + type: object + x-kubernetes-validations: + - message: >- + only one of number or metadata can be + specified + rule: >- + !(has(self.number) && + has(self.metadata)) + type: object + limit: + description: >- + Limit holds the rate limit values. 
+ + This limit is applied for traffic flows when + the selectors + + compute to True, causing the request to be + counted towards the limit. + + The limit is enforced and the request is + ratelimited, i.e. a response with + + 429 HTTP status code is sent back to the + client when + + the selected requests have reached the limit. + properties: + requests: + type: integer + unit: + description: >- + RateLimitUnit specifies the intervals for + setting rate limits. + + Valid RateLimitUnit values are "Second", + "Minute", "Hour", "Day", "Month" and + "Year". + enum: + - Second + - Minute + - Hour + - Day + - Month + - Year + type: string + required: + - requests + - unit + type: object + shadowMode: + description: >- + ShadowMode indicates whether this rate-limit + rule runs in shadow mode. + + When enabled, all rate-limiting operations are + performed (cache lookups, + + counter updates, telemetry generation), but + the outcome is never enforced. + + The request always succeeds, even if the + configured limit is exceeded. + + + Only supported for Global Rate Limits. + type: boolean + shared: + description: >- + Shared determines whether this rate limit rule + applies across all the policy targets. + + If set to true, the rule is treated as a + common bucket and is shared across all policy + targets (xRoutes). + + Default: false. + type: boolean + required: + - limit + type: object + maxItems: 128 + type: array + required: + - rules + type: object + local: + description: Local defines local rate limit configuration. + properties: + rules: + description: >- + Rules are a list of RateLimit selectors and limits. + If a request matches + + multiple rules, the strictest limit is applied. For + example, if a request + + matches two rules, one with 10rps and one with + 20rps, the final limit will + + be based on the rule with 10rps. 
+ items: + description: >- + RateLimitRule defines the semantics for matching + attributes + + from the incoming requests, and setting limits for + them. + properties: + clientSelectors: + description: >- + ClientSelectors holds the list of select + conditions to select + + specific clients using attributes from the + traffic flow. + + All individual select conditions must hold + True for this rule + + and its limit to be applied. + + + If no client selectors are specified, the rule + applies to all traffic of + + the targeted Route. + + + If the policy targets a Gateway, the rule + applies to each Route of the Gateway. + + Please note that each Route has its own rate + limit counters. For example, + + if a Gateway has two Routes, and the policy + has a rule with limit 10rps, + + each Route will have its own 10rps limit. + items: + description: >- + RateLimitSelectCondition specifies the + attributes within the traffic flow that can + + be used to select a subset of clients to be + ratelimited. + + All the individual conditions must hold True + for the overall condition to hold True. + + And, at least one of headers or methods or + path or sourceCIDR or queryParams condition + must be specified. + properties: + headers: + description: >- + Headers is a list of request headers to + match. Multiple header values are ANDed + together, + + meaning, a request MUST match all the + specified headers. + items: + description: >- + HeaderMatch defines the match attributes + within the HTTP Headers of the request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the header. + type: boolean + name: + description: >- + Name of the HTTP header. + + The header name is case-insensitive + unless PreserveHeaderCase is set to + true. + + For example, "Foo" and "foo" are + considered the same header. 
+ maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. + enum: + - Exact + - RegularExpression + - Distinct + type: string + value: + description: >- + Value within the HTTP header. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the header. + maxLength: 1024 + type: string + required: + - name + type: object + maxItems: 16 + type: array + methods: + description: >- + Methods is a list of request methods to + match. Multiple method values are ORed + together, + + meaning, a request can match any one of + the specified methods. If not specified, + it matches all methods. + items: + description: >- + MethodMatch defines the matching + criteria for the HTTP method of a + request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + type: boolean + value: + description: Value specifies the HTTP method. + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + required: + - value + type: object + type: array + path: + description: >- + Path is the request path to match. + + Support Exact, PathPrefix and + RegularExpression match types. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + type: boolean + type: + default: PathPrefix + description: >- + Type specifies how to match against the + value of the path. + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value specifies the HTTP path. + maxLength: 1024 + type: string + required: + - value + type: object + queryParams: + description: >- + QueryParams is a list of query + parameters to match. 
Multiple query + parameter values are ANDed together, + + meaning, a request MUST match all the + specified query parameters. + items: + description: >- + QueryParamMatch defines the match + attributes within the query parameters + of the request. + properties: + invert: + default: false + description: >- + Invert specifies whether the value match + result will be inverted. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the query parameter. + type: boolean + name: + description: Name of the query parameter. + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the query parameter. + enum: + - Exact + - RegularExpression + - Distinct + type: string + value: + description: >- + Value of the query parameter. + + Do not set this field when + Type="Distinct", implying matching on + any/all unique + + values within the query parameter. + maxLength: 1024 + type: string + required: + - name + type: object + maxItems: 16 + type: array + sourceCIDR: + description: >- + SourceCIDR is the client IP Address + range to match on. + properties: + type: + default: Exact + enum: + - Exact + - Distinct + type: string + value: + description: >- + Value is the IP CIDR that represents the + range of Source IP Addresses of the + client. + + These could also be the intermediate + addresses through which the request has + flown through and is part of the + `X-Forwarded-For` header. + + For example, `192.168.0.1/32`, + `192.168.0.0/24`, `001:db8::/64`. 
+ maxLength: 256 + minLength: 1 + type: string + required: + - value + type: object + type: object + x-kubernetes-validations: + - message: >- + at least one of headers, methods, path, + sourceCIDR or queryParams must be + specified + rule: >- + has(self.headers) || has(self.methods) + || has(self.path) || + has(self.sourceCIDR) || + has(self.queryParams) + maxItems: 8 + type: array + cost: + description: >- + Cost specifies the cost of requests and + responses for the rule. + + + This is optional and if not specified, the + default behavior is to reduce the rate limit + counters by 1 on + + the request path and do not reduce the rate + limit counters on the response path. + properties: + request: + description: >- + Request specifies the number to reduce the + rate limit counters + + on the request path. If this is not + specified, the default behavior + + is to reduce the rate limit counters by 1. + + + When Envoy receives a request that matches + the rule, it tries to reduce the + + rate limit counters by the specified + number. If the counter doesn't have + + enough capacity, the request is rate + limited. + properties: + from: + description: >- + From specifies where to get the rate + limit cost. Currently, only "Number" and + "Metadata" are supported. + enum: + - Number + - Metadata + type: string + metadata: + description: >- + Metadata specifies the per-request + metadata to retrieve the usage number + from. + properties: + key: + description: >- + Key is the key to retrieve the usage + number from the filter metadata. + type: string + namespace: + description: >- + Namespace is the namespace of the + dynamic metadata. + type: string + required: + - key + - namespace + type: object + number: + description: >- + Number specifies the fixed usage number + to reduce the rate limit counters. + + Using zero can be used to only check the + rate limit counters without reducing + them. 
+ format: int64 + type: integer + required: + - from + type: object + x-kubernetes-validations: + - message: >- + only one of number or metadata can be + specified + rule: >- + !(has(self.number) && + has(self.metadata)) + response: + description: >- + Response specifies the number to reduce + the rate limit counters + + after the response is sent back to the + client or the request stream is closed. + + + The cost is used to reduce the rate limit + counters for the matching requests. + + Since the reduction happens after the + request stream is complete, the rate limit + + won't be enforced for the current request, + but for the subsequent matching requests. + + + This is optional and if not specified, the + rate limit counters are not reduced + + on the response path. + + + Currently, this is only supported for HTTP + Global Rate Limits. + properties: + from: + description: >- + From specifies where to get the rate + limit cost. Currently, only "Number" and + "Metadata" are supported. + enum: + - Number + - Metadata + type: string + metadata: + description: >- + Metadata specifies the per-request + metadata to retrieve the usage number + from. + properties: + key: + description: >- + Key is the key to retrieve the usage + number from the filter metadata. + type: string + namespace: + description: >- + Namespace is the namespace of the + dynamic metadata. + type: string + required: + - key + - namespace + type: object + number: + description: >- + Number specifies the fixed usage number + to reduce the rate limit counters. + + Using zero can be used to only check the + rate limit counters without reducing + them. + format: int64 + type: integer + required: + - from + type: object + x-kubernetes-validations: + - message: >- + only one of number or metadata can be + specified + rule: >- + !(has(self.number) && + has(self.metadata)) + type: object + limit: + description: >- + Limit holds the rate limit values. 
+ + This limit is applied for traffic flows when + the selectors + + compute to True, causing the request to be + counted towards the limit. + + The limit is enforced and the request is + ratelimited, i.e. a response with + + 429 HTTP status code is sent back to the + client when + + the selected requests have reached the limit. + properties: + requests: + type: integer + unit: + description: >- + RateLimitUnit specifies the intervals for + setting rate limits. + + Valid RateLimitUnit values are "Second", + "Minute", "Hour", "Day", "Month" and + "Year". + enum: + - Second + - Minute + - Hour + - Day + - Month + - Year + type: string + required: + - requests + - unit + type: object + shadowMode: + description: >- + ShadowMode indicates whether this rate-limit + rule runs in shadow mode. + + When enabled, all rate-limiting operations are + performed (cache lookups, + + counter updates, telemetry generation), but + the outcome is never enforced. + + The request always succeeds, even if the + configured limit is exceeded. + + + Only supported for Global Rate Limits. + type: boolean + shared: + description: >- + Shared determines whether this rate limit rule + applies across all the policy targets. + + If set to true, the rule is treated as a + common bucket and is shared across all policy + targets (xRoutes). + + Default: false. + type: boolean + required: + - limit + type: object + maxItems: 16 + type: array + x-kubernetes-validations: + - message: >- + response cost is not supported for Local Rate + Limits + rule: >- + self.all(foo, !has(foo.cost) || + !has(foo.cost.response)) + - message: >- + shadow mode is not supported for Local Rate + Limits + rule: self.all(foo, !has(foo.shadowMode)) + type: object + type: + description: >- + Type decides the scope for the RateLimits. + + Valid RateLimitType values are "Global" or "Local". + + + Deprecated: Use Global and/or Local fields directly + instead. Both can be specified simultaneously for + combined rate limiting. 
+ enum: + - Global + - Local + type: string + type: object + requestBuffer: + description: >- + RequestBuffer allows the gateway to buffer and fully receive + each request from a client before continuing to send the + request + + upstream to the backends. This can be helpful to shield your + backend servers from slow clients, and also to enforce a + maximum size per request + + as any requests larger than the buffer size will be + rejected. + + + This can have a negative performance impact so should only + be enabled when necessary. + + + When enabling this option, you should also configure your + connection buffer size to account for these request buffers. + There will also be an + + increase in memory usage for Envoy that should be accounted + for in your deployment settings. + properties: + limit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + Limit specifies the maximum allowed size in bytes for + each incoming request buffer. + + If exceeded, the request will be rejected with HTTP 413 + Content Too Large. + + + Accepts values in resource.Quantity format (e.g., + "10Mi", "500Ki"). + x-kubernetes-int-or-string: true + type: object + responseOverride: + description: >- + ResponseOverride defines the configuration to override + specific responses with a custom one. + + If multiple configurations are specified, the first one to + match wins. + items: + description: >- + ResponseOverride defines the configuration to override + specific responses with a custom one. + properties: + match: + description: Match configuration. + properties: + statusCodes: + description: >- + Status code to match on. The match evaluates to + true if any of the matches are successful. + items: + description: >- + StatusCodeMatch defines the configuration for + matching a status code. 
+ properties: + range: + description: Range contains the range of status codes. + properties: + end: + description: >- + End of the range, including the end + value. + type: integer + start: + description: >- + Start of the range, including the start + value. + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: end must be greater than start + rule: self.end > self.start + type: + allOf: + - enum: + - Value + - Range + - enum: + - Value + - Range + default: Value + description: >- + Type is the type of value. + + Valid values are Value and Range, default is + Value. + type: string + value: + description: Value contains the value of the status code. + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: value must be set for type Value + rule: >- + (!has(self.type) || self.type == 'Value')? + has(self.value) : true + - message: range must be set for type Range + rule: >- + (has(self.type) && self.type == 'Range')? + has(self.range) : true + maxItems: 50 + minItems: 1 + type: array + required: + - statusCodes + type: object + redirect: + description: Redirect configuration + properties: + hostname: + description: >- + Hostname is the hostname to be used in the value + of the `Location` + + header in the response. + + When empty, the hostname in the `Host` header of + the request is used. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify the path of + the incoming request. + + The modified path is then used to construct the + `Location` header. When + + empty, the request path is used as-is. + + Only ReplaceFullPath path modifier is supported + currently. + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with which + to replace the full path + + of a request during a rewrite or redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value with + which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of "/foo" + and a ReplacePrefixMatch + + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the + PathPrefix match type. This + + matches full path elements. A path element + refers to the list of labels + + in the path split by the `/` separator. When + specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path `/abcd` + would not. + + + ReplacePrefixMatch is only compatible with a + `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on the + same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | + Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not cause + a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + only ReplaceFullPath is supported for + path.type + rule: self.type == 'ReplaceFullPath' + - message: >- + replaceFullPath must be specified when type is + set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? 
+ has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified when type + is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type == + 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value of the + `Location` + + header in the response. + + + If redirect scheme is not-empty, the well-known + port associated with the redirect scheme will be + used. + + Specifically "http" to port 80 and "https" to port + 443. If the redirect scheme does not have a + + well-known port or redirect scheme is empty, the + listener port of the Gateway will be used. + + + Port will not be added in the 'Location' header if + scheme is HTTP and port is 80 + + or scheme is HTTPS and port is 443. + format: int32 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the value of + the `Location` header in + + the response. When empty, the scheme of the + request is used. + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be used in + response. + enum: + - 301 + - 302 + type: integer + type: object + response: + description: Response configuration. + properties: + body: + description: >- + Body of the Custom Response + + Supports Envoy command operators for dynamic + content (see + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators). + properties: + inline: + description: Inline contains the value as an inline string. 
+ type: string + type: + allOf: + - enum: + - Inline + - ValueRef + - enum: + - Inline + - ValueRef + default: Inline + description: >- + Type is the type of method to use to read the + body value. + + Valid values are Inline and ValueRef, default + is Inline. + type: string + valueRef: + description: >- + ValueRef contains the contents of the body + + specified as a local object reference. + + Only a reference to ConfigMap is supported. + + + The value of key `response.body` in the + ConfigMap will be used as the response body. + + If the key is not found, the first value in + the ConfigMap will be used. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: inline must be set for type Inline + rule: >- + (!has(self.type) || self.type == 'Inline')? + has(self.inline) : true + - message: valueRef must be set for type ValueRef + rule: >- + (has(self.type) && self.type == 'ValueRef')? + has(self.valueRef) : true + - message: only ConfigMap is supported for ValueRef + rule: >- + has(self.valueRef) ? self.valueRef.kind == + 'ConfigMap' : true + contentType: + description: >- + Content Type of the response. This will be set in + the Content-Type header. + type: string + header: + description: >- + Header defines headers to add, set or remove from + the response. 
+ + This allows the response policy to append, add or + override headers + + of the final response before it is sent to a + downstream client. + + Note: Header removal is not supported for + responseOverride. + properties: + add: + description: >- + Add adds the given header(s) (name, value) to + the request + + before the action. It appends to any existing + values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + x-kubernetes-validations: + - message: >- + Remove is not supported for header in + CustomResponse + rule: '!has(self.remove) || size(self.remove) == 0' + statusCode: + description: >- + Status Code of the Custom Response + + If unset, does not override the status of + response. 
+ type: integer + type: object + required: + - match + type: object + x-kubernetes-validations: + - message: exactly one of response or redirect must be specified + rule: >- + (has(self.response) && !has(self.redirect)) || + (!has(self.response) && has(self.redirect)) + type: array + retry: + description: >- + Retry provides more advanced usage, allowing users to + customize the number of retries, retry fallback strategy, + and retry triggering conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of requests + (initial attempt + retries) + + that should be sent to the same priority before + switching to a different one. + + If not specified or set to 0, all requests are sent to + the highest priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be attempted. + Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied per retry + attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be applied per + retry attempt. gateway uses a fully jittered + exponential + + back-off algorithm for retries. For additional + details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval between + retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval between + retries. This parameter is optional, but must be + greater than or equal to the base_interval if + set. 
+ + The default is 10 times the base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: Timeout is the timeout per retry attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http status codes to + be retried. + + The retriable-status-codes trigger must also be + configured for these status codes to trigger a + retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions that trigger + retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + routingType: + description: >- + RoutingType can be set to "Service" to use the Service + Cluster IP for routing to the backend, + + or it can be set to "Endpoint" to use Endpoint routing. + + When specified, this overrides the EnvoyProxy-level setting + for the relevant targeRefs. + + If not specified, the EnvoyProxy-level setting is used. + type: string + targetRef: + description: >- + TargetRef is the name of the resource this policy is being + attached to. 
+ + This policy and the TargetRef MUST be in the same namespace + for this + + Policy to have effect + + + Deprecated: use targetRefs/targetSelectors instead + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire resource. + In the following + + resources, SectionName is interpreted as the following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on the + targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + targetRefs: + description: >- + TargetRefs are the names of the Gateway resources this + policy + + is being attached to. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. 
+ + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + type: array + targetSelectors: + description: >- + TargetSelectors allow targeting resources for this policy + based on labels + items: + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group that this selector targets. + Defaults to gateway.networking.k8s.io + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the resource kind that this selector targets. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + matchExpressions: + description: >- + MatchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector applies + to. + type: string + operator: + description: >- + operator represents a key's relationship to a + set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + MatchLabels are the set of label selectors for + identifying the targeted resource + type: object + required: + - kind + type: object + x-kubernetes-validations: + - message: group must be gateway.networking.k8s.io + rule: >- + has(self.group) ? self.group == + 'gateway.networking.k8s.io' : true + type: array + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the upstream client + connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle before + keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to send before + deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + telemetry: + description: >- + Telemetry configures the telemetry settings for the policy + target (Gateway or xRoute). + + This will override the telemetry settings in the EnvoyProxy + resource. + properties: + metrics: + description: >- + Metrics defines metrics configuration for the backend or + Route. + properties: + routeStatName: + description: >- + RouteStatName defines the value of the Route + stat_prefix, determining how the route stats are + named. + + For more details, see envoy docs: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-route + + The supported operators for this pattern are: + + %ROUTE_NAME%: name of Gateway API xRoute resource + + %ROUTE_NAMESPACE%: namespace of Gateway API xRoute + resource + + %ROUTE_KIND%: kind of Gateway API xRoute resource + + Example: %ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME% + => httproute/my-ns/my-route + + Disabled by default. + type: string + type: object + tracing: + description: >- + Tracing configures the tracing settings for the backend + or HTTPRoute. + + + This takes precedence over EnvoyProxy tracing when set. + properties: + customTags: + additionalProperties: + properties: + environment: + description: >- + Environment adds value from environment + variable to each span. + + It's required when the type is "Environment". + properties: + defaultValue: + description: >- + DefaultValue defines the default value to + use if the environment variable is not + set. + type: string + name: + description: >- + Name defines the name of the environment + variable which to extract the value from. 
+ type: string + required: + - name + type: object + literal: + description: |- + Literal adds hard-coded value to each span. + It's required when the type is "Literal". + properties: + value: + description: >- + Value defines the hard-coded value to add + to each span. + type: string + required: + - value + type: object + requestHeader: + description: >- + RequestHeader adds value from request header + to each span. + + It's required when the type is + "RequestHeader". + properties: + defaultValue: + description: >- + DefaultValue defines the default value to + use if the request header is not set. + type: string + name: + description: >- + Name defines the name of the request + header which to extract the value from. + type: string + required: + - name + type: object + type: + default: Literal + description: Type defines the type of custom tag. + enum: + - Literal + - Environment + - RequestHeader + type: string + required: + - type + type: object + description: >- + CustomTags defines the custom tags to add to each + span. + + If provider is kubernetes, pod name and namespace + are added by default. + + + Deprecated: Use Tags instead. + type: object + samplingFraction: + description: >- + SamplingFraction represents the fraction of requests + that should be + + selected for tracing if no prior sampling decision + has been made. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + spanName: + description: >- + SpanName defines the name of the span which will be + used for tracing. + + Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + may be used in the value. 
+ + The [format string + documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + + If not set, the span name is provider specific. + + e.g. Datadog use `ingress` as the default client + span name, + + and `router egress` as the server + span name. + properties: + client: + description: >- + Client defines operation name of the span which + will be used for tracing. + type: string + server: + description: >- + Server defines the operation name of the + upstream span which will be used for tracing. + type: string + required: + - client + - server + type: object + tags: + additionalProperties: + type: string + description: >- + Tags defines the custom tags to add to each span. + + Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + may be used in the value. + + The [format string + documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + If provider is kubernetes, pod name and namespace + are added by default. + + + Same keys take precedence over CustomTags. + type: object + type: object + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. Idle time + is defined as a period in which there are no active + requests in the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum duration for a + stream to complete. This timeout measures the time + + from when the request is sent until the response + stream is fully consumed and does not apply to + + non-streaming requests. + + When set to "0s", no max duration is applied and + streams can run indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which entire + response is received from the upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection establishment, + including TCP and TLS handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + useClientProtocol: + description: >- + UseClientProtocol configures Envoy to prefer sending + requests to backends using + + the same HTTP protocol that the incoming request used. + Defaults to false, which means + + that Envoy will use the protocol indicated by the attached + BackendRef. + type: boolean + type: object + x-kubernetes-validations: + - message: either targetRef or targetRefs must be used + rule: >- + (has(self.targetRef) && !has(self.targetRefs)) || + (!has(self.targetRef) && has(self.targetRefs)) || + (has(self.targetSelectors) && self.targetSelectors.size() > + 0) + - message: >- + this policy can only have a targetRef.group of + gateway.networking.k8s.io + rule: >- + has(self.targetRef) ? self.targetRef.group == + 'gateway.networking.k8s.io' : true + - message: >- + this policy can only have a targetRef.kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute + rule: >- + has(self.targetRef) ? 
self.targetRef.kind in ['Gateway', + 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', + 'TLSRoute'] : true + - message: >- + this policy can only have a targetRefs[*].group of + gateway.networking.k8s.io + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == + 'gateway.networking.k8s.io') : true + - message: >- + this policy can only have a targetRefs[*].kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in + ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', + 'TCPRoute', 'TLSRoute']) : true + - message: either compression or compressor can be set, not both + rule: '!has(self.compression) || !has(self.compressor)' + - message: >- + predictivePercent in preconnect policy only works with + RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && has(self.connection.preconnect) + && has(self.connection.preconnect.predictivePercent)) && + !(has(self.loadBalancer) && has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', 'RoundRobin'])) + status: + description: status defines the current status of BackendTrafficPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. 
+ Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. 
For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. 
+ + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. 
+ + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. 
For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. 
+ * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. 
+ enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/clienttrafficpolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/clienttrafficpolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..92d224d --- /dev/null +++ b/_/CustomResourceDefinition/clienttrafficpolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,2803 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: clienttrafficpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: ClientTrafficPolicy + listKind: ClientTrafficPolicyList + plural: clienttrafficpolicies + shortNames: + - ctp + singular: clienttrafficpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + ClientTrafficPolicy allows the user to configure the behavior of the + connection + + between the downstream client and Envoy Proxy listener. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ClientTrafficPolicy. + properties: + clientIPDetection: + description: >- + ClientIPDetectionSettings provides configuration for + determining the original client IP address for requests. + properties: + customHeader: + description: >- + CustomHeader provides configuration for determining the + client IP address for a request based on + + a trusted custom HTTP header. 
This uses the + custom_header original IP detection extension. + + Refer to + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto + + for more details. + properties: + failClosed: + description: >- + FailClosed is a switch used to control the flow of + traffic when client IP detection + + fails. If set to true, the listener will respond + with 403 Forbidden when the client + + IP address cannot be determined. + type: boolean + name: + description: >- + Name of the header containing the original + downstream remote address, if present. + maxLength: 255 + minLength: 1 + pattern: ^[A-Za-z0-9-]+$ + type: string + required: + - name + type: object + xForwardedFor: + description: >- + XForwardedForSettings provides configuration for using + X-Forwarded-For headers for determining the client IP + address. + properties: + numTrustedHops: + description: >- + NumTrustedHops specifies how many trusted hops to + count from the rightmost side of + + the X-Forwarded-For (XFF) header when determining + the original client’s IP address. + + + If NumTrustedHops is set to N, the client IP is + taken from the Nth address from the + + right end of the XFF header. + + + Example: + XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1" + NumTrustedHops = 2 + → Trusted client address = 203.0.113.10 + + Only one of NumTrustedHops or TrustedCIDRs should be + configured. + format: int32 + type: integer + trustedCIDRs: + description: >- + TrustedCIDRs is a list of CIDR ranges to trust when + evaluating + + the remote IP address to determine the original + client’s IP address. + + When the remote IP address matches a trusted CIDR + and the x-forwarded-for header was sent, + + each entry in the x-forwarded-for header is + evaluated from right to left + + and the first public non-trusted address is used as + the original client address. 
+ + If all addresses in x-forwarded-for are within the + trusted list, the first (leftmost) entry is used. + + Only one of NumTrustedHops and TrustedCIDRs must be + set. + items: + description: >- + CIDR defines a CIDR Address range. + + A CIDR can be an IPv4 address range such as + "192.168.1.0/24" or an IPv6 address range such as + "2001:0db8:11a3:09d7::/64". + pattern: >- + ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) + type: string + minItems: 1 + type: array + type: object + x-kubernetes-validations: + - message: >- + only one of numTrustedHops or trustedCIDRs must be + set + rule: >- + (has(self.numTrustedHops) && + !has(self.trustedCIDRs)) || + (!has(self.numTrustedHops) && + has(self.trustedCIDRs)) + type: object + x-kubernetes-validations: + - message: >- + customHeader cannot be used in conjunction with + xForwardedFor + rule: '!(has(self.xForwardedFor) && has(self.customHeader))' + connection: + description: Connection includes client connection settings. 
+ properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit provides configuration for the maximum + buffer size in bytes for each incoming connection. + + BufferLimit applies to connection streaming (maybe + non-streaming) channel between processes, it's in user + space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, the value is + interpreted as bytes. + + Default: 32768 bytes. + x-kubernetes-int-or-string: true + connectionLimit: + description: ConnectionLimit defines limits related to connections + properties: + closeDelay: + description: >- + CloseDelay defines the delay to use before closing + connections that are rejected + + once the limit value is reached. + + Default: none. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + MaxConnectionDuration is the maximum amount of time + a connection can remain established + + (usually via TCP/HTTP Keepalive packets) before + being drained and/or closed. + + If not specified, there is no limit. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxRequestsPerConnection: + description: >- + MaxRequestsPerConnection defines the maximum number + of requests allowed over a single connection. + + If not specified, there is no limit. Setting this + parameter to 1 will effectively disable keep alive. + format: int32 + type: integer + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum amount of time to + keep alive an http stream. When the limit is reached + + the stream will be reset independent of any other + timeouts. If not specified, no value is set. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + value: + description: >- + Value of the maximum concurrent connections limit. + + When the limit is reached, incoming connections will + be closed after the CloseDelay duration. + format: int64 + minimum: 1 + type: integer + type: object + x-kubernetes-validations: + - message: closeDelay can only be configured when value is set + rule: '!has(self.closeDelay) || has(self.value)' + maxAcceptPerSocketEvent: + default: 1 + description: >- + MaxAcceptPerSocketEvent provides configuration for the + maximum number of connections to accept from the kernel + + per socket event. If there are more than + MaxAcceptPerSocketEvent connections pending accept, + connections over + + this threshold will be accepted in later event loop + iterations. + + Defaults to 1 and can be disabled by setting to 0 for + allowing unlimited accepted connections. + format: int32 + type: integer + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for the maximum + buffer size in bytes for each incoming socket. + + SocketBufferLimit applies to socket streaming channel + between TCP/IP stacks, it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, the value is + interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + enableProxyProtocol: + description: >- + EnableProxyProtocol interprets the ProxyProtocol header and + adds the + + Client Address into the X-Forwarded-For header. + + Note Proxy Protocol must be present when this field is set, + else the connection + + is closed. + + + Deprecated: Use ProxyProtocol instead. 
+ type: boolean + headers: + description: HeaderSettings provides configuration for header management. + properties: + disableRateLimitHeaders: + description: >- + DisableRateLimitHeaders configures Envoy Proxy to omit + the "X-RateLimit-" response headers + + when rate limiting is enabled. + type: boolean + earlyRequestHeaders: + description: >- + EarlyRequestHeaders defines settings for early request + header modification, before envoy performs + + routing, tracing and built-in header manipulation. + properties: + add: + description: >- + Add adds the given header(s) (name, value) to the + request + + before the action. It appends to any existing values + associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + addIfAbsent: + description: >- + AddIfAbsent adds the given header(s) (name, value) + to the request/response + + only if the header does not already exist. Unlike + Add which appends to + + existing values, this is a no-op if the header is + already present. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + addIfAbsent: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: foo + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP request + before the action. The + + value of Remove is a list of HTTP header names. Note + that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-type: set + removeOnMatch: + description: >- + RemoveOnMatch removes headers whose names match the + specified string matchers. + + Matching is performed on the header name + (case-insensitive). + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that can + be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: Type specifies how to match against a string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 64 + minItems: 1 + type: array + set: + description: >- + Set overwrites the request with the given header + (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + enableEnvoyHeaders: + description: >- + EnableEnvoyHeaders configures Envoy Proxy to add the + "X-Envoy-" headers to requests + + and responses. + type: boolean + lateResponseHeaders: + description: >- + LateResponseHeaders defines settings for global response + header modification. + properties: + add: + description: >- + Add adds the given header(s) (name, value) to the + request + + before the action. It appends to any existing values + associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + addIfAbsent: + description: >- + AddIfAbsent adds the given header(s) (name, value) + to the request/response + + only if the header does not already exist. Unlike + Add which appends to + + existing values, this is a no-op if the header is + already present. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + addIfAbsent: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: foo + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP request + before the action. The + + value of Remove is a list of HTTP header names. Note + that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-type: set + removeOnMatch: + description: >- + RemoveOnMatch removes headers whose names match the + specified string matchers. + + Matching is performed on the header name + (case-insensitive). + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that can + be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: Type specifies how to match against a string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 64 + minItems: 1 + type: array + set: + description: >- + Set overwrites the request with the given header + (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + preserveXRequestID: + description: >- + PreserveXRequestID configures Envoy to keep the + X-Request-ID header if passed for a request that is edge + + (Edge request is the request from external clients to + front Envoy) and not reset it, which is the current + Envoy behaviour. + + Defaults to false and cannot be combined with RequestID. + + Deprecated: use RequestID=PreserveOrGenerate instead + type: boolean + requestID: + description: >- + RequestID configures Envoy's behavior for handling the + `X-Request-ID` header. + + When omitted default behavior is `Generate` which builds + the `X-Request-ID` for every request + and ignores pre-existing values from the edge. + (An "edge request" refers to a request from an external + client to the Envoy entrypoint.) + enum: + - PreserveOrGenerate + - Preserve + - Generate + - Disable + type: string + withUnderscoresAction: + description: >- + WithUnderscoresAction configures the action to take when + an HTTP header with underscores + + is encountered. The default action is to reject the + request. + enum: + - Allow + - RejectRequest + - DropHeader + type: string + xForwardedClientCert: + description: >- + XForwardedClientCert configures how Envoy Proxy handle + the x-forwarded-client-cert (XFCC) HTTP header. + + + x-forwarded-client-cert (XFCC) is an HTTP header used to + forward the certificate + + information of part or all of the clients or proxies + that a request has flowed through, + + on its way from the client to the server. + + + Envoy proxy may choose to sanitize/append/forward the + XFCC header before proxying the request. 
+ + + If not set, the default behavior is sanitizing the XFCC + header. + properties: + certDetailsToAdd: + description: >- + CertDetailsToAdd specifies the fields in the client + certificate to be forwarded in the XFCC header. + + + Hash(the SHA 256 digest of the current client + certificate) and By(the Subject Alternative Name) + + are always included if the client certificate is + forwarded. + + + This field is only applicable when the mode is set + to `AppendForward` or + + `SanitizeSet` and the client connection is mTLS. + items: + description: >- + XFCCCertData specifies the fields in the client + certificate to be forwarded in the XFCC header. + enum: + - Subject + - Cert + - Chain + - DNS + - URI + type: string + maxItems: 5 + type: array + mode: + description: >- + Mode defines how XFCC header is handled by Envoy + Proxy. + + If not set, the default mode is `Sanitize`. + enum: + - Sanitize + - ForwardOnly + - AppendForward + - SanitizeSet + - AlwaysForwardOnly + type: string + type: object + x-kubernetes-validations: + - message: >- + certDetailsToAdd can only be set when mode is + AppendForward or SanitizeSet + rule: >- + (has(self.certDetailsToAdd) && + self.certDetailsToAdd.size() > 0) ? (self.mode == + 'AppendForward' || self.mode == 'SanitizeSet') : + true + type: object + x-kubernetes-validations: + - message: preserveXRequestID and requestID cannot both be set. + rule: '!(has(self.preserveXRequestID) && has(self.requestID))' + healthCheck: + description: >- + HealthCheck provides configuration for determining whether + the HTTP/HTTPS listener is healthy. + properties: + path: + description: >- + Path specifies the HTTP path to match on for health + check requests. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + http1: + description: HTTP1 provides HTTP/1 configuration on the listener. 
+ properties: + disableSafeMaxConnectionDuration: + description: >- + DisableSafeMaxConnectionDuration controls the close + behavior for HTTP/1 connections. + + By default, connection closure is delayed until the next + request arrives after maxConnectionDuration is exceeded. + + It then adds a Connection: close header and gracefully + closes the connection after the response completes. + + When set to true (disabled), Envoy uses its default + drain behavior, closing the connection shortly after + maxConnectionDuration elapses. + + Has no effect unless maxConnectionDuration is set. + type: boolean + enableTrailers: + description: >- + EnableTrailers defines if HTTP/1 trailers should be + proxied by Envoy. + type: boolean + http10: + description: >- + HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 + requests. + properties: + useDefaultHost: + description: >- + UseDefaultHost specifies whether a default Host + header should be injected + + into HTTP/1.0 requests that do not include one. + + + When set to true, Envoy Gateway injects the hostname + associated with the + + listener or route into the request, in the following + order: + + 1. If the targeted listener has a non-wildcard hostname, use that hostname. + 2. If there is exactly one HTTPRoute with a non-wildcard hostname under + the targeted listener, use that hostname. + + Note: Setting this field to true without a non-wildcard hostname makes the + ClientTrafficPolicy invalid. + type: boolean + type: object + preserveHeaderCase: + description: >- + PreserveHeaderCase defines if Envoy should preserve the + letter case of headers. + + By default, Envoy will lowercase all the headers. + type: boolean + type: object + http2: + description: HTTP2 provides HTTP/2 configuration on the listener. 
+ properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial window size + for HTTP/2 connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial window size for + HTTP/2 streams. + + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number of + concurrent streams allowed per connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will terminate the + connection or just the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy deployments to set this + value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + http3: + description: HTTP3 provides HTTP/3 configuration on the listener. + type: object + path: + description: >- + Path enables managing how the incoming path set by clients + can be normalized. + properties: + disableMergeSlashes: + description: >- + DisableMergeSlashes allows disabling the default + configuration of merging adjacent + + slashes in the path. 
+ + Note that slash merging is not part of the HTTP spec and + is provided for convenience. + type: boolean + escapedSlashesAction: + description: >- + EscapedSlashesAction determines how %2f, %2F, %5c, or + %5C sequences in the path URI + + should be handled. + + The default is UnescapeAndRedirect. + enum: + - KeepUnchanged + - RejectRequest + - UnescapeAndForward + - UnescapeAndRedirect + type: string + type: object + proxyProtocol: + description: >- + ProxyProtocol configures the Proxy Protocol settings. When + configured, + + the Proxy Protocol header will be interpreted and the Client + Address + + will be added into the X-Forwarded-For header. + + If both EnableProxyProtocol and ProxyProtocol are set, + ProxyProtocol takes precedence. + minProperties: 0 + properties: + optional: + description: >- + Optional allows requests without a Proxy Protocol header + to be proxied. + + If set to true, the listener will accept requests + without a Proxy Protocol header. + + If set to false, the listener will reject requests + without a Proxy Protocol header. + + If not set, the default behavior is to reject requests + without a Proxy Protocol header. + + Warning: Optional breaks conformance with the + specification. Only enable if ALL traffic to the + listener comes from a trusted source. + + For more information on security implications, see + haproxy.org/download/2.1/doc/proxy-protocol.txt + type: boolean + type: object + scheme: + description: >- + Scheme configures how the :scheme pseudo-header is set for + requests forwarded to backends. + + + - Preserve (default): Preserves the :scheme from the + original client request. + Use this when backends need to know the original client scheme for URL generation or redirects. + + - MatchBackend: Sets the :scheme to match the backend + transport protocol. + If the backend uses TLS, the scheme is "https", otherwise "http". 
+ Use this when backends require the scheme to match the actual transport protocol, + such as strictly HTTPS services that validate the :scheme header. + enum: + - Preserve + - MatchBackend + type: string + targetRef: + description: >- + TargetRef is the name of the resource this policy is being + attached to. + + This policy and the TargetRef MUST be in the same namespace + for this + + Policy to have effect + + + Deprecated: use targetRefs/targetSelectors instead + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire resource. + In the following + + resources, SectionName is interpreted as the following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on the + targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + targetRefs: + description: >- + TargetRefs are the names of the Gateway resources this + policy + + is being attached to. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. 
This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + type: array + targetSelectors: + description: >- + TargetSelectors allow targeting resources for this policy + based on labels + items: + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group that this selector targets. 
+ Defaults to gateway.networking.k8s.io + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the resource kind that this selector targets. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + matchExpressions: + description: >- + MatchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector applies + to. + type: string + operator: + description: >- + operator represents a key's relationship to a + set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + MatchLabels are the set of label selectors for + identifying the targeted resource + type: object + required: + - kind + type: object + x-kubernetes-validations: + - message: group must be gateway.networking.k8s.io + rule: >- + has(self.group) ? self.group == + 'gateway.networking.k8s.io' : true + type: array + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the downstream client + connection. + + If defined, sets SO_KEEPALIVE on the listener socket to + enable TCP Keepalives. + + Disabled by default. 
+ properties: + idleTime: + description: >- + The duration a connection needs to be idle before + keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to send before + deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the client connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + idleTimeout: + description: >- + IdleTimeout for an HTTP connection. Idle time is + defined as a period in which there are no active + requests in the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestReceivedTimeout: + description: >- + RequestReceivedTimeout is the duration envoy waits + for the complete request reception. This timer + starts upon request + + initiation and stops when either the last byte of + the request is sent upstream or when the response + begins. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + Default: 5 minutes. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + idleTimeout: + description: >- + IdleTimeout for a TCP connection. Idle time is + defined as a period in which there are no + + bytes sent or received on either the upstream or + downstream connection. + + Default: 1 hour. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + tls: + description: >- + TLS settings configure TLS termination settings with the + downstream client. + properties: + alpnProtocols: + description: >- + ALPNProtocols supplies the list of ALPN protocols that + should be + + exposed by the listener or used by the proxy to connect + to the backend. + + Defaults: + + 1. HTTPS Routes: h2 and http/1.1 are enabled in listener + context. + + 2. Other Routes: ALPN is disabled. + + 3. Backends: proxy uses the appropriate ALPN options for + the backend protocol. + + When an empty list is provided, the ALPN TLS extension + is disabled. + + + Defaults to [h2, http/1.1] if not specified. + + + Typical Supported values are: + + - http/1.0 + + - http/1.1 + + - h2 + items: + description: >- + ALPNProtocol specifies the protocol to be negotiated + using ALPN + type: string + type: array + ciphers: + description: >- + Ciphers specifies the set of cipher suites supported + when + + negotiating TLS 1.0 - 1.2. This setting has no effect + for TLS 1.3. + + In non-FIPS Envoy Proxy builds the default cipher list + is: + + - + [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + + - + [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + In builds using BoringSSL FIPS the default cipher list + is: + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + items: + type: string + type: array + clientValidation: + description: >- + ClientValidation specifies the configuration to validate + the client + + initiating the TLS connection to the Gateway listener. 
+ properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more references to + + Kubernetes objects that contain TLS certificates of + + the Certificate Authorities that can be used + + as a trust anchor to validate the certificates + presented by the client. + + + A single reference to a Kubernetes ConfigMap or a + Kubernetes Secret, + + with the CA certificate in a key named `ca.crt` is + currently supported. + + + References to a resource in different namespace are + invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the certificate + + to be attached. + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the + Group and Kind must + + be registered in the cluster for this reference to + be valid. + + + References to objects with invalid Group and Kind + are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. 
+ + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 8 + type: array + certificateHashes: + description: >- + An optional list of hex-encoded SHA-256 hashes. If + specified, Envoy will + + verify that the SHA-256 of the DER-encoded presented + certificate matches + + one of the specified values. + items: + type: string + type: array + crl: + description: >- + Crl specifies the crl configuration that can be used + to validate the client initiating the TLS connection + properties: + onlyVerifyLeafCertificate: + description: >- + If this option is set to true, Envoy will only + verify the certificate at the end of the + certificate chain against the CRL. + + Defaults to false, which will verify the entire + certificate chain against the CRL. + type: boolean + refs: + description: >- + Refs contains one or more references to a + Kubernetes ConfigMap or a Kubernetes Secret, + + containing the certificate revocation list in + PEM format + + Expects the content in a key named `ca.crl`. + + + References to a resource in different namespace + are invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the crl + + to be attached. + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; + the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group and + Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. 
+ properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 8 + minItems: 1 + type: array + required: + - refs + type: object + optional: + description: >- + Optional set to true accepts connections even when a + client doesn't present a certificate. + + Defaults to false, which rejects connections without + a valid client certificate. + type: boolean + spkiHashes: + description: >- + An optional list of base64-encoded SHA-256 hashes. + If specified, Envoy will + + verify that the SHA-256 of the DER-encoded Subject + Public Key Information + + (SPKI) of the presented certificate matches one of + the specified values. + items: + type: string + type: array + subjectAltNames: + description: >- + An optional list of Subject Alternative name + matchers. 
If specified, Envoy + + will verify that the Subject Alternative Name of the + presented certificate + + matches one of the specified matchers + properties: + dnsNames: + description: DNS names matchers + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that + can be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + emailAddresses: + description: Email addresses matchers + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that + can be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + ipAddresses: + description: IP addresses matchers + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that + can be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + otherNames: + description: Other names matchers + items: + properties: + oid: + description: OID Value + type: string + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - oid + - value + type: object + type: array + uris: + description: URIs matchers + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that + can be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: >- + Type specifies how to match against a + string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + type: object + type: object + ecdhCurves: + description: |- + ECDHCurves specifies the set of supported ECDH curves. + In non-FIPS Envoy Proxy builds the default curves are: + - X25519 + - P-256 + In builds using BoringSSL FIPS the default curve is: + - P-256 + items: + type: string + type: array + maxVersion: + description: |- + Max specifies the maximal TLS protocol version to allow + The default is TLS 1.3 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + minVersion: + description: |- + Min specifies the minimal TLS protocol version to allow. + The default is TLS 1.2 if this is not specified. 
+ enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + session: + description: >- + Session defines settings related to TLS session + management. + properties: + resumption: + description: >- + Resumption determines the proxy's supported TLS + session resumption option. + + By default, Envoy Gateway does not enable session + resumption. Use sessionResumption to + + enable stateful and stateless session resumption. + Users should consider security impacts + + of different resumption methods. Performance gains + from resumption are diminished when + + Envoy proxy is deployed with more than one replica. + properties: + stateful: + description: >- + Stateful defines setting for stateful + (session-id based) session resumption + type: object + stateless: + description: >- + Stateless defines setting for stateless + (session-ticket based) session resumption + type: object + type: object + type: object + signatureAlgorithms: + description: >- + SignatureAlgorithms specifies which signature algorithms + the listener should + + support. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: >- + setting ciphers has no effect if the minimum possible + TLS version is 1.3 + rule: >- + has(self.minVersion) && self.minVersion == '1.3' ? + !has(self.ciphers) : true + - message: minVersion must be smaller or equal to maxVersion + rule: >- + has(self.minVersion) && has(self.maxVersion) ? + {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion] + <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : !has(self.minVersion) && has(self.maxVersion) ? 
3 <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : true + type: object + x-kubernetes-validations: + - message: either targetRef or targetRefs must be used + rule: >- + (has(self.targetRef) && !has(self.targetRefs)) || + (!has(self.targetRef) && has(self.targetRefs)) || + (has(self.targetSelectors) && self.targetSelectors.size() > + 0) + - message: >- + this policy can only have a targetRef.group of + gateway.networking.k8s.io + rule: >- + has(self.targetRef) ? self.targetRef.group == + 'gateway.networking.k8s.io' : true + - message: this policy can only have a targetRef.kind of Gateway + rule: >- + has(self.targetRef) ? self.targetRef.kind == 'Gateway' : + true + - message: >- + this policy can only have a targetRefs[*].group of + gateway.networking.k8s.io + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == + 'gateway.networking.k8s.io') : true + - message: this policy can only have a targetRefs[*].kind of Gateway + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == + 'Gateway') : true + status: + description: Status defines the current status of ClientTrafficPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. 
+ Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. 
For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. 
+ + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. 
+ + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. 
For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. 
+ * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. 
+ enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/envoyextensionpolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/envoyextensionpolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..06eb445 --- /dev/null +++ b/_/CustomResourceDefinition/envoyextensionpolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,3222 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: envoyextensionpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + kind: EnvoyExtensionPolicy + listKind: EnvoyExtensionPolicyList + plural: envoyextensionpolicies + shortNames: + - eep + singular: envoyextensionpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + EnvoyExtensionPolicy allows the user to configure various envoy + extensibility options for the Gateway. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of EnvoyExtensionPolicy. + properties: + extProc: + description: |- + ExtProc is an ordered list of external processing filters + that should be added to the envoy filter chain + items: + description: >- + ExtProc defines the configuration for External Processing + filter. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization request will + be sent. 
+ + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe to + forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to use + for this resource. + + Port is required when the referent is a Kubernetes + Service. In this + + case, the port number is the service port number, + not the target port. 
+ + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == 'Service') + ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization request will + be sent. + items: + description: >- + BackendRef defines how an ObjectReference that is + specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be configured. + + It is highly recommended to configure active or + passive health checks to ensure that failover + can be detected + + when the active backends become unhealthy and to + automatically readjust once the primary backends + are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only start + receiving traffic when + + the health of the active backends falls below + 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). 
+ Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. 
If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing the + connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be enabled with + the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy + will establish to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that + Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy will + make over a single connection to the + referenced backend defined within a xRoute + rule. + + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that will + apply per-endpoint for an upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write buffers. + + BufferLimit applies to connection streaming + (maybe non-streaming) channel between + processes, it's in user space. + + If unspecified, an implementation defined + default is applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by establishing + + connections before they’re needed and avoiding + connection establishment overhead. + + + If unset, Envoy will fetch connections as + needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS or + latency sensitive services. Expressed as a + + percentage of the connections required by + active streams + + (e.g. 
100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, 200 + = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for + the maximum buffer size in bytes for each + socket + + to backend. + + SocketBufferLimit applies to socket streaming + channel between TCP/IP stacks, it's in kernel + space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, the + value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which DNS + records should be refreshed. + + Defaults to 30 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend is + specified as a fully qualified domain name + (FQDN). + + If set, this configuration overrides other + defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS refresh + rate will be set to the resource record’s TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the GRPC + health checker. + + It's optional, and can only be used if the + specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value between + 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. 
+ + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. 
+ type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before a + backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http field + needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and balance + across all endpoints. + + It's designed to prevent a situation in which + host failures cascade throughout the cluster + + as load increases. If not set, the default + value is 50%. To disable panic mode, set value + to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base duration + for which a host will be ejected on + consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is set + to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given host + is greater than or equal to this value, it + will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between passive + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that can + be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for backend + connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial + window size for HTTP/2 connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number + of concurrent streams allowed per connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will + terminate the connection or just the offending + stream in the event of HTTP messaging error + + It's recommended for L2 Envoy deployments to + set this value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing traffic + from the gateway to + + the backend endpoints. Defaults to `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration when + the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. 
+ + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash policy + for each header, when the consistent hash + type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query parameter + hash policy when the consistent hash type + is set to QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. 
Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) : + !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? has(self.headers) + : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) : + !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration for + endpoint override. + + When specified, the load balancer will attempt + to route requests to endpoints + + based on the override information extracted + from request headers or metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to extract + endpoint override information from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related to + the slow start load balancer policy. + + If set, during slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently this is only supported for + RoundRobin and LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm up + period for newly added host. + + During slow start window, traffic sent to + the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related to + the distribution of requests between locality + zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. 
+ properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for + RoundRobin and LeastRequest load balancers. + rule: >- + self.type in ['Random', 'ConsistentHash'] ? + !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for + LeastRequest, Random, and RoundRobin load + balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when + communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing users + to customize the number of retries, retry fallback + strategy, and retry triggering conditions. 
+ + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of + requests (initial attempt + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all requests are + sent to the highest priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be + attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied per + retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses a + fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: Timeout is the timeout per retry attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http status + codes to be retried. 
+ + The retriable-status-codes trigger must + also be configured for these status codes + to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the upstream + client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle + before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to + send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in which + there are no active requests in the + connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum duration + for a stream to complete. This timeout + measures the time + + from when the request is sent until the + response stream is fully consumed and does + not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only works + with RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + failOpen: + default: false + description: >- + FailOpen is a switch used to control the behavior when + failing to call the external processor. + + + If FailOpen is set to true, the system bypasses the + ExtProc extension and + + allows the traffic to pass through. If it is set to + false or + + not set (defaulting to false), the system blocks the + traffic and returns + + an HTTP 5xx error. + + + If set to true, the ExtProc extension will also be + bypassed if the configuration is invalid. 
+ type: boolean + messageTimeout: + description: >- + MessageTimeout is the timeout for a response to be + returned from the external processor + + Default: 200ms + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + metadata: + description: >- + Metadata defines options related to the sending and + receiving of dynamic metadata. + + These options define which metadata namespaces would + be sent to the processor and which dynamic metadata + + namespaces the processor would be permitted to emit + metadata to. + + Users can specify custom namespaces or well-known + envoy metadata namespace (such as + envoy.filters.http.ext_authz) + + documented here: + https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata#well-known-dynamic-metadata + + Default: no metadata context is sent or received from + the external processor + properties: + accessibleNamespaces: + description: >- + AccessibleNamespaces are metadata namespaces that + are sent to the external processor as context + items: + type: string + type: array + writableNamespaces: + description: >- + WritableNamespaces are metadata namespaces that + the external processor can write to + items: + type: string + maxItems: 8 + type: array + x-kubernetes-validations: + - message: >- + writableNamespaces cannot contain well-known + Envoy HTTP filter namespaces + rule: >- + self.all(f, + !f.startsWith('envoy.filters.http')) + type: object + processingMode: + description: >- + ProcessingMode defines how request and response body + is processed + + Default: header and body are not sent to the external + processor + properties: + allowModeOverride: + description: >- + AllowModeOverride allows the external processor to + override the processing mode set via the + + `mode_override` field in the gRPC response + message. This defaults to false. + type: boolean + request: + description: >- + Defines processing mode for requests. If present, + request headers are sent. 
Request body is + processed according + + to the specified mode. + properties: + attributes: + description: >- + Defines which attributes are sent to the + external processor. Envoy Gateway currently + + supports only the following attribute + prefixes: connection, source, destination, + + request, response, upstream and xds.route. + + https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + items: + pattern: >- + ^(connection\.|source\.|destination\.|request\.|response\.|upstream\.|xds\.route_)[a-z_1-9]*$ + type: string + type: array + body: + description: Defines body processing mode + enum: + - Streamed + - Buffered + - BufferedPartial + - FullDuplexStreamed + type: string + type: object + response: + description: >- + Defines processing mode for responses. If present, + response headers are sent. Response body is + processed according + + to the specified mode. + properties: + attributes: + description: >- + Defines which attributes are sent to the + external processor. Envoy Gateway currently + + supports only the following attribute + prefixes: connection, source, destination, + + request, response, upstream and xds.route. + + https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + items: + pattern: >- + ^(connection\.|source\.|destination\.|request\.|response\.|upstream\.|xds\.route_)[a-z_1-9]*$ + type: string + type: array + body: + description: Defines body processing mode + enum: + - Streamed + - Buffered + - BufferedPartial + - FullDuplexStreamed + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: BackendRefs must be used, backendRef is not supported. + rule: '!has(self.backendRef)' + - message: >- + BackendRefs only supports Service, ServiceImport, and + Backend kind. + rule: >- + has(self.backendRefs) ? 
self.backendRefs.all(f, f.kind + == 'Service' || f.kind == 'ServiceImport' || f.kind == + 'Backend') : true + - message: >- + BackendRefs only supports Core, multicluster.x-k8s.io, + and gateway.envoyproxy.io groups. + rule: >- + has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "" || f.group == 'multicluster.x-k8s.io' || + f.group == 'gateway.envoyproxy.io')) : true + - message: >- + If FullDuplexStreamed body processing mode is used, + FailOpen must be false. + rule: >- + !(has(self.failOpen) && self.failOpen == true && + has(self.processingMode) && + ((has(self.processingMode.request) && + has(self.processingMode.request.body) && + self.processingMode.request.body == + 'FullDuplexStreamed') || + (has(self.processingMode.response) && + has(self.processingMode.response.body) && + self.processingMode.response.body == + 'FullDuplexStreamed'))) + maxItems: 16 + type: array + lua: + description: |- + Lua is an ordered list of Lua filters + that should be added to the envoy filter chain + items: + description: |- + Lua defines a Lua extension + Only one of Inline or ValueRef must be set + properties: + inline: + description: Inline contains the source code as an inline string. + type: string + type: + default: Inline + description: >- + Type is the type of method to use to read the Lua + value. + + Valid values are Inline and ValueRef, default is + Inline. + enum: + - Inline + - ValueRef + type: string + valueRef: + description: >- + ValueRef has the source code specified as a local + object reference. + + Only a reference to ConfigMap is supported. + + The value of key `lua` in the ConfigMap will be used. + + If the key is not found, the first value in the + ConfigMap will be used. + properties: + group: + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + x-kubernetes-validations: + - message: >- + Only a reference to an object of kind ConfigMap + belonging to default v1 API group is supported. + rule: >- + self.kind == 'ConfigMap' && (self.group == 'v1' || + self.group == '') + required: + - type + type: object + x-kubernetes-validations: + - message: >- + Exactly one of inline or valueRef must be set with + correct type. + rule: >- + (self.type == 'Inline' && has(self.inline) && + !has(self.valueRef)) || (self.type == 'ValueRef' && + !has(self.inline) && has(self.valueRef)) + maxItems: 16 + type: array + targetRef: + description: >- + TargetRef is the name of the resource this policy is being + attached to. + + This policy and the TargetRef MUST be in the same namespace + for this + + Policy to have effect + + + Deprecated: use targetRefs/targetSelectors instead + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire resource. 
+ In the following + + resources, SectionName is interpreted as the following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on the + targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + targetRefs: + description: >- + TargetRefs are the names of the Gateway resources this + policy + + is being attached to. + items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. 
In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + type: array + targetSelectors: + description: >- + TargetSelectors allow targeting resources for this policy + based on labels + items: + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group that this selector targets. + Defaults to gateway.networking.k8s.io + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the resource kind that this selector targets. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + matchExpressions: + description: >- + MatchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector applies + to. + type: string + operator: + description: >- + operator represents a key's relationship to a + set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. 
This array is + replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + MatchLabels are the set of label selectors for + identifying the targeted resource + type: object + required: + - kind + type: object + x-kubernetes-validations: + - message: group must be gateway.networking.k8s.io + rule: >- + has(self.group) ? self.group == + 'gateway.networking.k8s.io' : true + type: array + wasm: + description: >- + Wasm is a list of Wasm extensions to be loaded by the + Gateway. + + Order matters, as the extensions will be loaded in the order + they are + + defined in this list. + items: + description: >- + Wasm defines a Wasm extension. + + + Note: at the moment, Envoy Gateway does not support + configuring Wasm runtime. + + v8 is used as the VM runtime for the Wasm extensions. + properties: + code: + description: Code is the Wasm code for the extension. + properties: + http: + description: >- + HTTP is the HTTP URL containing the Wasm code. + + + Note that the HTTP server must be accessible from + the Envoy proxy. + properties: + sha256: + description: >- + SHA256 checksum that will be used to verify + the Wasm code. + + + If not specified, Envoy Gateway will not + verify the downloaded Wasm code. + + kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` + type: string + tls: + description: >- + TLS configuration when connecting to the Wasm + code source. + properties: + caCertificateRef: + description: >- + CACertificateRef contains a references to + + Kubernetes objects that contain TLS + certificates of + + the Certificate Authorities that can be + used + + as a trust anchor to validate the + certificates presented by the Wasm code + source. + + + Kubernetes ConfigMap and Kubernetes Secret + are supported. 
+ + Note: The ConfigMap or Secret must be in + the same namespace as the + EnvoyExtensionPolicy. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For + example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - caCertificateRef + type: object + url: + description: URL is the URL containing the Wasm code. + pattern: >- + ^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)* + type: string + required: + - url + type: object + image: + description: >- + Image is the OCI image containing the Wasm code. + + + Note that the image must be accessible from the + Envoy Gateway. + properties: + pullSecretRef: + description: >- + PullSecretRef is a reference to the secret + containing the credentials to pull the image. + + Only support Kubernetes Secret resource from + the same namespace. 
+ properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: only support Secret kind. + rule: self.kind == 'Secret' + sha256: + description: >- + SHA256 checksum that will be used to verify + the OCI image. + + + It must match the digest of the OCI image. + + + If not specified, Envoy Gateway will not + verify the downloaded OCI image. + + kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` + type: string + tls: + description: >- + TLS configuration when connecting to the Wasm + code source. + properties: + caCertificateRef: + description: >- + CACertificateRef contains a references to + + Kubernetes objects that contain TLS + certificates of + + the Certificate Authorities that can be + used + + as a trust anchor to validate the + certificates presented by the Wasm code + source. 
+ + + Kubernetes ConfigMap and Kubernetes Secret + are supported. + + Note: The ConfigMap or Secret must be in + the same namespace as the + EnvoyExtensionPolicy. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For + example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - caCertificateRef + type: object + url: + description: >- + URL is the URL of the OCI image. + + URL can be in the format of + `registry/image:tag` or + `registry/image@sha256:digest`. + type: string + required: + - url + type: object + pullPolicy: + description: >- + PullPolicy is the policy to use when pulling the + Wasm module by either the HTTP or Image source. + + This field is only applicable when the SHA256 + field is not set. + + + If not specified, the default policy is + IfNotPresent except for OCI images whose tag is + latest. 
+ + + Note: EG does not update the Wasm module every + time an Envoy proxy requests + + the Wasm module even if the pull policy is set to + Always. + + It only updates the Wasm module when the + EnvoyExtension resource version changes. + enum: + - IfNotPresent + - Always + type: string + type: + allOf: + - enum: + - HTTP + - Image + - enum: + - HTTP + - Image + - ConfigMap + description: >- + Type is the type of the source of the Wasm code. + + Valid WasmCodeSourceType values are "HTTP" or + "Image". + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If type is HTTP, http field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: If type is Image, image field needs to be set. + rule: >- + self.type == 'Image' ? has(self.image) : + !has(self.image) + config: + description: >- + Config is the configuration for the Wasm extension. + + This configuration will be passed as a JSON string to + the Wasm extension. + x-kubernetes-preserve-unknown-fields: true + env: + description: Env configures the environment for the Wasm extension + properties: + hostKeys: + description: >- + HostKeys is a list of keys for environment + variables from the host envoy process + + that should be passed into the Wasm VM. This is + useful for passing secrets to to Wasm extensions. + items: + type: string + type: array + type: object + failOpen: + default: false + description: >- + FailOpen is a switch used to control the behavior when + a fatal error occurs + + during the initialization or the execution of the Wasm + extension. + + + If FailOpen is set to true, the system bypasses the + Wasm extension and + + allows the traffic to pass through. If it is set to + false or + + not set (defaulting to false), the system blocks the + traffic and returns + + an HTTP 5xx error. + + + If set to true, the Wasm extension will also be + bypassed if the configuration is invalid. 
+ type: boolean + name: + description: >- + Name is a unique name for this Wasm extension. It is + used to identify the + + Wasm extension if multiple extensions are handled by + the same vm_id and root_id. + + It's also used for logging/debugging. + + If not specified, EG will generate a unique name for + the Wasm extension. + type: string + rootID: + description: >- + RootID is a unique ID for a set of extensions in a VM + which will share a + + RootContext and Contexts if applicable (e.g., an Wasm + HttpFilter and an Wasm AccessLog). + + If left blank, all extensions with a blank root_id + with the same vm_id will share Context(s). + + + Note: RootID must match the root_id parameter used to + register the Context in the Wasm code. + type: string + required: + - code + type: object + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: either targetRef or targetRefs must be used + rule: >- + (has(self.targetRef) && !has(self.targetRefs)) || + (!has(self.targetRef) && has(self.targetRefs)) || + (has(self.targetSelectors) && self.targetSelectors.size() > + 0) + - message: >- + this policy can only have a targetRef.group of + gateway.networking.k8s.io + rule: >- + has(self.targetRef) ? self.targetRef.group == + 'gateway.networking.k8s.io' : true + - message: >- + this policy can only have a targetRef.kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute + rule: >- + has(self.targetRef) ? self.targetRef.kind in ['Gateway', + 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', + 'TLSRoute'] : true + - message: >- + this policy can only have a targetRefs[*].group of + gateway.networking.k8s.io + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == + 'gateway.networking.k8s.io') : true + - message: >- + this policy can only have a targetRefs[*].kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute + rule: >- + has(self.targetRefs) ? 
self.targetRefs.all(ref, ref.kind in + ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', + 'TCPRoute', 'TLSRoute']) : true + status: + description: Status defines the current status of EnvoyExtensionPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. + Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. 
+ items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. + + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. 
+ properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. 
+ + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. 
+ + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. + * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". 
+ + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/envoypatchpolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/envoypatchpolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..4e9003a --- /dev/null +++ b/_/CustomResourceDefinition/envoypatchpolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,830 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: envoypatchpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: EnvoyPatchPolicy + listKind: EnvoyPatchPolicyList + plural: envoypatchpolicies + shortNames: + - epp + singular: envoypatchpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.ancestors[0].conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.ancestors[0].conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + EnvoyPatchPolicy allows the user to modify the generated Envoy xDS + resources by Envoy Gateway using this patch API + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of EnvoyPatchPolicy. + properties: + jsonPatches: + description: JSONPatch defines the JSONPatch configuration. 
+ items: + description: >- + EnvoyJSONPatchConfig defines the configuration for + patching a Envoy xDS Resource + + using JSONPatch semantic + properties: + name: + description: Name is the name of the resource + type: string + operation: + description: Patch defines the JSON Patch Operation + properties: + from: + description: >- + From is the source location of the value to be + copied or moved. Only valid + + for move or copy operations + + Refer to + https://datatracker.ietf.org/doc/html/rfc6901 for + more details. + type: string + jsonPath: + description: >- + JSONPath is a JSONPath expression. Refer to + https://datatracker.ietf.org/doc/rfc9535/ for more + details. + + It produces one or more JSONPointer expressions + based on the given JSON document. + + If no JSONPointer is found, it will result in an + error. + + If the 'Path' property is also set, it will be + appended to the resulting JSONPointer expressions + from the JSONPath evaluation. + + This is useful when creating a property that does + not yet exist in the JSON document. + + The final JSONPointer expressions specifies the + locations in the target document/field where the + operation will be applied. + type: string + op: + description: Op is the type of operation to perform + enum: + - add + - remove + - replace + - move + - copy + - test + type: string + path: + description: >- + Path is a JSONPointer expression. Refer to + https://datatracker.ietf.org/doc/html/rfc6901 for + more details. + + It specifies the location of the target + document/field where the operation will be + performed + type: string + value: + description: >- + Value is the new value of the path location. The + value is only used by + + the `add` and `replace` operations. 
+ x-kubernetes-preserve-unknown-fields: true + required: + - op + type: object + type: + description: Type is the typed URL of the Envoy xDS Resource + enum: + - >- + type.googleapis.com/envoy.config.listener.v3.Listener + - >- + type.googleapis.com/envoy.config.route.v3.RouteConfiguration + - type.googleapis.com/envoy.config.cluster.v3.Cluster + - >- + type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment + - >- + type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret + type: string + required: + - name + - operation + - type + type: object + type: array + priority: + description: |- + Priority of the EnvoyPatchPolicy. + If multiple EnvoyPatchPolicies are applied to the same + TargetRef, they will be applied in the ascending order of + the priority i.e. int32.min has the highest priority and + int32.max has the lowest priority. + Defaults to 0. + format: int32 + type: integer + targetRef: + description: >- + TargetRef is the name of the Gateway API resource this + policy + + is being attached to. + + By default, attaching to Gateway is supported and + + when mergeGateways is enabled it should attach to + GatewayClass. + + This Policy and the TargetRef MUST be in the same namespace + + for this Policy to have effect and be applied to the Gateway + + TargetRef + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: + description: |- + Type decides the type of patch. + Valid EnvoyPatchType values are "JSONPatch". 
+ enum: + - JSONPatch + type: string + required: + - targetRef + - type + type: object + status: + description: Status defines the current status of EnvoyPatchPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. + Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. 
+ + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. 
+ + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. 
+ + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. 
In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. 
That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. + * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. 
+ + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/envoyproxies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/envoyproxies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..c799f2b --- /dev/null +++ b/_/CustomResourceDefinition/envoyproxies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,26210 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: envoyproxies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: EnvoyProxy + listKind: EnvoyProxyList + plural: envoyproxies + shortNames: + - eproxy + singular: envoyproxy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: EnvoyProxy is the schema for the envoyproxies API. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: EnvoyProxySpec defines the desired state of EnvoyProxy. + properties: + backendTLS: + description: >- + BackendTLS is the TLS configuration for the Envoy proxy to + use when connecting to backends. + + These settings are applied on backends for which TLS + policies are specified. + properties: + alpnProtocols: + description: >- + ALPNProtocols supplies the list of ALPN protocols that + should be + + exposed by the listener or used by the proxy to connect + to the backend. + + Defaults: + + 1. HTTPS Routes: h2 and http/1.1 are enabled in listener + context. + + 2. Other Routes: ALPN is disabled. + + 3. 
Backends: proxy uses the appropriate ALPN options for + the backend protocol. + + When an empty list is provided, the ALPN TLS extension + is disabled. + + + Defaults to [h2, http/1.1] if not specified. + + + Typical Supported values are: + + - http/1.0 + + - http/1.1 + + - h2 + items: + description: >- + ALPNProtocol specifies the protocol to be negotiated + using ALPN + type: string + type: array + ciphers: + description: >- + Ciphers specifies the set of cipher suites supported + when + + negotiating TLS 1.0 - 1.2. This setting has no effect + for TLS 1.3. + + In non-FIPS Envoy Proxy builds the default cipher list + is: + + - + [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + + - + [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + In builds using BoringSSL FIPS the default cipher list + is: + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + items: + type: string + type: array + clientCertificateRef: + description: >- + ClientCertificateRef defines the reference to a + Kubernetes Secret that contains + + the client certificate and private key for Envoy to use + when connecting to + + backend services and external services, such as ExtAuth, + ALS, OpenTelemetry, etc. + + This secret should be located within the same namespace + as the Envoy proxy resource that references it. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + ecdhCurves: + description: |- + ECDHCurves specifies the set of supported ECDH curves. + In non-FIPS Envoy Proxy builds the default curves are: + - X25519 + - P-256 + In builds using BoringSSL FIPS the default curve is: + - P-256 + items: + type: string + type: array + maxVersion: + description: |- + Max specifies the maximal TLS protocol version to allow + The default is TLS 1.3 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + minVersion: + description: |- + Min specifies the minimal TLS protocol version to allow. + The default is TLS 1.2 if this is not specified. + enum: + - Auto + - '1.0' + - '1.1' + - '1.2' + - '1.3' + type: string + signatureAlgorithms: + description: >- + SignatureAlgorithms specifies which signature algorithms + the listener should + + support. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: >- + setting ciphers has no effect if the minimum possible + TLS version is 1.3 + rule: >- + has(self.minVersion) && self.minVersion == '1.3' ? + !has(self.ciphers) : true + - message: minVersion must be smaller or equal to maxVersion + rule: >- + has(self.minVersion) && has(self.maxVersion) ? 
+ {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion] + <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : !has(self.minVersion) && has(self.maxVersion) ? 3 <= + {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion] + : true + bootstrap: + description: >- + Bootstrap defines the Envoy Bootstrap as a YAML string. + + Visit + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap + + to learn more about the syntax. + + If set, this is the Bootstrap configuration used for the + managed Envoy Proxy fleet instead of the default Bootstrap + configuration + + set by Envoy Gateway. + + Some fields within the Bootstrap that are required to + communicate with the xDS Server (Envoy Gateway) and receive + xDS resources + + from it are not configurable and will result in the + `EnvoyProxy` resource being rejected. + + Backward compatibility across minor versions is not + guaranteed. + + We strongly recommend using `egctl x translate` to generate + a `EnvoyProxy` resource with the `Bootstrap` field set to + the default + + Bootstrap configuration used. You can edit this + configuration, and rerun `egctl x translate` to ensure there + are no validation errors. + properties: + jsonPatches: + description: >- + JSONPatches is an array of JSONPatches to be applied to + the default bootstrap. Patches are + + applied in the order in which they are defined. + items: + description: >- + JSONPatchOperation defines the JSON Patch Operation as + defined in + + https://datatracker.ietf.org/doc/html/rfc6902 + properties: + from: + description: >- + From is the source location of the value to be + copied or moved. Only valid + + for move or copy operations + + Refer to + https://datatracker.ietf.org/doc/html/rfc6901 for + more details. + type: string + jsonPath: + description: >- + JSONPath is a JSONPath expression. 
Refer to + https://datatracker.ietf.org/doc/rfc9535/ for more + details. + + It produces one or more JSONPointer expressions + based on the given JSON document. + + If no JSONPointer is found, it will result in an + error. + + If the 'Path' property is also set, it will be + appended to the resulting JSONPointer expressions + from the JSONPath evaluation. + + This is useful when creating a property that does + not yet exist in the JSON document. + + The final JSONPointer expressions specifies the + locations in the target document/field where the + operation will be applied. + type: string + op: + description: Op is the type of operation to perform + enum: + - add + - remove + - replace + - move + - copy + - test + type: string + path: + description: >- + Path is a JSONPointer expression. Refer to + https://datatracker.ietf.org/doc/html/rfc6901 for + more details. + + It specifies the location of the target + document/field where the operation will be + performed + type: string + value: + description: >- + Value is the new value of the path location. The + value is only used by + + the `add` and `replace` operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + type: object + type: array + type: + default: Replace + description: >- + Type is the type of the bootstrap configuration, it + should be either **Replace**, **Merge**, or + **JSONPatch**. + + If unspecified, it defaults to Replace. + enum: + - Merge + - Replace + - JSONPatch + type: string + value: + description: Value is a YAML string of the bootstrap. + type: string + type: object + x-kubernetes-validations: + - message: >- + provided bootstrap patch doesn't match the configured + patch type + rule: >- + self.type == 'JSONPatch' ? self.jsonPatches.size() > 0 : + has(self.value) + concurrency: + description: >- + Concurrency defines the number of worker threads to run. If + unset, it defaults to + + the number of cpuset threads on the platform. 
+ format: int32 + type: integer + extraArgs: + description: >- + ExtraArgs defines additional command line options that are + provided to Envoy. + + More info: + https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options + + Note: some command line options are used internally(e.g. + --log-level) so they cannot be provided here. + items: + type: string + type: array + filterOrder: + description: >- + FilterOrder defines the order of filters in the Envoy + proxy's HTTP filter chain. + + The FilterPosition in the list will be applied in the order + they are defined. + + If unspecified, the default filter order is applied. + + Default filter order is: + + + - envoy.filters.http.custom_response + + + - envoy.filters.http.health_check + + + - envoy.filters.http.fault + + + - envoy.filters.http.cors + + + - envoy.filters.http.header_mutation + + + - envoy.filters.http.ext_authz + + + - envoy.filters.http.api_key_auth + + + - envoy.filters.http.basic_auth + + + - envoy.filters.http.oauth2 + + + - envoy.filters.http.jwt_authn + + + - envoy.filters.http.stateful_session + + + - envoy.filters.http.buffer + + + - envoy.filters.http.lua + + + - envoy.filters.http.ext_proc + + + - envoy.filters.http.wasm + + + - envoy.filters.http.rbac + + + - envoy.filters.http.local_ratelimit + + + - envoy.filters.http.ratelimit + + + - envoy.filters.http.grpc_web + + + - envoy.filters.http.grpc_stats + + + - envoy.filters.http.credential_injector + + + - envoy.filters.http.compressor + + + - envoy.filters.http.dynamic_forward_proxy + + + - envoy.filters.http.router + + + Note: "envoy.filters.http.router" cannot be reordered, it's + always the last filter in the chain. + items: + description: >- + FilterPosition defines the position of an Envoy HTTP + filter in the filter chain. + properties: + after: + description: >- + After defines the filter that should come after the + filter. + + Only one of Before or After must be set. 
+ enum: + - envoy.filters.http.custom_response + - envoy.filters.http.health_check + - envoy.filters.http.fault + - envoy.filters.http.cors + - envoy.filters.http.header_mutation + - envoy.filters.http.ext_authz + - envoy.filters.http.api_key_auth + - envoy.filters.http.basic_auth + - envoy.filters.http.oauth2 + - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session + - envoy.filters.http.buffer + - envoy.filters.http.lua + - envoy.filters.http.ext_proc + - envoy.filters.http.wasm + - envoy.filters.http.rbac + - envoy.filters.http.local_ratelimit + - envoy.filters.http.ratelimit + - envoy.filters.http.grpc_web + - envoy.filters.http.grpc_stats + - envoy.filters.http.credential_injector + - envoy.filters.http.compressor + - envoy.filters.http.dynamic_forward_proxy + type: string + before: + description: >- + Before defines the filter that should come before the + filter. + + Only one of Before or After must be set. + enum: + - envoy.filters.http.custom_response + - envoy.filters.http.health_check + - envoy.filters.http.fault + - envoy.filters.http.cors + - envoy.filters.http.header_mutation + - envoy.filters.http.ext_authz + - envoy.filters.http.api_key_auth + - envoy.filters.http.basic_auth + - envoy.filters.http.oauth2 + - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session + - envoy.filters.http.buffer + - envoy.filters.http.lua + - envoy.filters.http.ext_proc + - envoy.filters.http.wasm + - envoy.filters.http.rbac + - envoy.filters.http.local_ratelimit + - envoy.filters.http.ratelimit + - envoy.filters.http.grpc_web + - envoy.filters.http.grpc_stats + - envoy.filters.http.credential_injector + - envoy.filters.http.compressor + - envoy.filters.http.dynamic_forward_proxy + type: string + name: + description: Name of the filter. 
+ enum: + - envoy.filters.http.custom_response + - envoy.filters.http.health_check + - envoy.filters.http.fault + - envoy.filters.http.cors + - envoy.filters.http.header_mutation + - envoy.filters.http.ext_authz + - envoy.filters.http.api_key_auth + - envoy.filters.http.basic_auth + - envoy.filters.http.oauth2 + - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session + - envoy.filters.http.buffer + - envoy.filters.http.lua + - envoy.filters.http.ext_proc + - envoy.filters.http.wasm + - envoy.filters.http.rbac + - envoy.filters.http.local_ratelimit + - envoy.filters.http.ratelimit + - envoy.filters.http.grpc_web + - envoy.filters.http.grpc_stats + - envoy.filters.http.credential_injector + - envoy.filters.http.compressor + - envoy.filters.http.dynamic_forward_proxy + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: one of before or after must be specified + rule: (has(self.before) || has(self.after)) + - message: only one of before or after can be specified + rule: >- + (has(self.before) && !has(self.after)) || + (!has(self.before) && has(self.after)) + type: array + ipFamily: + description: >- + IPFamily specifies the IP family for the EnvoyProxy fleet. + + This setting only affects the Gateway listener port and does + not impact + + other aspects of the Envoy proxy configuration. + + If not specified, the system will operate as follows: + + - It defaults to IPv4 only. + + - IPv6 and dual-stack environments are not supported in this + default configuration. + + Note: To enable IPv6 or dual-stack functionality, explicit + configuration is required. + enum: + - IPv4 + - IPv6 + - DualStack + type: string + logging: + default: + level: + default: warn + description: Logging defines logging parameters for managed proxies. + properties: + level: + additionalProperties: + description: >- + LogLevel defines a log level for Envoy Gateway and + EnvoyProxy system logs. 
+ enum: + - trace + - debug + - info + - warn + - error + type: string + default: + default: warn + description: >- + Level is a map of logging level per component, where the + component is the key + + and the log level is the value. If unspecified, defaults + to "default: warn". + type: object + type: object + luaValidation: + description: >- + LuaValidation determines strictness of the Lua script + validation for Lua EnvoyExtensionPolicies + + Default: Strict + enum: + - Strict + - InsecureSyntax + - Disabled + type: string + mergeGateways: + description: >- + MergeGateways defines if Gateway resources should be merged + onto the same Envoy Proxy Infrastructure. + + Setting this field to true would merge all Gateway Listeners + under the parent Gateway Class. + + This means that the port, protocol and hostname tuple must + be unique for every listener. + + If a duplicate listener is detected, the newer listener + (based on timestamp) will be rejected and its status will be + updated with a "Accepted=False" condition. + type: boolean + preserveRouteOrder: + description: >- + PreserveRouteOrder determines if the order of matching for + HTTPRoutes is determined by Gateway-API + + specification + (https://gateway-api.sigs.k8s.io/reference/1.4/spec/#httprouterule) + + or preserves the order defined by users in the HTTPRoute's + HTTPRouteRule list. + + Default: False + type: boolean + provider: + description: >- + Provider defines the desired resource provider and + provider-specific configuration. + + If unspecified, the "Kubernetes" resource provider is used + with default configuration + + parameters. + properties: + host: + description: >- + Host provides runtime deployment of the data plane as a + child process on the + + host environment. + + If unspecified and type is "Host", default settings for + the custom provider + + are applied. + properties: + envoyVersion: + description: >- + EnvoyVersion is the version of Envoy to use. 
If + unspecified, the version + + against which Envoy Gateway is built will be used. + type: string + type: object + kubernetes: + description: >- + Kubernetes defines the desired state of the Kubernetes + resource provider. + + Kubernetes provides infrastructure resources for running + the data plane, + + e.g. Envoy proxy. If unspecified and type is + "Kubernetes", default settings + + for managed Kubernetes resources are applied. + properties: + envoyDaemonSet: + description: >- + EnvoyDaemonSet defines the desired state of the + Envoy daemonset resource. + + Disabled by default, a deployment resource is used + instead to provision the Envoy Proxy fleet + properties: + container: + description: >- + Container defines the desired specification of + main container. + properties: + env: + description: >- + List of environment variables to set in the + container. + items: + description: >- + EnvVar represents an environment variable + present in a Container. + properties: + name: + description: >- + Name of the environment variable. + + May consist of any printable ASCII + characters except '='. + type: string + value: + description: >- + Variable references $(VAR_NAME) are + expanded + + using the previously defined environment + variables in the container and + + any service environment variables. If a + variable cannot be resolved, + + the reference in the input string will + be unchanged. Double $$ are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + + "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". + + Escaped references will never be + expanded, regardless of whether the + variable + + exists or not. + + Defaults to "". + type: string + valueFrom: + description: >- + Source for the environment variable's + value. Cannot be used if value is not + empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. 
+ type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: >- + Selects a field of the pod: supports + metadata.name, metadata.namespace, + `metadata.labels['']`, + `metadata.annotations['']`, + + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, + status.podIPs. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: >- + FileKeyRef selects a key of the env + file. + + Requires the EnvFiles feature gate to be + enabled. + properties: + key: + description: >- + The key within the env file. An invalid + key will prevent the pod from starting. + + The keys defined within a source may + consist of any printable ASCII + characters except '='. + + During Alpha stage of the EnvFiles + feature gate, the key size is limited to + 128 characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must + be defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the + specified key does not exist, + + the environment variable will not be set + in the Pod's containers. 
+ + + If optional is set to false and the + specified key does not exist, + + an error will be returned during Pod + creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the + '..' path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and + requests.ephemeral-storage) are + currently supported. + properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: >- + Selects a key of a secret in the pod's + namespace + properties: + key: + description: >- + The key of the secret to select from. + Must be a valid secret key. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: >- + Image specifies the EnvoyProxy container + image to be used including a tag, instead of + the default image. + + This field is mutually exclusive with + ImageRepository. + type: string + x-kubernetes-validations: + - message: >- + Image must include a tag and allowed + characters only (e.g., 'repo:tag'). + rule: >- + self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') + imageRepository: + description: >- + ImageRepository specifies the container + image repository to be used without + specifying a tag. + + The default tag will be used. + + This field is mutually exclusive with Image. + type: string + x-kubernetes-validations: + - message: >- + ImageRepository must contain only + allowed characters and must not include + a tag. + rule: >- + self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?[a-zA-Z0-9._/-]+$') + resources: + description: >- + Resources required by this container. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: >- + Claims lists the names of resources, + defined in spec.resourceClaims, + + that are used by this container. + + + This field depends on the + + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be + set for containers. + items: + description: >- + ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: >- + Name must match the name of one entry in + pod.spec.resourceClaims of + + the Pod where this field is used. 
It + makes that resource available + + inside a container. + type: string + request: + description: >- + Request is the name chosen for a request + in the referenced claim. + + If empty, everything from the claim is + made available, otherwise + + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: >- + SecurityContext defines the security options + the container should be run with. + + If set, the fields of SecurityContext + override the equivalent fields of + PodSecurityContext. + + More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + properties: + allowPrivilegeEscalation: + description: >- + AllowPrivilegeEscalation controls + whether a process can gain more + + privileges than its parent process. 
This + bool directly controls if + + the no_new_privs flag will be set on the + container process. + + AllowPrivilegeEscalation is true always + when the container is: + + 1) run as Privileged + + 2) has CAP_SYS_ADMIN + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by this container. If set, this + profile + + overrides the pod's appArmorProfile. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. + + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: >- + The capabilities to add/drop when + running containers. + + Defaults to the default set of + capabilities granted by the container + runtime. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: >- + Run container in privileged mode. + + Processes in privileged containers are + essentially equivalent to root on the + host. + + Defaults to false. 
+ + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + procMount: + description: >- + procMount denotes the type of proc mount + to use for the containers. + + The default value is Default which uses + the container runtime defaults for + + readonly paths and masked paths. + + This requires the ProcMountType feature + flag to be enabled. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: >- + Whether this container has a read-only + root filesystem. + + Default is false. + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. 
+ format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to the + container. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + PodSecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by this + container. If seccomp options are + + provided at both the pod & container + level, the container options + + override the pod options. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. 
+ type: string + required: + - type + type: object + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options from the + PodSecurityContext will be used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. + + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + volumeMounts: + description: >- + VolumeMounts are volumes to mount into the + container's filesystem. + + Cannot be updated. + items: + description: >- + VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: >- + Path within the container at which the + volume should be mounted. Must + + not contain ':'. 
+ type: string + mountPropagation: + description: >- + mountPropagation determines how mounts + are propagated from the host + + to container and the other way around. + + When not set, MountPropagationNone is + used. + + This field is beta in 1.10. + + When RecursiveReadOnly is set to + IfPossible or to Enabled, + MountPropagation must be None or + unspecified + + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: >- + Mounted read-only if true, read-write + otherwise (false or unspecified). + + Defaults to false. + type: boolean + recursiveReadOnly: + description: >- + RecursiveReadOnly specifies whether + read-only mounts should be handled + + recursively. + + + If ReadOnly is false, this field has no + meaning and must be unspecified. + + + If ReadOnly is true, and this field is + set to Disabled, the mount is not made + + recursively read-only. If this field is + set to IfPossible, the mount is made + + recursively read-only, if it is + supported by the container runtime. If + this + + field is set to Enabled, the mount is + made recursively read-only if it is + + supported by the container runtime, + otherwise the pod will not be started + and + + an error will be generated to indicate + the reason. + + + If this field is set to IfPossible or + Enabled, MountPropagation must be set to + + None (or be unspecified, which defaults + to None). + + + If this field is not specified, it is + treated as an equivalent of Disabled. + type: string + subPath: + description: >- + Path within the volume from which the + container's volume should be mounted. + + Defaults to "" (volume's root). + type: string + subPathExpr: + description: >- + Expanded path within the volume from + which the container's volume should be + mounted. + + Behaves similarly to SubPath but + environment variable references + $(VAR_NAME) are expanded using the + container's environment. 
+ + Defaults to "" (volume's root). + + SubPathExpr and SubPath are mutually + exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + type: object + x-kubernetes-validations: + - message: Either image or imageRepository can be set. + rule: >- + !has(self.image) || + !has(self.imageRepository) + name: + description: >- + Name of the daemonSet. + + When unset, this defaults to an autogenerated + name. + type: string + patch: + description: >- + Patch defines how to perform the patch operation + to daemonset + properties: + type: + description: >- + Type is the type of merge operation to + perform + + + By default, StrategicMerge is used as the + patch type. + type: string + value: + description: >- + Object contains the raw configuration for + merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object + pod: + description: Pod defines the desired specification of pod. + properties: + affinity: + description: >- + If specified, the pod's scheduling + constraints. + properties: + nodeAffinity: + description: >- + Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + + node(s) with the highest sum are the + most preferred. 
+ items: + description: >- + An empty preferred scheduling term + matches all objects with implicit weight + 0 + + (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: >- + A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. 
+ type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: >- + Weight associated with matching the + corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to an update), the system + + may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: >- + Required. A list of node selector terms. + The terms are ORed. + items: + description: >- + A null or empty node selector term + matches no objects. The requirements of + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. 
+ type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: >- + Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. 
+ items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. 
Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: >- + Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in + the same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. 
+ + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. 
+ + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the anti-affinity requirements + specified by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. 
+ items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. 
+ properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + annotations: + additionalProperties: + type: string + description: >- + Annotations are the annotations that should + be appended to the pods. + + By default, no pod annotations are appended. + type: object + imagePullSecrets: + description: >- + ImagePullSecrets is an optional list of + references to secrets + + in the same namespace to use for pulling any + of the images used by this PodSpec. + + If specified, these secrets will be passed + to individual puller implementations for + them to use. + + More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + items: + description: >- + LocalObjectReference contains enough + information to let you locate the + + referenced object inside the same + namespace. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + labels: + additionalProperties: + type: string + description: >- + Labels are the additional labels that should + be tagged to the pods. 
+ + By default, no additional pod labels are + tagged. + type: object + nodeSelector: + additionalProperties: + type: string + description: >- + NodeSelector is a selector which must be + true for the pod to fit on a node. + + Selector which must match a node's labels + for the pod to be scheduled on that node. + + More info: + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + priorityClassName: + description: >- + PriorityClassName indicates the importance + of a Pod relative to other Pods. + + If a PriorityClassName is not specified, the + pod priority will be default or zero if + there is no default. + + More info: + https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ + type: string + securityContext: + description: >- + SecurityContext holds pod-level security + attributes and common container settings. + + Optional: Defaults to empty. See type + description for default values of each + field. + properties: + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by the containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. + + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. 
+ + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxChangePolicy: + description: >- + seLinuxChangePolicy defines how the + container's SELinux label is applied to + all volumes used by the Pod. + + It has no effect on nodes that do not + support SELinux or to volumes does not + support SELinux. + + Valid values are "MountOption" and + "Recursive". + + + "Recursive" means relabeling of all + files on all Pod volumes by the + container runtime. + + This may be slow for large volumes, but + allows mixing privileged and + unprivileged Pods sharing the same + volume on the same node. + + + "MountOption" mounts all eligible Pod + volumes with `-o context` mount option. + + This requires all Pods that share the + same volume to use the same SELinux + label. + + It is not possible to share the same + volume among privileged and unprivileged + Pods. + + Eligible volumes are in-tree + FibreChannel and iSCSI volumes, and all + CSI volumes + + whose CSI driver announces SELinux + support by setting spec.seLinuxMount: + true in their + + CSIDriver instance. Other volumes are + always re-labelled recursively. + + "MountOption" value is allowed only when + SELinuxMount feature gate is enabled. + + + If not specified and SELinuxMount + feature gate is enabled, "MountOption" + is used. + + If not specified and SELinuxMount + feature gate is disabled, "MountOption" + is used for ReadWriteOncePod volumes + + and "Recursive" for all other volumes. 
+ + + This field affects only Pods that have + SELinux label set, either in + PodSecurityContext or in SecurityContext + of all containers. + + + All Pods that use the same volume should + use the same seLinuxChangePolicy, + otherwise some pods can get stuck in + ContainerCreating state. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. 
+ + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + + addition to the container's primary GID + and fsGroup (if specified). If + + the SupplementalGroupsPolicy feature is + enabled, the + + supplementalGroupsPolicy field + determines whether these are in addition + + to or instead of any group memberships + defined in the container image. + + If unspecified, no additional groups are + added, though group memberships + + defined in the container image may still + be used, depending on the + + supplementalGroupsPolicy field. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: >- + Defines how supplemental groups of the + first container processes are + calculated. + + Valid values are "Merge" and "Strict". + If not specified, "Merge" is used. + + (Alpha) Using the field requires the + SupplementalGroupsPolicy feature gate to + be enabled + + and the container runtime must implement + support for this feature. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. 
+ items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options within a + container's SecurityContext will be + used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. + + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: >- + The pod this Toleration is attached to + tolerates any taint that matches + + the triple using the + matching operator . + properties: + effect: + description: >- + Effect indicates the taint effect to + match. Empty means match all taint + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: >- + Key is the taint key that the toleration + applies to. Empty means match all taint + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. + type: string + operator: + description: >- + Operator represents a key's relationship + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: >- + TolerationSeconds represents the period + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. + By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. + format: int64 + type: integer + value: + description: >- + Value is the taint value the toleration + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: >- + TopologySpreadConstraints describes how a + group of pods ought to spread across + topology + + domains. Scheduler will schedule pods in a + way which abides by the constraints. + + All topologySpreadConstraints are ANDed. 
+ items: + description: >- + TopologySpreadConstraint specifies how to + spread matching pods among the given + topology. + properties: + labelSelector: + description: >- + LabelSelector is used to find matching + pods. + + Pods that match this label selector are + counted to determine the number of pods + + in their corresponding topology domain. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select the pods over which + + spreading will be calculated. 
The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are ANDed with labelSelector + + to select the group of existing pods + over which spreading will be calculated + + for the incoming pod. The same key is + forbidden to exist in both + MatchLabelKeys and LabelSelector. + + MatchLabelKeys cannot be set when + LabelSelector isn't set. + + Keys that don't exist in the incoming + pod labels will + + be ignored. A null or empty list means + only match against labelSelector. + + + This is a beta field and requires the + MatchLabelKeysInPodTopologySpread + feature gate to be enabled (enabled by + default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: >- + MaxSkew describes the degree to which + pods may be unevenly distributed. + + When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference + + between the number of matching pods in + the target topology and the global + minimum. + + The global minimum is the minimum number + of matching pods in an eligible domain + + or zero if the number of eligible + domains is less than MinDomains. + + For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the + same + + labelSelector spread as 2/2/1: + + In this case, the global minimum is 1. + + | zone1 | zone2 | zone3 | + + | P P | P P | P | + + - if MaxSkew is 1, incoming pod can only + be scheduled to zone3 to become 2/2/2; + + scheduling it onto zone1(zone2) would + make the ActualSkew(3-1) on zone1(zone2) + + violate MaxSkew(1). + + - if MaxSkew is 2, incoming pod can be + scheduled onto any zone. + + When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence + + to topologies that satisfy it. + + It's a required field. Default value is + 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: >- + MinDomains indicates a minimum number of + eligible domains. 
+ + When the number of eligible domains with + matching topology keys is less than + minDomains, + + Pod Topology Spread treats "global + minimum" as 0, and then the calculation + of Skew is performed. + + And when the number of eligible domains + with matching topology keys equals or + greater than minDomains, + + this value has no effect on scheduling. + + As a result, when the number of eligible + domains is less than minDomains, + + scheduler won't schedule more than + maxSkew Pods to those domains. + + If value is nil, the constraint behaves + as if MinDomains is equal to 1. + + Valid values are integers greater than + 0. + + When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. + + + For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set + to 5 and pods with the same + + labelSelector spread as 2/2/2: + + | zone1 | zone2 | zone3 | + + | P P | P P | P P | + + The number of domains is less than + 5(MinDomains), so "global minimum" is + treated as 0. + + In this situation, new pod with the same + labelSelector cannot be scheduled, + + because computed skew will be 3(3 - 0) + if new Pod is scheduled to any of the + three zones, + + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: >- + NodeAffinityPolicy indicates how we will + treat Pod's nodeAffinity/nodeSelector + + when calculating pod topology spread + skew. Options are: + + - Honor: only nodes matching + nodeAffinity/nodeSelector are included + in the calculations. + + - Ignore: nodeAffinity/nodeSelector are + ignored. All nodes are included in the + calculations. + + + If this value is nil, the behavior is + equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: >- + NodeTaintsPolicy indicates how we will + treat node taints when calculating + + pod topology spread skew. 
Options are: + + - Honor: nodes without taints, along + with tainted nodes for which the + incoming pod + + has a toleration, are included. + + - Ignore: node taints are ignored. All + nodes are included. + + + If this value is nil, the behavior is + equivalent to the Ignore policy. + type: string + topologyKey: + description: >- + TopologyKey is the key of node labels. + Nodes that have a label with this key + + and identical values are considered to + be in the same topology. + + We consider each as a + "bucket", and try to put balanced number + + of pods into each bucket. + + We define a domain as a particular + instance of a topology. + + Also, we define an eligible domain as a + domain whose nodes meet the requirements + of + + nodeAffinityPolicy and nodeTaintsPolicy. + + e.g. If TopologyKey is + "kubernetes.io/hostname", each Node is a + domain of that topology. + + And, if TopologyKey is + "topology.kubernetes.io/zone", each zone + is a domain of that topology. + + It's a required field. + type: string + whenUnsatisfiable: + description: >- + WhenUnsatisfiable indicates how to deal + with a pod if it doesn't satisfy + + the spread constraint. + + - DoNotSchedule (default) tells the + scheduler not to schedule it. + + - ScheduleAnyway tells the scheduler to + schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered + "Unsatisfiable" for an incoming pod + + if and only if every possible node + assignment for that pod would violate + + "MaxSkew" on some topology. + + For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the + same + + labelSelector spread as 3/1/1: + + | zone1 | zone2 | zone3 | + + | P P P | P | P | + + If WhenUnsatisfiable is set to + DoNotSchedule, incoming pod can only be + scheduled + + to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) + satisfies + + MaxSkew(1). 
In other words, the cluster + can still be imbalanced, but scheduler + + won't make it *more* imbalanced. + + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumes: + description: >- + Volumes that can be mounted by containers + belonging to the pod. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes + items: + description: >- + Volume represents a named volume in a pod + that may be accessed by any container in + the pod. + properties: + awsElasticBlockStore: + description: >- + awsElasticBlockStore represents an AWS + Disk resource that is attached to a + + kubelet's host machine and then exposed + to the pod. + + Deprecated: AWSElasticBlockStore is + deprecated. All operations for the + in-tree + + awsElasticBlockStore type are redirected + to the ebs.csi.aws.com CSI driver. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: >- + partition is the partition in the volume + that you want to mount. + + If omitted, the default is to mount by + volume name. + + Examples: For volume /dev/sda1, you + specify the partition as "1". + + Similarly, the volume partition for + /dev/sda is "0" (or you can leave the + property empty). + format: int32 + type: integer + readOnly: + description: >- + readOnly value true will force the + readOnly setting in VolumeMounts. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: >- + volumeID is unique ID of the persistent + disk resource in AWS (Amazon EBS + volume). + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: >- + azureDisk represents an Azure Data Disk + mount on the host and bind mount to the + pod. + + Deprecated: AzureDisk is deprecated. All + operations for the in-tree azureDisk + type + + are redirected to the disk.csi.azure.com + CSI driver. + properties: + cachingMode: + description: >- + cachingMode is the Host Caching mode: + None, Read Only, Read Write. + type: string + diskName: + description: >- + diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: >- + diskURI is the URI of data disk in the + blob storage + type: string + fsType: + default: ext4 + description: >- + fsType is Filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + kind: + description: >- + kind expected values are Shared: + multiple blob disks per storage account + Dedicated: single blob disk per storage + account Managed: azure managed data + disk (only in managed availability set). + defaults to shared + type: string + readOnly: + default: false + description: >- + readOnly Defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: >- + azureFile represents an Azure File + Service mount on the host and bind mount + to the pod. + + Deprecated: AzureFile is deprecated. All + operations for the in-tree azureFile + type + + are redirected to the file.csi.azure.com + CSI driver. 
+ properties: + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: >- + secretName is the name of secret that + contains Azure Storage Account Name and + Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: >- + cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime. + + Deprecated: CephFS is deprecated and the + in-tree cephfs type is no longer + supported. + properties: + monitors: + description: >- + monitors is Required: Monitors is a + collection of Ceph monitors + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: >- + path is Optional: Used as the mounted + root, rather than the full Ceph tree, + default is / + type: string + readOnly: + description: >- + readOnly is Optional: Defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: >- + secretFile is Optional: SecretFile is + the path to key ring for User, default + is /etc/ceph/user.secret + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: >- + secretRef is Optional: SecretRef is + reference to the authentication secret + for User, default is empty. + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. 
Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: >- + user is optional: User is the rados user + name, default is admin + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: >- + cinder represents a cinder volume + attached and mounted on kubelets host + machine. + + Deprecated: Cinder is deprecated. All + operations for the in-tree cinder type + + are redirected to the + cinder.csi.openstack.org CSI driver. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: >- + secretRef is optional: points to a + secret object containing parameters used + to connect + + to OpenStack. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: >- + volumeID used to identify the volume in + cinder. 
+ + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: >- + configMap represents a configMap that + should populate this volume + properties: + defaultMode: + description: >- + defaultMode is optional: mode bits used + to set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + ConfigMap will be projected into the + volume as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the ConfigMap, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. 
+ + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: >- + csi (Container Storage Interface) + represents ephemeral storage that is + handled by certain external CSI drivers. + properties: + driver: + description: >- + driver is the name of the CSI driver + that handles this volume. + + Consult with your admin for the correct + name as registered in the cluster. + type: string + fsType: + description: >- + fsType to mount. Ex. "ext4", "xfs", + "ntfs". + + If not provided, the empty value is + passed to the associated CSI driver + + which will determine the default + filesystem to apply. + type: string + nodePublishSecretRef: + description: >- + nodePublishSecretRef is a reference to + the secret object containing + + sensitive information to pass to the CSI + driver to complete the CSI + + NodePublishVolume and + NodeUnpublishVolume calls. + + This field is optional, and may be + empty if no secret is required. If the + + secret object contains more than one + secret, all secret references are + passed. 
+ properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: >- + readOnly specifies a read-only + configuration for the volume. + + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: >- + volumeAttributes stores driver-specific + properties that are passed to the CSI + + driver. Consult your driver's + documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: >- + downwardAPI represents downward API + about the pod that should populate this + volume + properties: + defaultMode: + description: >- + Optional: mode bits to use on created + files by default. Must be a + + Optional: mode bits used to set + permissions on created files by default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + Items is a list of downward API volume + file + items: + description: >- + DownwardAPIVolumeFile represents + information to create the file + containing the pod field + properties: + fieldRef: + description: >- + Required: Selects a field of the pod: + only annotations, labels, name, + namespace and uid are supported. 
+ properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: >- + Optional: mode bits used to set + permissions on this file, must be an + octal value + + between 0000 and 0777 or a decimal value + between 0 and 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + Required: Path is the relative path + name of the file to be created. Must not + be absolute or contain the '..' path. + Must be utf-8 encoded. The first item of + the relative path must not start with + '..' + type: string + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently + supported. 
+ properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: >- + emptyDir represents a temporary + directory that shares a pod's lifetime. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: >- + medium represents what type of storage + medium should back this directory. + + The default is "" which means to use the + node's default medium. + + Must be an empty string (default) or + Memory. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: >- + sizeLimit is the total amount of local + storage required for this EmptyDir + volume. + + The size limit is also applicable for + memory medium. + + The maximum usage on memory medium + EmptyDir would be the minimum value + between + + the SizeLimit specified here and the sum + of memory limits of all containers in a + pod. + + The default is nil which means that the + limit is undefined. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: >- + ephemeral represents a volume that is + handled by a cluster storage driver. + + The volume's lifecycle is tied to the + pod that defines it - it will be created + before the pod starts, + + and deleted when the pod is removed. + + + Use this if: + + a) the volume is only needed while the + pod runs, + + b) features of normal volumes like + restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified + through a storage class, and + + d) the storage driver supports dynamic + volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the + vendor-specific + + APIs for volumes that persist for longer + than the lifecycle + + of an individual pod. + + + Use CSI for light-weight local ephemeral + volumes if the CSI driver is meant to + + be used that way - see the documentation + of the driver for + + more information. + + + A pod can use both types of ephemeral + volumes and + + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: >- + Will be used to create a stand-alone PVC + to provision the volume. + + The pod in which this + EphemeralVolumeSource is embedded will + be the + + owner of the PVC, i.e. the PVC will be + deleted together with the + + pod. The name of the PVC will be `-` where + + `` is the name from the + `PodSpec.Volumes` array + + entry. Pod validation will reject the + pod if the concatenated name + + is not valid for a PVC (for example, too + long). 
+ + + An existing PVC with that name that is + not owned by the pod + + will *not* be used for the pod to avoid + using an unrelated + + volume by mistake. Starting the pod is + then blocked until + + the unrelated PVC is removed. If such a + pre-created PVC is + + meant to be used by the pod, the PVC has + to updated with an + + owner reference to the pod once the pod + exists. Normally + + this should not be necessary, but it may + be useful when + + manually reconstructing a broken + cluster. + + + This field is read-only and no changes + will be made by Kubernetes + + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: >- + May contain labels and annotations that + will be copied into the PVC + + when creating it. No other fields are + allowed and will be rejected during + + validation. + type: object + spec: + description: >- + The specification for the + PersistentVolumeClaim. The entire + content is + + copied unchanged into the PVC that gets + created from this + + template. The same fields as in a + PersistentVolumeClaim + + are also valid here. + properties: + accessModes: + description: >- + accessModes contains the desired access + modes the volume should have. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: >- + dataSource field can be used to specify + either: + + * An existing VolumeSnapshot object + (snapshot.storage.k8s.io/VolumeSnapshot) + + * An existing PVC + (PersistentVolumeClaim) + + If the provisioner or an external + controller can support the specified + data source, + + it will create a new volume based on the + contents of the specified data source. 
+ + When the AnyVolumeDataSource feature + gate is enabled, dataSource contents + will be copied to dataSourceRef, + + and dataSourceRef contents will be + copied to dataSource when + dataSourceRef.namespace is not + specified. + + If the namespace is specified, then + dataSourceRef will not be copied to + dataSource. + properties: + apiGroup: + description: >- + APIGroup is the group for the resource + being referenced. + + If APIGroup is not specified, the + specified Kind must be in the core API + group. + + For any other third-party types, + APIGroup is required. + type: string + kind: + description: >- + Kind is the type of resource being + referenced + type: string + name: + description: >- + Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: >- + dataSourceRef specifies the object from + which to populate the volume with data, + if a non-empty + + volume is desired. This may be any + object from a non-empty API group (non + + core object) or a PersistentVolumeClaim + object. + + When this field is specified, volume + binding will only succeed if the type of + + the specified object matches some + installed volume populator or dynamic + + provisioner. + + This field will replace the + functionality of the dataSource field + and as such + + if both fields are non-empty, they must + have the same value. For backwards + + compatibility, when namespace isn't + specified in dataSourceRef, + + both fields (dataSource and + dataSourceRef) will be set to the same + + value automatically if one of them is + empty and the other is non-empty. + + When namespace is specified in + dataSourceRef, + + dataSource isn't set to the same value + and must be empty. 
+ + There are three important differences + between dataSource and dataSourceRef: + + * While dataSource only allows two + specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed + values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local + objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the + AnyVolumeDataSource feature gate to be + enabled. + + (Alpha) Using the namespace field of + dataSourceRef requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled. + properties: + apiGroup: + description: >- + APIGroup is the group for the resource + being referenced. + + If APIGroup is not specified, the + specified Kind must be in the core API + group. + + For any other third-party types, + APIGroup is required. + type: string + kind: + description: >- + Kind is the type of resource being + referenced + type: string + name: + description: >- + Name is the name of resource being + referenced + type: string + namespace: + description: >- + Namespace is the namespace of resource + being referenced + + Note that when a namespace is specified, + a + gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. See the + ReferenceGrant documentation for + details. + + (Alpha) This field requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: >- + resources represents the minimum + resources the volume should have. + + Users are allowed to specify resource + requirements + + that are lower than previous value but + must still be higher than capacity + recorded in the + + status field of the claim. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: >- + selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: >- + storageClassName is the name of the + StorageClass required by the claim. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: >- + volumeAttributesClassName may be used to + set the VolumeAttributesClass used by + this claim. + + If specified, the CSI driver will create + or update the volume with the attributes + defined + + in the corresponding + VolumeAttributesClass. This has a + different purpose than storageClassName, + + it can be changed after the claim is + created. An empty string or nil value + indicates that no + + VolumeAttributesClass will be applied to + the claim. If the claim enters an + Infeasible error state, + + this field can be reset to its previous + value (including nil) to cancel the + modification. + + If the resource referred to by + volumeAttributesClass does not exist, + this PersistentVolumeClaim will be + + set to a Pending state, as reflected by + the modifyVolumeStatus field, until such + as a resource + + exists. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + type: string + volumeMode: + description: >- + volumeMode defines what type of volume + is required by the claim. + + Value of Filesystem is implied when not + included in claim spec. + type: string + volumeName: + description: >- + volumeName is the binding reference to + the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: >- + fc represents a Fibre Channel resource + that is attached to a kubelet's host + machine and then exposed to the pod. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: >- + readOnly is Optional: Defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: >- + targetWWNs is Optional: FC target + worldwide names (WWNs) + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: >- + wwids Optional: FC volume world wide + identifiers (wwids) + + Either wwids or combination of + targetWWNs and lun must be set, but not + both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: >- + flexVolume represents a generic volume + resource that is + + provisioned/attached using an exec based + plugin. + + Deprecated: FlexVolume is deprecated. + Consider using a CSIDriver instead. + properties: + driver: + description: >- + driver is the name of the driver to use + for this volume. + type: string + fsType: + description: >- + fsType is the filesystem type to mount. 
+ + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". The default + filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: >- + options is Optional: this field holds + extra command options if any. + type: object + readOnly: + description: >- + readOnly is Optional: defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef is Optional: secretRef is + reference to the secret object + containing + + sensitive information to pass to the + plugin scripts. This may be + + empty if no secret object is specified. + If the secret object + + contains more than one secret, all + secrets are passed to the plugin + + scripts. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: >- + flocker represents a Flocker volume + attached to a kubelet's host machine. + This depends on the Flocker control + service being running. + + Deprecated: Flocker is deprecated and + the in-tree flocker type is no longer + supported. + properties: + datasetName: + description: >- + datasetName is Name of the dataset + stored as metadata -> name on the + dataset for Flocker + + should be considered as deprecated + type: string + datasetUUID: + description: >- + datasetUUID is the UUID of the dataset. 
+ This is unique identifier of a Flocker + dataset + type: string + type: object + gcePersistentDisk: + description: >- + gcePersistentDisk represents a GCE Disk + resource that is attached to a + + kubelet's host machine and then exposed + to the pod. + + Deprecated: GCEPersistentDisk is + deprecated. All operations for the + in-tree + + gcePersistentDisk type are redirected to + the pd.csi.storage.gke.io CSI driver. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: >- + fsType is filesystem type of the volume + that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: >- + partition is the partition in the volume + that you want to mount. + + If omitted, the default is to mount by + volume name. + + Examples: For volume /dev/sda1, you + specify the partition as "1". + + Similarly, the volume partition for + /dev/sda is "0" (or you can leave the + property empty). + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: >- + pdName is unique name of the PD resource + in GCE. Used to identify the disk in + GCE. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: >- + gitRepo represents a git repository at a + particular revision. + + Deprecated: GitRepo is deprecated. 
To + provision a container with a git repo, + mount an + + EmptyDir into an InitContainer that + clones the repo using git, then mount + the EmptyDir + + into the Pod's container. + properties: + directory: + description: >- + directory is the target directory name. + + Must not contain or start with '..'. If + '.' is supplied, the volume directory + will be the + + git repository. Otherwise, if + specified, the volume will contain the + git repository in + + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: >- + revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: >- + glusterfs represents a Glusterfs mount + on the host that shares a pod's + lifetime. + + Deprecated: Glusterfs is deprecated and + the in-tree glusterfs type is no longer + supported. + properties: + endpoints: + description: >- + endpoints is the endpoint name that + details Glusterfs topology. + type: string + path: + description: >- + path is the Glusterfs volume path. + + More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: >- + readOnly here will force the Glusterfs + volume to be mounted with read-only + permissions. + + Defaults to false. + + More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: >- + hostPath represents a pre-existing file + or directory on the host + + machine that is directly exposed to the + container. This is generally + + used for system agents or other + privileged things that are allowed + + to see the host machine. Most containers + will NOT need this. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: >- + path of the directory on the host. 
+ + If the path is a symlink, it will follow + the link to the real path. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: >- + type for HostPath Volume + + Defaults to "" + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: >- + image represents an OCI object (a + container image or artifact) pulled and + mounted on the kubelet's host machine. + + The volume is resolved at pod startup + depending on which PullPolicy value is + provided: + + + - Always: the kubelet always attempts to + pull the reference. Container creation + will fail If the pull fails. + + - Never: the kubelet never pulls the + reference and only uses a local image or + artifact. Container creation will fail + if the reference isn't present. + + - IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull + fails. + + + The volume gets re-resolved if the pod + gets deleted and recreated, which means + that new remote content will become + available on pod recreation. + + A failure to resolve or pull the image + during pod startup will block containers + from starting and may add significant + latency. Failures will be retried using + normal volume backoff and will be + reported on the pod reason and message. + + The types of objects that may be mounted + by this volume are defined by the + container runtime implementation on a + host machine and at minimum must include + all valid types supported by the + container image field. + + The OCI object gets mounted in a single + directory + (spec.containers[*].volumeMounts.mountPath) + by merging the manifest layers in the + same way as for container images. + + The volume will be mounted read-only + (ro) and non-executable files (noexec). 
+ + Sub path mounts for containers are not + supported + (spec.containers[*].volumeMounts.subpath) + before 1.33. + + The field + spec.securityContext.fsGroupChangePolicy + has no effect on this volume type. + properties: + pullPolicy: + description: >- + Policy for pulling OCI objects. Possible + values are: + + Always: the kubelet always attempts to + pull the reference. Container creation + will fail If the pull fails. + + Never: the kubelet never pulls the + reference and only uses a local image or + artifact. Container creation will fail + if the reference isn't present. + + IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull + fails. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. + type: string + reference: + description: >- + Required: Image or artifact reference to + be used. + + Behaves in the same way as + pod.spec.containers[*].image. + + Pull secrets will be assembled in the + same way as for the container image by + looking up node credentials, SA image + pull secrets, and pod spec image pull + secrets. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher + level config management to default or + override + + container images in workload controllers + like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: >- + iscsi represents an ISCSI Disk resource + that is attached to a + + kubelet's host machine and then exposed + to the pod. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes/#iscsi + properties: + chapAuthDiscovery: + description: >- + chapAuthDiscovery defines whether + support iSCSI Discovery CHAP + authentication + type: boolean + chapAuthSession: + description: >- + chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: >- + initiatorName is the custom iSCSI + Initiator Name. + + If initiatorName is specified with + iscsiInterface simultaneously, new iSCSI + interface + + : will be + created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: >- + iscsiInterface is the interface Name + that uses an iSCSI transport. + + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: >- + portals is the iSCSI Target Portal List. + The portal is either an IP or + ip_addr:port if the port + + is other than default (typically TCP + ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + type: boolean + secretRef: + description: >- + secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: '' + description: >- + Name of the referent. 
+ + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: >- + targetPortal is iSCSI Target Portal. The + Portal is either an IP or ip_addr:port + if the port + + is other than default (typically TCP + ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: >- + name of the volume. + + Must be a DNS_LABEL and unique within + the pod. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: >- + nfs represents an NFS mount on the host + that shares a pod's lifetime + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: >- + path that is exported by the NFS server. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: >- + readOnly here will force the NFS export + to be mounted with read-only + permissions. + + Defaults to false. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: >- + server is the hostname or IP address of + the NFS server. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: >- + persistentVolumeClaimVolumeSource + represents a reference to a + + PersistentVolumeClaim in the same + namespace. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: >- + claimName is the name of a + PersistentVolumeClaim in the same + namespace as the pod using this volume. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: >- + readOnly Will force the ReadOnly setting + in VolumeMounts. + + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: >- + photonPersistentDisk represents a + PhotonController persistent disk + attached and mounted on kubelets host + machine. + + Deprecated: PhotonPersistentDisk is + deprecated and the in-tree + photonPersistentDisk type is no longer + supported. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + pdID: + description: >- + pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: >- + portworxVolume represents a portworx + volume attached and mounted on kubelets + host machine. + + Deprecated: PortworxVolume is + deprecated. All operations for the + in-tree portworxVolume type + + are redirected to the pxd.portworx.com + CSI driver when the CSIMigrationPortworx + feature-gate + + is on. + properties: + fsType: + description: >- + fSType represents the filesystem type to + mount + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs". Implicitly inferred + to be "ext4" if unspecified. + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. 
+ type: boolean + volumeID: + description: >- + volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: >- + projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: >- + defaultMode are the mode bits used to + set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + sources: + description: >- + sources is the list of volume + projections. Each entry in this list + + handles one source. + items: + description: >- + Projection that may be projected along + with other supported volume types. + + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: >- + ClusterTrustBundle allows a pod to + access the `.spec.trustBundle` field + + of ClusterTrustBundle objects in an + auto-updating file. + + + Alpha, gated by the + ClusterTrustBundleProjection feature + gate. + + + ClusterTrustBundle objects can either be + selected by name, or by the + + combination of signer name and a label + selector. + + + Kubelet performs aggressive + normalization of the PEM contents + written + + into the pod filesystem. Esoteric PEM + features such as inter-block + + comments and block headers are + stripped. Certificates are + deduplicated. + + The ordering of certificates within the + file is arbitrary, and Kubelet + + may change the order over time. + properties: + labelSelector: + description: >- + Select all ClusterTrustBundles that + match this label selector. 
Only has + + effect if signerName is set. + Mutually-exclusive with name. If unset, + + interpreted as "match nothing". If set + but empty, interpreted as "match + + everything". + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: >- + Select a single ClusterTrustBundle by + object name. Mutually-exclusive + + with signerName and labelSelector. + type: string + optional: + description: >- + If true, don't block pod startup if the + referenced ClusterTrustBundle(s) + + aren't available. If using name, then + the named ClusterTrustBundle is + + allowed not to exist. 
If using + signerName, then the combination of + + signerName and labelSelector is allowed + to match zero + + ClusterTrustBundles. + type: boolean + path: + description: >- + Relative path from the volume root to + write the bundle. + type: string + signerName: + description: >- + Select all ClusterTrustBundles that + match this signer name. + + Mutually-exclusive with name. The + contents of all selected + + ClusterTrustBundles will be unified and + deduplicated. + type: string + required: + - path + type: object + configMap: + description: >- + configMap information about the + configMap data to project + properties: + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + ConfigMap will be projected into the + volume as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the ConfigMap, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. 
+ + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: >- + downwardAPI information about the + downwardAPI data to project + properties: + items: + description: >- + Items is a list of DownwardAPIVolume + file + items: + description: >- + DownwardAPIVolumeFile represents + information to create the file + containing the pod field + properties: + fieldRef: + description: >- + Required: Selects a field of the pod: + only annotations, labels, name, + namespace and uid are supported. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: >- + Optional: mode bits used to set + permissions on this file, must be an + octal value + + between 0000 and 0777 or a decimal value + between 0 and 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + path: + description: >- + Required: Path is the relative path + name of the file to be created. Must not + be absolute or contain the '..' path. + Must be utf-8 encoded. The first item of + the relative path must not start with + '..' + type: string + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently + supported. + properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: >- + Projects an auto-rotating credential + bundle (private key and certificate + + chain) that the pod can use either as a + TLS client or server. + + + Kubelet generates a private key and uses + it to send a + + PodCertificateRequest to the named + signer. Once the signer approves the + + request and issues a certificate chain, + Kubelet writes the key and + + certificate chain to the pod + filesystem. The pod does not start + until + + certificates have been issued for each + podCertificate projected volume + + source in its spec. + + + Kubelet will begin trying to rotate the + certificate at the time indicated + + by the signer using the + PodCertificateRequest.Status.BeginRefreshAt + + timestamp. 
+ + + Kubelet can write a single file, + indicated by the credentialBundlePath + + field, or separate files, indicated by + the keyPath and + + certificateChainPath fields. + + + The credential bundle is a single file + in PEM format. The first PEM + + entry is the private key (in PKCS#8 + format), and the remaining PEM + + entries are the certificate chain issued + by the signer (typically, + + signers will return their certificate + chain in leaf-to-root order). + + + Prefer using the credential bundle + format, since your application code + + can read it atomically. If you use + keyPath and certificateChainPath, + + your application must make two separate + file reads. If these coincide + + with a certificate rotation, it is + possible that the private key and leaf + + certificate you read may not correspond + to each other. Your application + + will need to check for this condition, + and re-read until they are + + consistent. + + + The named signer controls chooses the + format of the certificate it + + issues; consult the signer + implementation's documentation to learn + how to + + use the certificates it issues. + properties: + certificateChainPath: + description: >- + Write the certificate chain at this path + in the projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + credentialBundlePath: + description: >- + Write the credential bundle at this path + in the projected volume. + + + The credential bundle is a single file + that contains multiple PEM blocks. + + The first PEM block is a PRIVATE KEY + block, containing a PKCS#8 private + + key. + + + The remaining blocks are CERTIFICATE + blocks, containing the issued + + certificate chain from the signer (leaf + and any intermediates). 
+ + + Using credentialBundlePath lets your + Pod's application code make a single + + atomic read that retrieves a consistent + key and certificate chain. If you + + project them to separate files, your + application code will need to + + additionally check that the leaf + certificate was issued to the key. + type: string + keyPath: + description: >- + Write the key at this path in the + projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + keyType: + description: >- + The type of keypair Kubelet will + generate for the pod. + + + Valid values are "RSA3072", "RSA4096", + "ECDSAP256", "ECDSAP384", + + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: >- + maxExpirationSeconds is the maximum + lifetime permitted for the + + certificate. + + + Kubelet copies this value verbatim into + the PodCertificateRequests it + + generates for this projection. + + + If omitted, kube-apiserver will set it + to 86400(24 hours). kube-apiserver + + will reject values shorter than 3600 (1 + hour). The maximum allowable + + value is 7862400 (91 days). + + + The signer implementation is then free + to issue a certificate with any + + lifetime *shorter* than + MaxExpirationSeconds, but no shorter + than 3600 + + seconds (1 hour). This constraint is + enforced by kube-apiserver. + + `kubernetes.io` signers will never issue + certificates with a lifetime + + longer than 24 hours. + format: int32 + type: integer + signerName: + description: >- + Kubelet's generated CSRs will be + addressed to this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: >- + userAnnotations allow pod authors to + pass additional information to + + the signer implementation. 
Kubernetes + does not restrict or validate this + + metadata in any way. + + + These values are copied verbatim into + the `spec.unverifiedUserAnnotations` + field of + + the PodCertificateRequest objects that + Kubelet creates. + + + Entries are subject to the same + validation as object metadata + annotations, + + with the addition that all keys must be + domain-prefixed. No restrictions + + are placed on values, except an overall + size limitation on the entire field. + + + Signers should document the keys and + values they support. Signers should + + deny requests that contain keys they do + not recognize. + type: object + required: + - keyType + - signerName + type: object + secret: + description: >- + secret information about the secret data + to project + properties: + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + Secret will be projected into the volume + as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the Secret, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional field specify whether the + Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: >- + serviceAccountToken is information about + the serviceAccountToken data to project + properties: + audience: + description: >- + audience is the intended audience of the + token. A recipient of a token + + must identify itself with an identifier + specified in the audience of the + + token, and otherwise should reject the + token. The audience defaults to the + + identifier of the apiserver. + type: string + expirationSeconds: + description: >- + expirationSeconds is the requested + duration of validity of the service + + account token. As the token approaches + expiration, the kubelet volume + + plugin will proactively rotate the + service account token. The kubelet will + + start trying to rotate the token if the + token is older than 80 percent of + + its time to live or if the token is + older than 24 hours.Defaults to 1 hour + + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: >- + path is the path relative to the mount + point of the file to project the + + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: >- + quobyte represents a Quobyte mount on + the host that shares a pod's lifetime. + + Deprecated: Quobyte is deprecated and + the in-tree quobyte type is no longer + supported. + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: >- + readOnly here will force the Quobyte + volume to be mounted with read-only + permissions. + + Defaults to false. + type: boolean + registry: + description: >- + registry represents a single or multiple + Quobyte Registry services + + specified as a string as host:port pair + (multiple entries are separated with + commas) + + which acts as the central registry for + volumes + type: string + tenant: + description: >- + tenant owning the given Quobyte volume + in the Backend + + Used with dynamically provisioned + Quobyte volumes, value is set by the + plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: >- + volume is a string that references an + already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: >- + rbd represents a Rados Block Device + mount on the host that shares a pod's + lifetime. + + Deprecated: RBD is deprecated and the + in-tree rbd type is no longer supported. + properties: + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: >- + image is the rados image name. 
+ + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: >- + keyring is the path to key ring for + RBDUser. + + Default is /etc/ceph/keyring. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: >- + monitors is a collection of Ceph + monitors. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: >- + pool is the rados pool name. + + Default is rbd. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: >- + secretRef is name of the authentication + secret for RBDUser. If provided + + overrides keyring. + + Default is nil. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: >- + user is the rados user name. + + Default is admin. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: >- + scaleIO represents a ScaleIO persistent + volume attached and mounted on + Kubernetes nodes. 
+ + Deprecated: ScaleIO is deprecated and + the in-tree scaleIO type is no longer + supported. + properties: + fsType: + default: xfs + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". + + Default is "xfs". + type: string + gateway: + description: >- + gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: >- + protectionDomain is the name of the + ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: >- + readOnly Defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef references to the secret for + ScaleIO user and other + + sensitive information. If this is not + provided, Login operation will fail. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: >- + sslEnabled Flag enable/disable SSL + communication with Gateway, default + false + type: boolean + storageMode: + default: ThinProvisioned + description: >- + storageMode indicates whether the + storage for a volume should be + ThickProvisioned or ThinProvisioned. + + Default is ThinProvisioned. + type: string + storagePool: + description: >- + storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: >- + system is the name of the storage system + as configured in ScaleIO. 
+ type: string + volumeName: + description: >- + volumeName is the name of a volume + already created in the ScaleIO system + + that is associated with this volume + source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: >- + secret represents a secret that should + populate this volume. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: >- + defaultMode is Optional: mode bits used + to set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values + + for mode bits. Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + items If unspecified, each key-value + pair in the Data field of the referenced + + Secret will be projected into the volume + as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the Secret, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
+ + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: >- + optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: >- + secretName is the name of the secret in + the pod's namespace to use. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: >- + storageOS represents a StorageOS volume + attached and mounted on Kubernetes + nodes. + + Deprecated: StorageOS is deprecated and + the in-tree storageos type is no longer + supported. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef specifies the secret to use + for obtaining the StorageOS API + + credentials. If not specified, default + values will be attempted. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: >- + volumeName is the human-readable name of + the StorageOS volume. Volume + + names are only unique within a + namespace. + type: string + volumeNamespace: + description: >- + volumeNamespace specifies the scope of + the volume within StorageOS. If no + + namespace is specified then the Pod's + namespace will be used. This allows the + + Kubernetes name scoping to be mirrored + within StorageOS for tighter + integration. + + Set VolumeName to any name to override + the default behaviour. + + Set to "default" if you are not using + namespaces within StorageOS. + + Namespaces that do not pre-exist within + StorageOS will be created. + type: string + type: object + vsphereVolume: + description: >- + vsphereVolume represents a vSphere + volume attached and mounted on kubelets + host machine. + + Deprecated: VsphereVolume is deprecated. + All operations for the in-tree + vsphereVolume type + + are redirected to the + csi.vsphere.vmware.com CSI driver. + properties: + fsType: + description: >- + fsType is filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: >- + storagePolicyID is the storage Policy + Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: >- + storagePolicyName is the storage Policy + Based Management (SPBM) profile name. 
+ type: string + volumePath: + description: >- + volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + strategy: + description: >- + The daemonset strategy to use to replace + existing pods with new ones. + properties: + rollingUpdate: + description: >- + Rolling update config params. Present only + if type = "RollingUpdate". + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: >- + The maximum number of nodes with an + existing available DaemonSet pod that + + can have an updated DaemonSet pod during + during an update. + + Value can be an absolute number (ex: 5) + or a percentage of desired pods (ex: + 10%). + + This can not be 0 if MaxUnavailable is + 0. + + Absolute number is calculated from + percentage by rounding up to a minimum + of 1. + + Default value is 0. + + Example: when this is set to 30%, at + most 30% of the total number of nodes + + that should be running the daemon pod + (i.e. status.desiredNumberScheduled) + + can have their a new pod created before + the old pod is marked as deleted. + + The update starts by launching new pods + on 30% of nodes. Once an updated + + pod is available (Ready for at least + minReadySeconds) the old DaemonSet pod + + on that node is marked deleted. If the + old pod becomes unavailable for any + + reason (Ready transitions to false, is + evicted, or is drained) an updated + + pod is immediately created on that node + without considering surge limits. + + Allowing surge implies the possibility + that the resources consumed by the + + daemonset on any given node can double + if the readiness check fails, and + + so resource intensive daemonsets should + take into account that they may + + cause evictions during disruption. 
+ x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: >- + The maximum number of DaemonSet pods + that can be unavailable during the + + update. Value can be an absolute number + (ex: 5) or a percentage of total + + number of DaemonSet pods at the start of + the update (ex: 10%). Absolute + + number is calculated from percentage by + rounding up. + + This cannot be 0 if MaxSurge is 0 + + Default value is 1. + + Example: when this is set to 30%, at + most 30% of the total number of nodes + + that should be running the daemon pod + (i.e. status.desiredNumberScheduled) + + can have their pods stopped for an + update at any given time. The update + + starts by stopping at most 30% of those + DaemonSet pods and then brings + + up new DaemonSet pods in their place. + Once the new pods are available, + + it then proceeds onto other DaemonSet + pods, thus ensuring that at least + + 70% of original number of DaemonSet pods + are available at all times during + + the update. + x-kubernetes-int-or-string: true + type: object + type: + description: >- + Type of daemon set update. Can be + "RollingUpdate" or "OnDelete". Default is + RollingUpdate. + type: string + type: object + type: object + envoyDeployment: + description: >- + EnvoyDeployment defines the desired state of the + Envoy deployment resource. + + If unspecified, default settings for the managed + Envoy deployment resource + + are applied. + properties: + container: + description: >- + Container defines the desired specification of + main container. + properties: + env: + description: >- + List of environment variables to set in the + container. + items: + description: >- + EnvVar represents an environment variable + present in a Container. + properties: + name: + description: >- + Name of the environment variable. + + May consist of any printable ASCII + characters except '='. 
+ type: string + value: + description: >- + Variable references $(VAR_NAME) are + expanded + + using the previously defined environment + variables in the container and + + any service environment variables. If a + variable cannot be resolved, + + the reference in the input string will + be unchanged. Double $$ are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + + "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". + + Escaped references will never be + expanded, regardless of whether the + variable + + exists or not. + + Defaults to "". + type: string + valueFrom: + description: >- + Source for the environment variable's + value. Cannot be used if value is not + empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: >- + Selects a field of the pod: supports + metadata.name, metadata.namespace, + `metadata.labels['']`, + `metadata.annotations['']`, + + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, + status.podIPs. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: >- + FileKeyRef selects a key of the env + file. + + Requires the EnvFiles feature gate to be + enabled. + properties: + key: + description: >- + The key within the env file. An invalid + key will prevent the pod from starting. + + The keys defined within a source may + consist of any printable ASCII + characters except '='. + + During Alpha stage of the EnvFiles + feature gate, the key size is limited to + 128 characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must + be defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the + specified key does not exist, + + the environment variable will not be set + in the Pod's containers. + + + If optional is set to false and the + specified key does not exist, + + an error will be returned during Pod + creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the + '..' path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and + requests.ephemeral-storage) are + currently supported. 
+ properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: >- + Selects a key of a secret in the pod's + namespace + properties: + key: + description: >- + The key of the secret to select from. + Must be a valid secret key. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: >- + Image specifies the EnvoyProxy container + image to be used including a tag, instead of + the default image. + + This field is mutually exclusive with + ImageRepository. + type: string + x-kubernetes-validations: + - message: >- + Image must include a tag and allowed + characters only (e.g., 'repo:tag'). + rule: >- + self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') + imageRepository: + description: >- + ImageRepository specifies the container + image repository to be used without + specifying a tag. 
+ + The default tag will be used. + + This field is mutually exclusive with Image. + type: string + x-kubernetes-validations: + - message: >- + ImageRepository must contain only + allowed characters and must not include + a tag. + rule: >- + self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?[a-zA-Z0-9._/-]+$') + resources: + description: >- + Resources required by this container. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: >- + Claims lists the names of resources, + defined in spec.resourceClaims, + + that are used by this container. + + + This field depends on the + + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be + set for containers. + items: + description: >- + ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: >- + Name must match the name of one entry in + pod.spec.resourceClaims of + + the Pod where this field is used. It + makes that resource available + + inside a container. + type: string + request: + description: >- + Request is the name chosen for a request + in the referenced claim. + + If empty, everything from the claim is + made available, otherwise + + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. 
+ + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: >- + SecurityContext defines the security options + the container should be run with. + + If set, the fields of SecurityContext + override the equivalent fields of + PodSecurityContext. + + More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + properties: + allowPrivilegeEscalation: + description: >- + AllowPrivilegeEscalation controls + whether a process can gain more + + privileges than its parent process. This + bool directly controls if + + the no_new_privs flag will be set on the + container process. + + AllowPrivilegeEscalation is true always + when the container is: + + 1) run as Privileged + + 2) has CAP_SYS_ADMIN + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by this container. If set, this + profile + + overrides the pod's appArmorProfile. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. 
+ + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: >- + The capabilities to add/drop when + running containers. + + Defaults to the default set of + capabilities granted by the container + runtime. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: >- + Run container in privileged mode. + + Processes in privileged containers are + essentially equivalent to root on the + host. + + Defaults to false. + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + procMount: + description: >- + procMount denotes the type of proc mount + to use for the containers. + + The default value is Default which uses + the container runtime defaults for + + readonly paths and masked paths. + + This requires the ProcMountType feature + flag to be enabled. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: >- + Whether this container has a read-only + root filesystem. + + Default is false. + + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to the + container. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + PodSecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. 
+ type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by this + container. If seccomp options are + + provided at both the pod & container + level, the container options + + override the pod options. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options from the + PodSecurityContext will be used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. 
+ type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. + + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + volumeMounts: + description: >- + VolumeMounts are volumes to mount into the + container's filesystem. + + Cannot be updated. + items: + description: >- + VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: >- + Path within the container at which the + volume should be mounted. Must + + not contain ':'. + type: string + mountPropagation: + description: >- + mountPropagation determines how mounts + are propagated from the host + + to container and the other way around. + + When not set, MountPropagationNone is + used. + + This field is beta in 1.10. + + When RecursiveReadOnly is set to + IfPossible or to Enabled, + MountPropagation must be None or + unspecified + + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: >- + Mounted read-only if true, read-write + otherwise (false or unspecified). + + Defaults to false. 
+ type: boolean + recursiveReadOnly: + description: >- + RecursiveReadOnly specifies whether + read-only mounts should be handled + + recursively. + + + If ReadOnly is false, this field has no + meaning and must be unspecified. + + + If ReadOnly is true, and this field is + set to Disabled, the mount is not made + + recursively read-only. If this field is + set to IfPossible, the mount is made + + recursively read-only, if it is + supported by the container runtime. If + this + + field is set to Enabled, the mount is + made recursively read-only if it is + + supported by the container runtime, + otherwise the pod will not be started + and + + an error will be generated to indicate + the reason. + + + If this field is set to IfPossible or + Enabled, MountPropagation must be set to + + None (or be unspecified, which defaults + to None). + + + If this field is not specified, it is + treated as an equivalent of Disabled. + type: string + subPath: + description: >- + Path within the volume from which the + container's volume should be mounted. + + Defaults to "" (volume's root). + type: string + subPathExpr: + description: >- + Expanded path within the volume from + which the container's volume should be + mounted. + + Behaves similarly to SubPath but + environment variable references + $(VAR_NAME) are expanded using the + container's environment. + + Defaults to "" (volume's root). + + SubPathExpr and SubPath are mutually + exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + type: object + x-kubernetes-validations: + - message: Either image or imageRepository can be set. + rule: >- + !has(self.image) || + !has(self.imageRepository) + initContainers: + description: >- + List of initialization containers belonging to + the pod. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + items: + description: >- + A single application container that you want + to run within a pod. 
+ properties: + args: + description: >- + Arguments to the entrypoint. + + The container image's CMD is used if this + is not provided. + + Variable references $(VAR_NAME) are + expanded using the container's + environment. If a variable + + cannot be resolved, the reference in the + input string will be unchanged. Double $$ + are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will + + produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, + regardless + + of whether the variable exists or not. + Cannot be updated. + + More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + description: >- + Entrypoint array. Not executed within a + shell. + + The container image's ENTRYPOINT is used + if this is not provided. + + Variable references $(VAR_NAME) are + expanded using the container's + environment. If a variable + + cannot be resolved, the reference in the + input string will be unchanged. Double $$ + are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will + + produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, + regardless + + of whether the variable exists or not. + Cannot be updated. + + More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + description: >- + List of environment variables to set in + the container. + + Cannot be updated. + items: + description: >- + EnvVar represents an environment + variable present in a Container. + properties: + name: + description: >- + Name of the environment variable. + + May consist of any printable ASCII + characters except '='. 
+ type: string + value: + description: >- + Variable references $(VAR_NAME) are + expanded + + using the previously defined environment + variables in the container and + + any service environment variables. If a + variable cannot be resolved, + + the reference in the input string will + be unchanged. Double $$ are reduced + + to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. + + "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". + + Escaped references will never be + expanded, regardless of whether the + variable + + exists or not. + + Defaults to "". + type: string + valueFrom: + description: >- + Source for the environment variable's + value. Cannot be used if value is not + empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: >- + Selects a field of the pod: supports + metadata.name, metadata.namespace, + `metadata.labels['']`, + `metadata.annotations['']`, + + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, + status.podIPs. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: >- + FileKeyRef selects a key of the env + file. + + Requires the EnvFiles feature gate to be + enabled. + properties: + key: + description: >- + The key within the env file. An invalid + key will prevent the pod from starting. + + The keys defined within a source may + consist of any printable ASCII + characters except '='. + + During Alpha stage of the EnvFiles + feature gate, the key size is limited to + 128 characters. + type: string + optional: + default: false + description: >- + Specify whether the file or its key must + be defined. If the file or key + + does not exist, then the env var is not + published. + + If optional is set to true and the + specified key does not exist, + + the environment variable will not be set + in the Pod's containers. + + + If optional is set to false and the + specified key does not exist, + + an error will be returned during Pod + creation. + type: boolean + path: + description: >- + The path within the volume from which to + select the file. + + Must be relative and may not contain the + '..' path or start with '..'. + type: string + volumeName: + description: >- + The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and + requests.ephemeral-storage) are + currently supported. 
+ properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: >- + Selects a key of a secret in the pod's + namespace + properties: + key: + description: >- + The key of the secret to select from. + Must be a valid secret key. + type: string + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + description: >- + List of sources to populate environment + variables in the container. + + The keys defined within a source may + consist of any printable ASCII characters + except '='. + + When a key exists in multiple + + sources, the value associated with the + last source will take precedence. + + Values defined by an Env with a duplicate + key will take precedence. + + Cannot be updated. 
+ items: + description: >- + EnvFromSource represents the source of a + set of ConfigMaps or Secrets + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the ConfigMap must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: >- + Optional text to prepend to the name of + each environment variable. + + May consist of any printable ASCII + characters except '='. + type: string + secretRef: + description: The Secret to select from + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + Specify whether the Secret must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + description: >- + Container image name. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher + level config management to default or + override + + container images in workload controllers + like Deployments and StatefulSets. + type: string + imagePullPolicy: + description: >- + Image pull policy. + + One of Always, Never, IfNotPresent. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. 
+ + Cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: >- + Actions that the management system should + take in response to container lifecycle + events. + + Cannot be updated. + properties: + postStart: + description: >- + PostStart is called immediately after a + container is created. If the handler + fails, + + the container is terminated and + restarted according to its restart + policy. + + Other management of the container blocks + until the hook completes. + + More info: + https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. + properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. 
+ type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: >- + Sleep represents a duration that the + container should sleep. + properties: + seconds: + description: >- + Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: >- + Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept + + for backward compatibility. There is no + validation of this field and + + lifecycle hooks will fail at runtime + when it is specified. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: >- + PreStop is called immediately before a + container is terminated due to an + + API request or management event such as + liveness/startup probe failure, + + preemption, resource contention, etc. + The handler is not called if the + + container crashes or exits. The Pod's + termination grace period countdown + begins before the + + PreStop hook is executed. 
Regardless of + the outcome of the handler, the + + container will eventually terminate + within the Pod's termination grace + + period (unless delayed by finalizers). + Other management of the container blocks + until the hook completes + + or until the termination grace period is + reached. + + More info: + https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. + properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: >- + Sleep represents a duration that the + container should sleep. + properties: + seconds: + description: >- + Seconds is the number of seconds to + sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: >- + Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept + + for backward compatibility. There is no + validation of this field and + + lifecycle hooks will fail at runtime + when it is specified. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + description: >- + StopSignal defines which signal will be + sent to a container when it is being + stopped. + + If not specified, the default is defined + by the container runtime in use. + + StopSignal can only be set for Pods with + a non-empty .spec.os.name + type: string + type: object + livenessProbe: + description: >- + Periodic probe of container liveness. + + Container will be restarted if the probe + fails. + + Cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. 
+ properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: >- + Minimum consecutive failures for the + probe to be considered failed after + having succeeded. + + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: >- + GRPC specifies a GRPC + HealthCheckRequest. + properties: + port: + description: >- + Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: '' + description: >- + Service is the name of the service to + place in the gRPC HealthCheckRequest + + (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + + If this is not specified, the default + behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. 
+ type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: >- + Number of seconds after the container + has started before liveness probes are + initiated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: >- + How often (in seconds) to perform the + probe. + + Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: >- + Minimum consecutive successes for the + probe to be considered successful after + having failed. + + Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: >- + TCPSocket specifies a connection to a + TCP port. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: >- + Optional duration in seconds the pod + needs to terminate gracefully upon probe + failure. 
+ + The grace period is the duration in + seconds after the processes running in + the pod are sent + + a termination signal and the time when + the processes are forcibly halted with a + kill signal. + + Set this value longer than the expected + cleanup time for your process. + + If this value is nil, the pod's + terminationGracePeriodSeconds will be + used. Otherwise, this + + value overrides the value provided by + the pod spec. + + Value must be non-negative integer. The + value zero indicates stop immediately + via + + the kill signal (no opportunity to shut + down). + + This is a beta field and requires + enabling ProbeTerminationGracePeriod + feature gate. + + Minimum value is 1. + spec.terminationGracePeriodSeconds is + used if unset. + format: int64 + type: integer + timeoutSeconds: + description: >- + Number of seconds after which the probe + times out. + + Defaults to 1 second. Minimum value is + 1. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + name: + description: >- + Name of the container specified as a + DNS_LABEL. + + Each container in a pod must have a unique + name (DNS_LABEL). + + Cannot be updated. + type: string + ports: + description: >- + List of ports to expose from the + container. Not specifying a port here + + DOES NOT prevent that port from being + exposed. Any port which is + + listening on the default "0.0.0.0" address + inside a container will be + + accessible from the network. + + Modifying this array with strategic merge + patch may corrupt the data. + + For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + + Cannot be updated. + items: + description: >- + ContainerPort represents a network port + in a single container. + properties: + containerPort: + description: >- + Number of port to expose on the pod's IP + address. + + This must be a valid port number, 0 < x + < 65536. 
+ format: int32 + type: integer + hostIP: + description: >- + What host IP to bind the external port + to. + type: string + hostPort: + description: >- + Number of port to expose on the host. + + If specified, this must be a valid port + number, 0 < x < 65536. + + If HostNetwork is specified, this must + match ContainerPort. + + Most containers do not need this. + format: int32 + type: integer + name: + description: >- + If specified, this must be an + IANA_SVC_NAME and unique within the pod. + Each + + named port in a pod must have a unique + name. Name for the port that can be + + referred to by services. + type: string + protocol: + default: TCP + description: >- + Protocol for port. Must be UDP, TCP, or + SCTP. + + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: >- + Periodic probe of container service + readiness. + + Container will be removed from service + endpoints if the probe fails. + + Cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. + properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: >- + Minimum consecutive failures for the + probe to be considered failed after + having succeeded. 
+ + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: >- + GRPC specifies a GRPC + HealthCheckRequest. + properties: + port: + description: >- + Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: '' + description: >- + Service is the name of the service to + place in the gRPC HealthCheckRequest + + (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + + If this is not specified, the default + behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: >- + Number of seconds after the container + has started before liveness probes are + initiated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: >- + How often (in seconds) to perform the + probe. + + Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: >- + Minimum consecutive successes for the + probe to be considered successful after + having failed. + + Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: >- + TCPSocket specifies a connection to a + TCP port. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: >- + Optional duration in seconds the pod + needs to terminate gracefully upon probe + failure. + + The grace period is the duration in + seconds after the processes running in + the pod are sent + + a termination signal and the time when + the processes are forcibly halted with a + kill signal. + + Set this value longer than the expected + cleanup time for your process. + + If this value is nil, the pod's + terminationGracePeriodSeconds will be + used. Otherwise, this + + value overrides the value provided by + the pod spec. + + Value must be non-negative integer. The + value zero indicates stop immediately + via + + the kill signal (no opportunity to shut + down). 
+ + This is a beta field and requires + enabling ProbeTerminationGracePeriod + feature gate. + + Minimum value is 1. + spec.terminationGracePeriodSeconds is + used if unset. + format: int64 + type: integer + timeoutSeconds: + description: >- + Number of seconds after which the probe + times out. + + Defaults to 1 second. Minimum value is + 1. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + resizePolicy: + description: >- + Resources resize policy for the container. + + This field cannot be set on ephemeral + containers. + items: + description: >- + ContainerResizePolicy represents + resource resize policy for the + container. + properties: + resourceName: + description: >- + Name of the resource to which this + resource resize policy applies. + + Supported values: cpu, memory. + type: string + restartPolicy: + description: >- + Restart policy to apply when specified + resource is resized. + + If not specified, it defaults to + NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: >- + Compute Resources required by this + container. + + Cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + properties: + claims: + description: >- + Claims lists the names of resources, + defined in spec.resourceClaims, + + that are used by this container. + + + This field depends on the + + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be + set for containers. + items: + description: >- + ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: >- + Name must match the name of one entry in + pod.spec.resourceClaims of + + the Pod where this field is used. It + makes that resource available + + inside a container. 
+ type: string + request: + description: >- + Request is the name chosen for a request + in the referenced claim. + + If empty, everything from the claim is + made available, otherwise + + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + restartPolicy: + description: >- + RestartPolicy defines the restart behavior + of individual containers in a pod. + + This overrides the pod-level restart + policy. When this field is not specified, + + the restart behavior is defined by the + Pod's restart policy and the container + type. + + Additionally, setting the RestartPolicy as + "Always" for the init container will + + have the following effect: + + this init container will be continually + restarted on + + exit until all regular containers have + terminated. 
Once all regular + + containers have completed, all init + containers with restartPolicy "Always" + + will be shut down. This lifecycle differs + from normal init containers and + + is often referred to as a "sidecar" + container. Although this init + + container still starts in the init + container sequence, it does not wait + + for the container to complete before + proceeding to the next init + + container. Instead, the next init + container starts immediately after this + + init container is started, or after any + startupProbe has successfully + + completed. + type: string + restartPolicyRules: + description: >- + Represents a list of rules to be checked + to determine if the + + container should be restarted on exit. The + rules are evaluated in + + order. Once a rule matches a container + exit condition, the remaining + + rules are ignored. If no rule matches the + container exit condition, + + the Container-level restart policy + determines the whether the container + + is restarted or not. Constraints on the + rules: + + - At most 20 rules are allowed. + + - Rules can have the same action. + + - Identical rules are not forbidden in + validations. + + When rules are specified, container MUST + set RestartPolicy explicitly + + even it if matches the Pod's + RestartPolicy. + items: + description: >- + ContainerRestartRule describes how a + container exit is handled. + properties: + action: + description: >- + Specifies the action taken on a + container exit if the requirements + + are satisfied. The only possible value + is "Restart" to restart the + + container. + type: string + exitCodes: + description: >- + Represents the exit codes to check on + container exits. + properties: + operator: + description: >- + Represents the relationship between the + container exit code(s) and the + + specified values. Possible values are: + + - In: the requirement is satisfied if + the container exit code is in the + set of specified values. 
+ - NotIn: the requirement is satisfied if + the container exit code is + not in the set of specified values. + type: string + values: + description: >- + Specifies the set of values to check for + container exit codes. + + At most 255 elements are allowed. + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + description: >- + SecurityContext defines the security + options the container should be run with. + + If set, the fields of SecurityContext + override the equivalent fields of + PodSecurityContext. + + More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + properties: + allowPrivilegeEscalation: + description: >- + AllowPrivilegeEscalation controls + whether a process can gain more + + privileges than its parent process. This + bool directly controls if + + the no_new_privs flag will be set on the + container process. + + AllowPrivilegeEscalation is true always + when the container is: + + 1) run as Privileged + + 2) has CAP_SYS_ADMIN + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by this container. If set, this + profile + + overrides the pod's appArmorProfile. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. + + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. 
+ RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: >- + The capabilities to add/drop when + running containers. + + Defaults to the default set of + capabilities granted by the container + runtime. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: >- + Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: >- + Run container in privileged mode. + + Processes in privileged containers are + essentially equivalent to root on the + host. + + Defaults to false. + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + procMount: + description: >- + procMount denotes the type of proc mount + to use for the containers. + + The default value is Default which uses + the container runtime defaults for + + readonly paths and masked paths. + + This requires the ProcMountType feature + flag to be enabled. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: >- + Whether this container has a read-only + root filesystem. + + Default is false. + + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: >- + The SELinux context to be applied to the + container. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + PodSecurityContext. If set in both + SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by this + container. 
If seccomp options are + + provided at both the pod & container + level, the container options + + override the pod options. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. + + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options from the + PodSecurityContext will be used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. 
+ + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + startupProbe: + description: >- + StartupProbe indicates that the Pod has + successfully initialized. + + If specified, no other probes are executed + until this completes successfully. + + If this probe fails, the Pod will be + restarted, just as if the livenessProbe + failed. + + This can be used to provide different + probe parameters at the beginning of a + Pod's lifecycle, + + when it might take a long time to load + data or warm a cache, than during + steady-state operation. + + This cannot be updated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + properties: + exec: + description: >- + Exec specifies a command to execute in + the container. + properties: + command: + description: >- + Command is the command line to execute + inside the container, the working + directory for the + + command is root ('/') in the + container's filesystem. The command is + simply exec'd, it is + + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use + + a shell, you need to explicitly call out + to that shell. + + Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: >- + Minimum consecutive failures for the + probe to be considered failed after + having succeeded. + + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: >- + GRPC specifies a GRPC + HealthCheckRequest. + properties: + port: + description: >- + Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: '' + description: >- + Service is the name of the service to + place in the gRPC HealthCheckRequest + + (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + + If this is not specified, the default + behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: >- + HTTPGet specifies an HTTP GET request to + perform. + properties: + host: + description: >- + Host name to connect to, defaults to the + pod IP. You probably want to set + + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: >- + Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: >- + HTTPHeader describes a custom header to + be used in HTTP probes + properties: + name: + description: >- + The header field name. + + This will be canonicalized upon output, + so case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Name or number of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: >- + Scheme to use for connecting to the + host. + + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: >- + Number of seconds after the container + has started before liveness probes are + initiated. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: >- + How often (in seconds) to perform the + probe. + + Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: >- + Minimum consecutive successes for the + probe to be considered successful after + having failed. + + Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: >- + TCPSocket specifies a connection to a + TCP port. + properties: + host: + description: >- + Optional: Host name to connect to, + defaults to the pod IP. + type: string + port: + anyOf: + - type: integer + - type: string + description: >- + Number or name of the port to access on + the container. + + Number must be in the range 1 to 65535. + + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: >- + Optional duration in seconds the pod + needs to terminate gracefully upon probe + failure. + + The grace period is the duration in + seconds after the processes running in + the pod are sent + + a termination signal and the time when + the processes are forcibly halted with a + kill signal. + + Set this value longer than the expected + cleanup time for your process. + + If this value is nil, the pod's + terminationGracePeriodSeconds will be + used. Otherwise, this + + value overrides the value provided by + the pod spec. + + Value must be non-negative integer. 
The + value zero indicates stop immediately + via + + the kill signal (no opportunity to shut + down). + + This is a beta field and requires + enabling ProbeTerminationGracePeriod + feature gate. + + Minimum value is 1. + spec.terminationGracePeriodSeconds is + used if unset. + format: int64 + type: integer + timeoutSeconds: + description: >- + Number of seconds after which the probe + times out. + + Defaults to 1 second. Minimum value is + 1. + + More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + stdin: + description: >- + Whether this container should allocate a + buffer for stdin in the container runtime. + If this + + is not set, reads from stdin in the + container will always result in EOF. + + Default is false. + type: boolean + stdinOnce: + description: >- + Whether the container runtime should close + the stdin channel after it has been opened + by + + a single attach. When stdin is true the + stdin stream will remain open across + multiple attach + + sessions. If stdinOnce is set to true, + stdin is opened on container start, is + empty until the + + first client attaches to stdin, and then + remains open and accepts data until the + client disconnects, + + at which time stdin is closed and remains + closed until the container is restarted. + If this + + flag is false, a container processes that + reads from stdin will never receive an + EOF. + + Default is false + type: boolean + terminationMessagePath: + description: >- + Optional: Path at which the file to which + the container's termination message + + will be written is mounted into the + container's filesystem. + + Message written is intended to be brief + final status, such as an assertion failure + message. + + Will be truncated by the node if greater + than 4096 bytes. The total message length + across + + all containers will be limited to 12kb. + + Defaults to /dev/termination-log. + + Cannot be updated. 
+ type: string + terminationMessagePolicy: + description: >- + Indicate how the termination message + should be populated. File will use the + contents of + + terminationMessagePath to populate the + container status message on both success + and failure. + + FallbackToLogsOnError will use the last + chunk of container log output if the + termination + + message file is empty and the container + exited with an error. + + The log output is limited to 2048 bytes or + 80 lines, whichever is smaller. + + Defaults to File. + + Cannot be updated. + type: string + tty: + description: >- + Whether this container should allocate a + TTY for itself, also requires 'stdin' to + be true. + + Default is false. + type: boolean + volumeDevices: + description: >- + volumeDevices is the list of block devices + to be used by the container. + items: + description: >- + volumeDevice describes a mapping of a + raw block device within a container. + properties: + devicePath: + description: >- + devicePath is the path inside of the + container that the device will be mapped + to. + type: string + name: + description: >- + name must match the name of a + persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + description: >- + Pod volumes to mount into the container's + filesystem. + + Cannot be updated. + items: + description: >- + VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: >- + Path within the container at which the + volume should be mounted. Must + + not contain ':'. + type: string + mountPropagation: + description: >- + mountPropagation determines how mounts + are propagated from the host + + to container and the other way around. + + When not set, MountPropagationNone is + used. + + This field is beta in 1.10. 
+ + When RecursiveReadOnly is set to + IfPossible or to Enabled, + MountPropagation must be None or + unspecified + + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: >- + Mounted read-only if true, read-write + otherwise (false or unspecified). + + Defaults to false. + type: boolean + recursiveReadOnly: + description: >- + RecursiveReadOnly specifies whether + read-only mounts should be handled + + recursively. + + + If ReadOnly is false, this field has no + meaning and must be unspecified. + + + If ReadOnly is true, and this field is + set to Disabled, the mount is not made + + recursively read-only. If this field is + set to IfPossible, the mount is made + + recursively read-only, if it is + supported by the container runtime. If + this + + field is set to Enabled, the mount is + made recursively read-only if it is + + supported by the container runtime, + otherwise the pod will not be started + and + + an error will be generated to indicate + the reason. + + + If this field is set to IfPossible or + Enabled, MountPropagation must be set to + + None (or be unspecified, which defaults + to None). + + + If this field is not specified, it is + treated as an equivalent of Disabled. + type: string + subPath: + description: >- + Path within the volume from which the + container's volume should be mounted. + + Defaults to "" (volume's root). + type: string + subPathExpr: + description: >- + Expanded path within the volume from + which the container's volume should be + mounted. + + Behaves similarly to SubPath but + environment variable references + $(VAR_NAME) are expanded using the + container's environment. + + Defaults to "" (volume's root). + + SubPathExpr and SubPath are mutually + exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + description: >- + Container's working directory. + + If not specified, the container runtime's + default will be used, which + + might be configured in the container + image. + + Cannot be updated. + type: string + required: + - name + type: object + type: array + name: + description: >- + Name of the deployment. + + When unset, this defaults to an autogenerated + name. + type: string + patch: + description: >- + Patch defines how to perform the patch operation + to deployment + properties: + type: + description: >- + Type is the type of merge operation to + perform + + + By default, StrategicMerge is used as the + patch type. + type: string + value: + description: >- + Object contains the raw configuration for + merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object + pod: + description: Pod defines the desired specification of pod. + properties: + affinity: + description: >- + If specified, the pod's scheduling + constraints. + properties: + nodeAffinity: + description: >- + Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node matches + the corresponding matchExpressions; the + + node(s) with the highest sum are the + most preferred. 
+ items: + description: >- + An empty preferred scheduling term + matches all objects with implicit weight + 0 + + (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: >- + A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. 
+ type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: >- + Weight associated with matching the + corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to an update), the system + + may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: >- + Required. A list of node selector terms. + The terms are ORed. + items: + description: >- + A null or empty node selector term + matches no objects. The requirements of + + them are ANDed. + + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: >- + A list of node selector requirements by + node's labels. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. 
+ type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: >- + A list of node selector requirements by + node's fields. + items: + description: >- + A node selector requirement is a + selector that contains values, a key, + and an operator + + that relates the key and values. + properties: + key: + description: >- + The label key that the selector applies + to. + type: string + operator: + description: >- + Represents a key's relationship to a set + of values. + + Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + type: string + values: + description: >- + An array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. If the + operator is Gt or Lt, the values + + array must have a single element, which + will be interpreted as an integer. + + This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: >- + Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the affinity expressions specified by + this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. + + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and adding + + "weight" to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. 
+ items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the affinity requirements specified + by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the affinity requirements specified + by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. 
Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: >- + Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in + the same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: >- + The scheduler will prefer to schedule + pods to nodes that satisfy + + the anti-affinity expressions specified + by this field, but it may choose + + a node that violates one or more of the + expressions. The node that is + + most preferred is the one with the + greatest sum of weights, i.e. 
+ + for each node that meets all of the + scheduling requirements (resource + + request, requiredDuringScheduling + anti-affinity expressions, etc.), + + compute a sum by iterating through the + elements of this field and subtracting + + "weight" from the sum if the node has + pods which matches the corresponding + podAffinityTerm; the + + node(s) with the highest sum are the + most preferred. + items: + description: >- + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: >- + Required. A pod affinity term, + associated with the corresponding + weight. + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. 
+ + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: >- + weight associated with matching the + corresponding podAffinityTerm, + + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: >- + If the anti-affinity requirements + specified by this field are not met at + + scheduling time, the pod will not be + scheduled onto the node. + + If the anti-affinity requirements + specified by this field cease to be met + + at some point during pod execution (e.g. + due to a pod label update), the + + system may or may not try to eventually + evict the pod from its node. + + When there are multiple elements, the + lists of nodes corresponding to each + + podAffinityTerm are intersected, i.e. + all terms must be satisfied. 
+ items: + description: >- + Defines a set of pods (namely those + matching the labelSelector + + relative to the given namespace(s)) that + this pod should be + + co-located (affinity) or not co-located + (anti-affinity) with, + + where co-located is defined as running + on a node whose value of + + the label with key matches + that of any node on which + + a pod of the set of pods is running + properties: + labelSelector: + description: >- + A label query over a set of resources, + in this case pods. + + If it's null, this PodAffinityTerm + matches with no Pods. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key in (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both matchLabelKeys and labelSelector. + + Also, matchLabelKeys cannot be set when + labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: >- + MismatchLabelKeys is a set of pod label + keys to select which pods will + + be taken into consideration. The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are merged with `labelSelector` + as `key notin (value)` + + to select the group of existing pods + which pods will be taken into + consideration + + for the incoming pod's pod (anti) + affinity. Keys that don't exist in the + incoming + + pod labels will be ignored. The default + value is empty. + + The same key is forbidden to exist in + both mismatchLabelKeys and + labelSelector. + + Also, mismatchLabelKeys cannot be set + when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: >- + A label query over the set of namespaces + that the term applies to. + + The term is applied to the union of the + namespaces selected by this field + + and the ones listed in the namespaces + field. + + null selector and null or empty + namespaces list means "this pod's + namespace". + + An empty selector ({}) matches all + namespaces. 
+ properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: >- + namespaces specifies a static list of + namespace names that the term applies + to. + + The term is applied to the union of the + namespaces listed in this field + + and the ones selected by + namespaceSelector. + + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: >- + This pod should be co-located (affinity) + or not co-located (anti-affinity) with + the pods matching + + the labelSelector in the specified + namespaces, where co-located is defined + as running on a node + + whose value of the label with key + topologyKey matches that of any node on + which any of the + + selected pods is running. + + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + annotations: + additionalProperties: + type: string + description: >- + Annotations are the annotations that should + be appended to the pods. + + By default, no pod annotations are appended. + type: object + imagePullSecrets: + description: >- + ImagePullSecrets is an optional list of + references to secrets + + in the same namespace to use for pulling any + of the images used by this PodSpec. + + If specified, these secrets will be passed + to individual puller implementations for + them to use. + + More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + items: + description: >- + LocalObjectReference contains enough + information to let you locate the + + referenced object inside the same + namespace. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + labels: + additionalProperties: + type: string + description: >- + Labels are the additional labels that should + be tagged to the pods. 
+ + By default, no additional pod labels are + tagged. + type: object + nodeSelector: + additionalProperties: + type: string + description: >- + NodeSelector is a selector which must be + true for the pod to fit on a node. + + Selector which must match a node's labels + for the pod to be scheduled on that node. + + More info: + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + priorityClassName: + description: >- + PriorityClassName indicates the importance + of a Pod relative to other Pods. + + If a PriorityClassName is not specified, the + pod priority will be default or zero if + there is no default. + + More info: + https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ + type: string + securityContext: + description: >- + SecurityContext holds pod-level security + attributes and common container settings. + + Optional: Defaults to empty. See type + description for default values of each + field. + properties: + appArmorProfile: + description: >- + appArmorProfile is the AppArmor options + to use by the containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + loaded on the node that should be used. + + The profile must be preconfigured on the + node to work. + + Must match the loaded name of the + profile. + + Must be set if and only if type is + "Localhost". + type: string + type: + description: >- + type indicates which kind of AppArmor + profile will be applied. + + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + fsGroup: + description: >- + A special supplemental group that + applies to all containers in a pod. 
+ + Some volume types allow the Kubelet to + change the ownership of that volume + + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + + 2. The setgid bit is set (new files + created in the volume will be owned by + FSGroup) + + 3. The permission bits are OR'd with + rw-rw---- + + + If unset, the Kubelet will not modify + the ownership and permissions of any + volume. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: >- + fsGroupChangePolicy defines behavior of + changing ownership and permission of the + volume + + before being exposed inside Pod. This + field will only apply to + + volume types which support fsGroup based + ownership(and permissions). + + It will have no effect on ephemeral + volume types such as: secret, configmaps + + and emptydir. + + Valid values are "OnRootMismatch" and + "Always". If not specified, "Always" is + used. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + runAsGroup: + description: >- + The GID to run the entrypoint of the + container process. + + Uses runtime default if unset. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: >- + Indicates that the container must run as + a non-root user. + + If true, the Kubelet will validate the + image at runtime to ensure that it + + does not run as UID 0 (root) and fail to + start the container if it does. + + If unset or false, no such validation + will be performed. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: >- + The UID to run the entrypoint of the + container process. + + Defaults to user specified in image + metadata if unspecified. + + May also be set in SecurityContext. If + set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence + + for that container. + + Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + seLinuxChangePolicy: + description: >- + seLinuxChangePolicy defines how the + container's SELinux label is applied to + all volumes used by the Pod. + + It has no effect on nodes that do not + support SELinux or to volumes does not + support SELinux. + + Valid values are "MountOption" and + "Recursive". + + + "Recursive" means relabeling of all + files on all Pod volumes by the + container runtime. + + This may be slow for large volumes, but + allows mixing privileged and + unprivileged Pods sharing the same + volume on the same node. + + + "MountOption" mounts all eligible Pod + volumes with `-o context` mount option. + + This requires all Pods that share the + same volume to use the same SELinux + label. + + It is not possible to share the same + volume among privileged and unprivileged + Pods. + + Eligible volumes are in-tree + FibreChannel and iSCSI volumes, and all + CSI volumes + + whose CSI driver announces SELinux + support by setting spec.seLinuxMount: + true in their + + CSIDriver instance. Other volumes are + always re-labelled recursively. + + "MountOption" value is allowed only when + SELinuxMount feature gate is enabled. + + + If not specified and SELinuxMount + feature gate is enabled, "MountOption" + is used. + + If not specified and SELinuxMount + feature gate is disabled, "MountOption" + is used for ReadWriteOncePod volumes + + and "Recursive" for all other volumes. 
+ + + This field affects only Pods that have + SELinux label set, either in + PodSecurityContext or in SecurityContext + of all containers. + + + All Pods that use the same volume should + use the same seLinuxChangePolicy, + otherwise some pods can get stuck in + ContainerCreating state. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + seLinuxOptions: + description: >- + The SELinux context to be applied to all + containers. + + If unspecified, the container runtime + will allocate a random SELinux context + for each + + container. May also be set in + SecurityContext. If set in + + both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext + + takes precedence for that container. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: >- + Level is SELinux level label that + applies to the container. + type: string + role: + description: >- + Role is a SELinux role label that + applies to the container. + type: string + type: + description: >- + Type is a SELinux type label that + applies to the container. + type: string + user: + description: >- + User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: >- + The seccomp options to use by the + containers in this pod. + + Note that this field cannot be set when + spec.os.name is windows. + properties: + localhostProfile: + description: >- + localhostProfile indicates a profile + defined in a file on the node should be + used. + + The profile must be preconfigured on the + node to work. + + Must be a descending path, relative to + the kubelet's configured seccomp profile + location. + + Must be set if type is "Localhost". Must + NOT be set for any other type. + type: string + type: + description: >- + type indicates which kind of seccomp + profile will be applied. 
+ + Valid options are: + + + Localhost - a profile defined in a file + on the node should be used. + + RuntimeDefault - the container runtime + default profile should be used. + + Unconfined - no profile should be + applied. + type: string + required: + - type + type: object + supplementalGroups: + description: >- + A list of groups applied to the first + process run in each container, in + + addition to the container's primary GID + and fsGroup (if specified). If + + the SupplementalGroupsPolicy feature is + enabled, the + + supplementalGroupsPolicy field + determines whether these are in addition + + to or instead of any group memberships + defined in the container image. + + If unspecified, no additional groups are + added, though group memberships + + defined in the container image may still + be used, depending on the + + supplementalGroupsPolicy field. + + Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: >- + Defines how supplemental groups of the + first container processes are + calculated. + + Valid values are "Merge" and "Strict". + If not specified, "Merge" is used. + + (Alpha) Using the field requires the + SupplementalGroupsPolicy feature gate to + be enabled + + and the container runtime must implement + support for this feature. + + Note that this field cannot be set when + spec.os.name is windows. + type: string + sysctls: + description: >- + Sysctls hold a list of namespaced + sysctls used for the pod. Pods with + unsupported + + sysctls (by the container runtime) might + fail to launch. + + Note that this field cannot be set when + spec.os.name is windows. 
+ items: + description: >- + Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + description: >- + The Windows specific settings applied to + all containers. + + If unspecified, the options within a + container's SecurityContext will be + used. + + If set in both SecurityContext and + PodSecurityContext, the value specified + in SecurityContext takes precedence. + + Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: >- + GMSACredentialSpec is where the GMSA + admission webhook + + (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the + + GMSA credential spec named by the + GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: >- + GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: >- + HostProcess determines if a container + should be run as a 'Host Process' + container. + + All of a Pod's containers must have the + same effective HostProcess value + + (it is not allowed to have a mix of + HostProcess containers and + non-HostProcess containers). + + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: >- + The UserName in Windows to run the + entrypoint of the container process. + + Defaults to the user specified in image + metadata if unspecified. + + May also be set in PodSecurityContext. + If set in both SecurityContext and + + PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: string + type: object + type: object + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: >- + The pod this Toleration is attached to + tolerates any taint that matches + + the triple using the + matching operator . + properties: + effect: + description: >- + Effect indicates the taint effect to + match. Empty means match all taint + effects. + + When specified, allowed values are + NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: >- + Key is the taint key that the toleration + applies to. Empty means match all taint + keys. + + If the key is empty, operator must be + Exists; this combination means to match + all values and all keys. + type: string + operator: + description: >- + Operator represents a key's relationship + to the value. + + Valid operators are Exists, Equal, Lt, + and Gt. Defaults to Equal. + + Exists is equivalent to wildcard for + value, so that a pod can + + tolerate all taints of a particular + category. + + Lt and Gt perform numeric comparisons + (requires feature gate + TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: >- + TolerationSeconds represents the period + of time the toleration (which must be + + of effect NoExecute, otherwise this + field is ignored) tolerates the taint. + By default, + + it is not set, which means tolerate the + taint forever (do not evict). Zero and + + negative values will be treated as 0 + (evict immediately) by the system. + format: int64 + type: integer + value: + description: >- + Value is the taint value the toleration + matches to. + + If the operator is Exists, the value + should be empty, otherwise just a + regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: >- + TopologySpreadConstraints describes how a + group of pods ought to spread across + topology + + domains. Scheduler will schedule pods in a + way which abides by the constraints. + + All topologySpreadConstraints are ANDed. 
+ items: + description: >- + TopologySpreadConstraint specifies how to + spread matching pods among the given + topology. + properties: + labelSelector: + description: >- + LabelSelector is used to find matching + pods. + + Pods that match this label selector are + counted to determine the number of pods + + in their corresponding topology domain. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: >- + MatchLabelKeys is a set of pod label + keys to select the pods over which + + spreading will be calculated. 
The keys + are used to lookup values from the + + incoming pod labels, those key-value + labels are ANDed with labelSelector + + to select the group of existing pods + over which spreading will be calculated + + for the incoming pod. The same key is + forbidden to exist in both + MatchLabelKeys and LabelSelector. + + MatchLabelKeys cannot be set when + LabelSelector isn't set. + + Keys that don't exist in the incoming + pod labels will + + be ignored. A null or empty list means + only match against labelSelector. + + + This is a beta field and requires the + MatchLabelKeysInPodTopologySpread + feature gate to be enabled (enabled by + default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: >- + MaxSkew describes the degree to which + pods may be unevenly distributed. + + When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference + + between the number of matching pods in + the target topology and the global + minimum. + + The global minimum is the minimum number + of matching pods in an eligible domain + + or zero if the number of eligible + domains is less than MinDomains. + + For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the + same + + labelSelector spread as 2/2/1: + + In this case, the global minimum is 1. + + | zone1 | zone2 | zone3 | + + | P P | P P | P | + + - if MaxSkew is 1, incoming pod can only + be scheduled to zone3 to become 2/2/2; + + scheduling it onto zone1(zone2) would + make the ActualSkew(3-1) on zone1(zone2) + + violate MaxSkew(1). + + - if MaxSkew is 2, incoming pod can be + scheduled onto any zone. + + When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence + + to topologies that satisfy it. + + It's a required field. Default value is + 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: >- + MinDomains indicates a minimum number of + eligible domains. 
+ + When the number of eligible domains with + matching topology keys is less than + minDomains, + + Pod Topology Spread treats "global + minimum" as 0, and then the calculation + of Skew is performed. + + And when the number of eligible domains + with matching topology keys equals or + greater than minDomains, + + this value has no effect on scheduling. + + As a result, when the number of eligible + domains is less than minDomains, + + scheduler won't schedule more than + maxSkew Pods to those domains. + + If value is nil, the constraint behaves + as if MinDomains is equal to 1. + + Valid values are integers greater than + 0. + + When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. + + + For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set + to 5 and pods with the same + + labelSelector spread as 2/2/2: + + | zone1 | zone2 | zone3 | + + | P P | P P | P P | + + The number of domains is less than + 5(MinDomains), so "global minimum" is + treated as 0. + + In this situation, new pod with the same + labelSelector cannot be scheduled, + + because computed skew will be 3(3 - 0) + if new Pod is scheduled to any of the + three zones, + + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: >- + NodeAffinityPolicy indicates how we will + treat Pod's nodeAffinity/nodeSelector + + when calculating pod topology spread + skew. Options are: + + - Honor: only nodes matching + nodeAffinity/nodeSelector are included + in the calculations. + + - Ignore: nodeAffinity/nodeSelector are + ignored. All nodes are included in the + calculations. + + + If this value is nil, the behavior is + equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: >- + NodeTaintsPolicy indicates how we will + treat node taints when calculating + + pod topology spread skew. 
Options are: + + - Honor: nodes without taints, along + with tainted nodes for which the + incoming pod + + has a toleration, are included. + + - Ignore: node taints are ignored. All + nodes are included. + + + If this value is nil, the behavior is + equivalent to the Ignore policy. + type: string + topologyKey: + description: >- + TopologyKey is the key of node labels. + Nodes that have a label with this key + + and identical values are considered to + be in the same topology. + + We consider each as a + "bucket", and try to put balanced number + + of pods into each bucket. + + We define a domain as a particular + instance of a topology. + + Also, we define an eligible domain as a + domain whose nodes meet the requirements + of + + nodeAffinityPolicy and nodeTaintsPolicy. + + e.g. If TopologyKey is + "kubernetes.io/hostname", each Node is a + domain of that topology. + + And, if TopologyKey is + "topology.kubernetes.io/zone", each zone + is a domain of that topology. + + It's a required field. + type: string + whenUnsatisfiable: + description: >- + WhenUnsatisfiable indicates how to deal + with a pod if it doesn't satisfy + + the spread constraint. + + - DoNotSchedule (default) tells the + scheduler not to schedule it. + + - ScheduleAnyway tells the scheduler to + schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered + "Unsatisfiable" for an incoming pod + + if and only if every possible node + assignment for that pod would violate + + "MaxSkew" on some topology. + + For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the + same + + labelSelector spread as 3/1/1: + + | zone1 | zone2 | zone3 | + + | P P P | P | P | + + If WhenUnsatisfiable is set to + DoNotSchedule, incoming pod can only be + scheduled + + to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) + satisfies + + MaxSkew(1). 
In other words, the cluster + can still be imbalanced, but scheduler + + won't make it *more* imbalanced. + + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumes: + description: >- + Volumes that can be mounted by containers + belonging to the pod. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes + items: + description: >- + Volume represents a named volume in a pod + that may be accessed by any container in + the pod. + properties: + awsElasticBlockStore: + description: >- + awsElasticBlockStore represents an AWS + Disk resource that is attached to a + + kubelet's host machine and then exposed + to the pod. + + Deprecated: AWSElasticBlockStore is + deprecated. All operations for the + in-tree + + awsElasticBlockStore type are redirected + to the ebs.csi.aws.com CSI driver. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: >- + partition is the partition in the volume + that you want to mount. + + If omitted, the default is to mount by + volume name. + + Examples: For volume /dev/sda1, you + specify the partition as "1". + + Similarly, the volume partition for + /dev/sda is "0" (or you can leave the + property empty). + format: int32 + type: integer + readOnly: + description: >- + readOnly value true will force the + readOnly setting in VolumeMounts. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: >- + volumeID is unique ID of the persistent + disk resource in AWS (Amazon EBS + volume). + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: >- + azureDisk represents an Azure Data Disk + mount on the host and bind mount to the + pod. + + Deprecated: AzureDisk is deprecated. All + operations for the in-tree azureDisk + type + + are redirected to the disk.csi.azure.com + CSI driver. + properties: + cachingMode: + description: >- + cachingMode is the Host Caching mode: + None, Read Only, Read Write. + type: string + diskName: + description: >- + diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: >- + diskURI is the URI of data disk in the + blob storage + type: string + fsType: + default: ext4 + description: >- + fsType is Filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + kind: + description: >- + kind expected values are Shared: + multiple blob disks per storage account + Dedicated: single blob disk per storage + account Managed: azure managed data + disk (only in managed availability set). + defaults to shared + type: string + readOnly: + default: false + description: >- + readOnly Defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: >- + azureFile represents an Azure File + Service mount on the host and bind mount + to the pod. + + Deprecated: AzureFile is deprecated. All + operations for the in-tree azureFile + type + + are redirected to the file.csi.azure.com + CSI driver. 
+ properties: + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: >- + secretName is the name of secret that + contains Azure Storage Account Name and + Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: >- + cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime. + + Deprecated: CephFS is deprecated and the + in-tree cephfs type is no longer + supported. + properties: + monitors: + description: >- + monitors is Required: Monitors is a + collection of Ceph monitors + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: >- + path is Optional: Used as the mounted + root, rather than the full Ceph tree, + default is / + type: string + readOnly: + description: >- + readOnly is Optional: Defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: >- + secretFile is Optional: SecretFile is + the path to key ring for User, default + is /etc/ceph/user.secret + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: >- + secretRef is Optional: SecretRef is + reference to the authentication secret + for User, default is empty. + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. 
Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: >- + user is optional: User is the rados user + name, default is admin + + More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: >- + cinder represents a cinder volume + attached and mounted on kubelets host + machine. + + Deprecated: Cinder is deprecated. All + operations for the in-tree cinder type + + are redirected to the + cinder.csi.openstack.org CSI driver. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: >- + secretRef is optional: points to a + secret object containing parameters used + to connect + + to OpenStack. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: >- + volumeID used to identify the volume in + cinder. 
+ + More info: + https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: >- + configMap represents a configMap that + should populate this volume + properties: + defaultMode: + description: >- + defaultMode is optional: mode bits used + to set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + ConfigMap will be projected into the + volume as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the ConfigMap, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. 
+ + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: >- + csi (Container Storage Interface) + represents ephemeral storage that is + handled by certain external CSI drivers. + properties: + driver: + description: >- + driver is the name of the CSI driver + that handles this volume. + + Consult with your admin for the correct + name as registered in the cluster. + type: string + fsType: + description: >- + fsType to mount. Ex. "ext4", "xfs", + "ntfs". + + If not provided, the empty value is + passed to the associated CSI driver + + which will determine the default + filesystem to apply. + type: string + nodePublishSecretRef: + description: >- + nodePublishSecretRef is a reference to + the secret object containing + + sensitive information to pass to the CSI + driver to complete the CSI + + NodePublishVolume and + NodeUnpublishVolume calls. + + This field is optional, and may be + empty if no secret is required. If the + + secret object contains more than one + secret, all secret references are + passed. 
+ properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: >- + readOnly specifies a read-only + configuration for the volume. + + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: >- + volumeAttributes stores driver-specific + properties that are passed to the CSI + + driver. Consult your driver's + documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: >- + downwardAPI represents downward API + about the pod that should populate this + volume + properties: + defaultMode: + description: >- + Optional: mode bits to use on created + files by default. Must be a + + Optional: mode bits used to set + permissions on created files by default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + Items is a list of downward API volume + file + items: + description: >- + DownwardAPIVolumeFile represents + information to create the file + containing the pod field + properties: + fieldRef: + description: >- + Required: Selects a field of the pod: + only annotations, labels, name, + namespace and uid are supported. 
+ properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: >- + Optional: mode bits used to set + permissions on this file, must be an + octal value + + between 0000 and 0777 or a decimal value + between 0 and 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + Required: Path is the relative path + name of the file to be created. Must not + be absolute or contain the '..' path. + Must be utf-8 encoded. The first item of + the relative path must not start with + '..' + type: string + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently + supported. 
+ properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: >- + emptyDir represents a temporary + directory that shares a pod's lifetime. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: >- + medium represents what type of storage + medium should back this directory. + + The default is "" which means to use the + node's default medium. + + Must be an empty string (default) or + Memory. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: >- + sizeLimit is the total amount of local + storage required for this EmptyDir + volume. + + The size limit is also applicable for + memory medium. + + The maximum usage on memory medium + EmptyDir would be the minimum value + between + + the SizeLimit specified here and the sum + of memory limits of all containers in a + pod. + + The default is nil which means that the + limit is undefined. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: >- + ephemeral represents a volume that is + handled by a cluster storage driver. + + The volume's lifecycle is tied to the + pod that defines it - it will be created + before the pod starts, + + and deleted when the pod is removed. + + + Use this if: + + a) the volume is only needed while the + pod runs, + + b) features of normal volumes like + restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified + through a storage class, and + + d) the storage driver supports dynamic + volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the + vendor-specific + + APIs for volumes that persist for longer + than the lifecycle + + of an individual pod. + + + Use CSI for light-weight local ephemeral + volumes if the CSI driver is meant to + + be used that way - see the documentation + of the driver for + + more information. + + + A pod can use both types of ephemeral + volumes and + + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: >- + Will be used to create a stand-alone PVC + to provision the volume. + + The pod in which this + EphemeralVolumeSource is embedded will + be the + + owner of the PVC, i.e. the PVC will be + deleted together with the + + pod. The name of the PVC will be `-` where + + `` is the name from the + `PodSpec.Volumes` array + + entry. Pod validation will reject the + pod if the concatenated name + + is not valid for a PVC (for example, too + long). 
+ + + An existing PVC with that name that is + not owned by the pod + + will *not* be used for the pod to avoid + using an unrelated + + volume by mistake. Starting the pod is + then blocked until + + the unrelated PVC is removed. If such a + pre-created PVC is + + meant to be used by the pod, the PVC has + to updated with an + + owner reference to the pod once the pod + exists. Normally + + this should not be necessary, but it may + be useful when + + manually reconstructing a broken + cluster. + + + This field is read-only and no changes + will be made by Kubernetes + + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: >- + May contain labels and annotations that + will be copied into the PVC + + when creating it. No other fields are + allowed and will be rejected during + + validation. + type: object + spec: + description: >- + The specification for the + PersistentVolumeClaim. The entire + content is + + copied unchanged into the PVC that gets + created from this + + template. The same fields as in a + PersistentVolumeClaim + + are also valid here. + properties: + accessModes: + description: >- + accessModes contains the desired access + modes the volume should have. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: >- + dataSource field can be used to specify + either: + + * An existing VolumeSnapshot object + (snapshot.storage.k8s.io/VolumeSnapshot) + + * An existing PVC + (PersistentVolumeClaim) + + If the provisioner or an external + controller can support the specified + data source, + + it will create a new volume based on the + contents of the specified data source. 
+ + When the AnyVolumeDataSource feature + gate is enabled, dataSource contents + will be copied to dataSourceRef, + + and dataSourceRef contents will be + copied to dataSource when + dataSourceRef.namespace is not + specified. + + If the namespace is specified, then + dataSourceRef will not be copied to + dataSource. + properties: + apiGroup: + description: >- + APIGroup is the group for the resource + being referenced. + + If APIGroup is not specified, the + specified Kind must be in the core API + group. + + For any other third-party types, + APIGroup is required. + type: string + kind: + description: >- + Kind is the type of resource being + referenced + type: string + name: + description: >- + Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: >- + dataSourceRef specifies the object from + which to populate the volume with data, + if a non-empty + + volume is desired. This may be any + object from a non-empty API group (non + + core object) or a PersistentVolumeClaim + object. + + When this field is specified, volume + binding will only succeed if the type of + + the specified object matches some + installed volume populator or dynamic + + provisioner. + + This field will replace the + functionality of the dataSource field + and as such + + if both fields are non-empty, they must + have the same value. For backwards + + compatibility, when namespace isn't + specified in dataSourceRef, + + both fields (dataSource and + dataSourceRef) will be set to the same + + value automatically if one of them is + empty and the other is non-empty. + + When namespace is specified in + dataSourceRef, + + dataSource isn't set to the same value + and must be empty. 
+ + There are three important differences + between dataSource and dataSourceRef: + + * While dataSource only allows two + specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed + values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local + objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the + AnyVolumeDataSource feature gate to be + enabled. + + (Alpha) Using the namespace field of + dataSourceRef requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled. + properties: + apiGroup: + description: >- + APIGroup is the group for the resource + being referenced. + + If APIGroup is not specified, the + specified Kind must be in the core API + group. + + For any other third-party types, + APIGroup is required. + type: string + kind: + description: >- + Kind is the type of resource being + referenced + type: string + name: + description: >- + Name is the name of resource being + referenced + type: string + namespace: + description: >- + Namespace is the namespace of resource + being referenced + + Note that when a namespace is specified, + a + gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. See the + ReferenceGrant documentation for + details. + + (Alpha) This field requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: >- + resources represents the minimum + resources the volume should have. + + Users are allowed to specify resource + requirements + + that are lower than previous value but + must still be higher than capacity + recorded in the + + status field of the claim. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Limits describes the maximum amount of + compute resources allowed. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: >- + Requests describes the minimum amount of + compute resources required. + + If Requests is omitted for a container, + it defaults to Limits if that is + explicitly specified, + + otherwise to an implementation-defined + value. Requests cannot exceed Limits. + + More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: >- + selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. 
If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: >- + storageClassName is the name of the + StorageClass required by the claim. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: >- + volumeAttributesClassName may be used to + set the VolumeAttributesClass used by + this claim. + + If specified, the CSI driver will create + or update the volume with the attributes + defined + + in the corresponding + VolumeAttributesClass. This has a + different purpose than storageClassName, + + it can be changed after the claim is + created. An empty string or nil value + indicates that no + + VolumeAttributesClass will be applied to + the claim. If the claim enters an + Infeasible error state, + + this field can be reset to its previous + value (including nil) to cancel the + modification. + + If the resource referred to by + volumeAttributesClass does not exist, + this PersistentVolumeClaim will be + + set to a Pending state, as reflected by + the modifyVolumeStatus field, until such + as a resource + + exists. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + type: string + volumeMode: + description: >- + volumeMode defines what type of volume + is required by the claim. + + Value of Filesystem is implied when not + included in claim spec. + type: string + volumeName: + description: >- + volumeName is the binding reference to + the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: >- + fc represents a Fibre Channel resource + that is attached to a kubelet's host + machine and then exposed to the pod. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: >- + readOnly is Optional: Defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: >- + targetWWNs is Optional: FC target + worldwide names (WWNs) + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: >- + wwids Optional: FC volume world wide + identifiers (wwids) + + Either wwids or combination of + targetWWNs and lun must be set, but not + both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: >- + flexVolume represents a generic volume + resource that is + + provisioned/attached using an exec based + plugin. + + Deprecated: FlexVolume is deprecated. + Consider using a CSIDriver instead. + properties: + driver: + description: >- + driver is the name of the driver to use + for this volume. + type: string + fsType: + description: >- + fsType is the filesystem type to mount. 
+ + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". The default + filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: >- + options is Optional: this field holds + extra command options if any. + type: object + readOnly: + description: >- + readOnly is Optional: defaults to false + (read/write). ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef is Optional: secretRef is + reference to the secret object + containing + + sensitive information to pass to the + plugin scripts. This may be + + empty if no secret object is specified. + If the secret object + + contains more than one secret, all + secrets are passed to the plugin + + scripts. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: >- + flocker represents a Flocker volume + attached to a kubelet's host machine. + This depends on the Flocker control + service being running. + + Deprecated: Flocker is deprecated and + the in-tree flocker type is no longer + supported. + properties: + datasetName: + description: >- + datasetName is Name of the dataset + stored as metadata -> name on the + dataset for Flocker + + should be considered as deprecated + type: string + datasetUUID: + description: >- + datasetUUID is the UUID of the dataset. 
+ This is unique identifier of a Flocker + dataset + type: string + type: object + gcePersistentDisk: + description: >- + gcePersistentDisk represents a GCE Disk + resource that is attached to a + + kubelet's host machine and then exposed + to the pod. + + Deprecated: GCEPersistentDisk is + deprecated. All operations for the + in-tree + + gcePersistentDisk type are redirected to + the pd.csi.storage.gke.io CSI driver. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: >- + fsType is filesystem type of the volume + that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: >- + partition is the partition in the volume + that you want to mount. + + If omitted, the default is to mount by + volume name. + + Examples: For volume /dev/sda1, you + specify the partition as "1". + + Similarly, the volume partition for + /dev/sda is "0" (or you can leave the + property empty). + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: >- + pdName is unique name of the PD resource + in GCE. Used to identify the disk in + GCE. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: >- + gitRepo represents a git repository at a + particular revision. + + Deprecated: GitRepo is deprecated. 
To + provision a container with a git repo, + mount an + + EmptyDir into an InitContainer that + clones the repo using git, then mount + the EmptyDir + + into the Pod's container. + properties: + directory: + description: >- + directory is the target directory name. + + Must not contain or start with '..'. If + '.' is supplied, the volume directory + will be the + + git repository. Otherwise, if + specified, the volume will contain the + git repository in + + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: >- + revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: >- + glusterfs represents a Glusterfs mount + on the host that shares a pod's + lifetime. + + Deprecated: Glusterfs is deprecated and + the in-tree glusterfs type is no longer + supported. + properties: + endpoints: + description: >- + endpoints is the endpoint name that + details Glusterfs topology. + type: string + path: + description: >- + path is the Glusterfs volume path. + + More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: >- + readOnly here will force the Glusterfs + volume to be mounted with read-only + permissions. + + Defaults to false. + + More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: >- + hostPath represents a pre-existing file + or directory on the host + + machine that is directly exposed to the + container. This is generally + + used for system agents or other + privileged things that are allowed + + to see the host machine. Most containers + will NOT need this. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: >- + path of the directory on the host. 
+ + If the path is a symlink, it will follow + the link to the real path. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: >- + type for HostPath Volume + + Defaults to "" + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: >- + image represents an OCI object (a + container image or artifact) pulled and + mounted on the kubelet's host machine. + + The volume is resolved at pod startup + depending on which PullPolicy value is + provided: + + + - Always: the kubelet always attempts to + pull the reference. Container creation + will fail If the pull fails. + + - Never: the kubelet never pulls the + reference and only uses a local image or + artifact. Container creation will fail + if the reference isn't present. + + - IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull + fails. + + + The volume gets re-resolved if the pod + gets deleted and recreated, which means + that new remote content will become + available on pod recreation. + + A failure to resolve or pull the image + during pod startup will block containers + from starting and may add significant + latency. Failures will be retried using + normal volume backoff and will be + reported on the pod reason and message. + + The types of objects that may be mounted + by this volume are defined by the + container runtime implementation on a + host machine and at minimum must include + all valid types supported by the + container image field. + + The OCI object gets mounted in a single + directory + (spec.containers[*].volumeMounts.mountPath) + by merging the manifest layers in the + same way as for container images. + + The volume will be mounted read-only + (ro) and non-executable files (noexec). 
+ + Sub path mounts for containers are not + supported + (spec.containers[*].volumeMounts.subpath) + before 1.33. + + The field + spec.securityContext.fsGroupChangePolicy + has no effect on this volume type. + properties: + pullPolicy: + description: >- + Policy for pulling OCI objects. Possible + values are: + + Always: the kubelet always attempts to + pull the reference. Container creation + will fail If the pull fails. + + Never: the kubelet never pulls the + reference and only uses a local image or + artifact. Container creation will fail + if the reference isn't present. + + IfNotPresent: the kubelet pulls if the + reference isn't already present on disk. + Container creation will fail if the + reference isn't present and the pull + fails. + + Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. + type: string + reference: + description: >- + Required: Image or artifact reference to + be used. + + Behaves in the same way as + pod.spec.containers[*].image. + + Pull secrets will be assembled in the + same way as for the container image by + looking up node credentials, SA image + pull secrets, and pod spec image pull + secrets. + + More info: + https://kubernetes.io/docs/concepts/containers/images + + This field is optional to allow higher + level config management to default or + override + + container images in workload controllers + like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: >- + iscsi represents an ISCSI Disk resource + that is attached to a + + kubelet's host machine and then exposed + to the pod. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/volumes/#iscsi + properties: + chapAuthDiscovery: + description: >- + chapAuthDiscovery defines whether + support iSCSI Discovery CHAP + authentication + type: boolean + chapAuthSession: + description: >- + chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: >- + initiatorName is the custom iSCSI + Initiator Name. + + If initiatorName is specified with + iscsiInterface simultaneously, new iSCSI + interface + + : will be + created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: >- + iscsiInterface is the interface Name + that uses an iSCSI transport. + + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: >- + portals is the iSCSI Target Portal List. + The portal is either an IP or + ip_addr:port if the port + + is other than default (typically TCP + ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + type: boolean + secretRef: + description: >- + secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: '' + description: >- + Name of the referent. 
+ + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: >- + targetPortal is iSCSI Target Portal. The + Portal is either an IP or ip_addr:port + if the port + + is other than default (typically TCP + ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: >- + name of the volume. + + Must be a DNS_LABEL and unique within + the pod. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: >- + nfs represents an NFS mount on the host + that shares a pod's lifetime + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: >- + path that is exported by the NFS server. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: >- + readOnly here will force the NFS export + to be mounted with read-only + permissions. + + Defaults to false. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: >- + server is the hostname or IP address of + the NFS server. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: >- + persistentVolumeClaimVolumeSource + represents a reference to a + + PersistentVolumeClaim in the same + namespace. 
+ + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: >- + claimName is the name of a + PersistentVolumeClaim in the same + namespace as the pod using this volume. + + More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: >- + readOnly Will force the ReadOnly setting + in VolumeMounts. + + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: >- + photonPersistentDisk represents a + PhotonController persistent disk + attached and mounted on kubelets host + machine. + + Deprecated: PhotonPersistentDisk is + deprecated and the in-tree + photonPersistentDisk type is no longer + supported. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + pdID: + description: >- + pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: >- + portworxVolume represents a portworx + volume attached and mounted on kubelets + host machine. + + Deprecated: PortworxVolume is + deprecated. All operations for the + in-tree portworxVolume type + + are redirected to the pxd.portworx.com + CSI driver when the CSIMigrationPortworx + feature-gate + + is on. + properties: + fsType: + description: >- + fSType represents the filesystem type to + mount + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs". Implicitly inferred + to be "ext4" if unspecified. + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. 
+ type: boolean + volumeID: + description: >- + volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: >- + projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: >- + defaultMode are the mode bits used to + set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + sources: + description: >- + sources is the list of volume + projections. Each entry in this list + + handles one source. + items: + description: >- + Projection that may be projected along + with other supported volume types. + + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: >- + ClusterTrustBundle allows a pod to + access the `.spec.trustBundle` field + + of ClusterTrustBundle objects in an + auto-updating file. + + + Alpha, gated by the + ClusterTrustBundleProjection feature + gate. + + + ClusterTrustBundle objects can either be + selected by name, or by the + + combination of signer name and a label + selector. + + + Kubelet performs aggressive + normalization of the PEM contents + written + + into the pod filesystem. Esoteric PEM + features such as inter-block + + comments and block headers are + stripped. Certificates are + deduplicated. + + The ordering of certificates within the + file is arbitrary, and Kubelet + + may change the order over time. + properties: + labelSelector: + description: >- + Select all ClusterTrustBundles that + match this label selector. 
Only has + + effect if signerName is set. + Mutually-exclusive with name. If unset, + + interpreted as "match nothing". If set + but empty, interpreted as "match + + everything". + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: >- + Select a single ClusterTrustBundle by + object name. Mutually-exclusive + + with signerName and labelSelector. + type: string + optional: + description: >- + If true, don't block pod startup if the + referenced ClusterTrustBundle(s) + + aren't available. If using name, then + the named ClusterTrustBundle is + + allowed not to exist. 
If using + signerName, then the combination of + + signerName and labelSelector is allowed + to match zero + + ClusterTrustBundles. + type: boolean + path: + description: >- + Relative path from the volume root to + write the bundle. + type: string + signerName: + description: >- + Select all ClusterTrustBundles that + match this signer name. + + Mutually-exclusive with name. The + contents of all selected + + ClusterTrustBundles will be unified and + deduplicated. + type: string + required: + - path + type: object + configMap: + description: >- + configMap information about the + configMap data to project + properties: + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + ConfigMap will be projected into the + volume as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the ConfigMap, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. 
+ + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: >- + downwardAPI information about the + downwardAPI data to project + properties: + items: + description: >- + Items is a list of DownwardAPIVolume + file + items: + description: >- + DownwardAPIVolumeFile represents + information to create the file + containing the pod field + properties: + fieldRef: + description: >- + Required: Selects a field of the pod: + only annotations, labels, name, + namespace and uid are supported. + properties: + apiVersion: + description: >- + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: >- + Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: >- + Optional: mode bits used to set + permissions on this file, must be an + octal value + + between 0000 and 0777 or a decimal value + between 0 and 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + path: + description: >- + Required: Path is the relative path + name of the file to be created. Must not + be absolute or contain the '..' path. + Must be utf-8 encoded. The first item of + the relative path must not start with + '..' + type: string + resourceFieldRef: + description: >- + Selects a resource of the container: + only resources limits and requests + + (limits.cpu, limits.memory, requests.cpu + and requests.memory) are currently + supported. + properties: + containerName: + description: >- + Container name: required for volumes, + optional for env vars + type: string + divisor: + anyOf: + - type: integer + - type: string + description: >- + Specifies the output format of the + exposed resources, defaults to "1" + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: >- + Projects an auto-rotating credential + bundle (private key and certificate + + chain) that the pod can use either as a + TLS client or server. + + + Kubelet generates a private key and uses + it to send a + + PodCertificateRequest to the named + signer. Once the signer approves the + + request and issues a certificate chain, + Kubelet writes the key and + + certificate chain to the pod + filesystem. The pod does not start + until + + certificates have been issued for each + podCertificate projected volume + + source in its spec. + + + Kubelet will begin trying to rotate the + certificate at the time indicated + + by the signer using the + PodCertificateRequest.Status.BeginRefreshAt + + timestamp. 
+ + + Kubelet can write a single file, + indicated by the credentialBundlePath + + field, or separate files, indicated by + the keyPath and + + certificateChainPath fields. + + + The credential bundle is a single file + in PEM format. The first PEM + + entry is the private key (in PKCS#8 + format), and the remaining PEM + + entries are the certificate chain issued + by the signer (typically, + + signers will return their certificate + chain in leaf-to-root order). + + + Prefer using the credential bundle + format, since your application code + + can read it atomically. If you use + keyPath and certificateChainPath, + + your application must make two separate + file reads. If these coincide + + with a certificate rotation, it is + possible that the private key and leaf + + certificate you read may not correspond + to each other. Your application + + will need to check for this condition, + and re-read until they are + + consistent. + + + The named signer controls chooses the + format of the certificate it + + issues; consult the signer + implementation's documentation to learn + how to + + use the certificates it issues. + properties: + certificateChainPath: + description: >- + Write the certificate chain at this path + in the projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + credentialBundlePath: + description: >- + Write the credential bundle at this path + in the projected volume. + + + The credential bundle is a single file + that contains multiple PEM blocks. + + The first PEM block is a PRIVATE KEY + block, containing a PKCS#8 private + + key. + + + The remaining blocks are CERTIFICATE + blocks, containing the issued + + certificate chain from the signer (leaf + and any intermediates). 
+ + + Using credentialBundlePath lets your + Pod's application code make a single + + atomic read that retrieves a consistent + key and certificate chain. If you + + project them to separate files, your + application code will need to + + additionally check that the leaf + certificate was issued to the key. + type: string + keyPath: + description: >- + Write the key at this path in the + projected volume. + + + Most applications should use + credentialBundlePath. When using + keyPath + + and certificateChainPath, your + application needs to check that the key + + and leaf certificate are consistent, + because it is possible to read the + + files mid-rotation. + type: string + keyType: + description: >- + The type of keypair Kubelet will + generate for the pod. + + + Valid values are "RSA3072", "RSA4096", + "ECDSAP256", "ECDSAP384", + + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: >- + maxExpirationSeconds is the maximum + lifetime permitted for the + + certificate. + + + Kubelet copies this value verbatim into + the PodCertificateRequests it + + generates for this projection. + + + If omitted, kube-apiserver will set it + to 86400(24 hours). kube-apiserver + + will reject values shorter than 3600 (1 + hour). The maximum allowable + + value is 7862400 (91 days). + + + The signer implementation is then free + to issue a certificate with any + + lifetime *shorter* than + MaxExpirationSeconds, but no shorter + than 3600 + + seconds (1 hour). This constraint is + enforced by kube-apiserver. + + `kubernetes.io` signers will never issue + certificates with a lifetime + + longer than 24 hours. + format: int32 + type: integer + signerName: + description: >- + Kubelet's generated CSRs will be + addressed to this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: >- + userAnnotations allow pod authors to + pass additional information to + + the signer implementation. 
Kubernetes + does not restrict or validate this + + metadata in any way. + + + These values are copied verbatim into + the `spec.unverifiedUserAnnotations` + field of + + the PodCertificateRequest objects that + Kubelet creates. + + + Entries are subject to the same + validation as object metadata + annotations, + + with the addition that all keys must be + domain-prefixed. No restrictions + + are placed on values, except an overall + size limitation on the entire field. + + + Signers should document the keys and + values they support. Signers should + + deny requests that contain keys they do + not recognize. + type: object + required: + - keyType + - signerName + type: object + secret: + description: >- + secret information about the secret data + to project + properties: + items: + description: >- + items if unspecified, each key-value + pair in the Data field of the referenced + + Secret will be projected into the volume + as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the Secret, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. + + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: >- + optional field specify whether the + Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: >- + serviceAccountToken is information about + the serviceAccountToken data to project + properties: + audience: + description: >- + audience is the intended audience of the + token. A recipient of a token + + must identify itself with an identifier + specified in the audience of the + + token, and otherwise should reject the + token. The audience defaults to the + + identifier of the apiserver. + type: string + expirationSeconds: + description: >- + expirationSeconds is the requested + duration of validity of the service + + account token. As the token approaches + expiration, the kubelet volume + + plugin will proactively rotate the + service account token. The kubelet will + + start trying to rotate the token if the + token is older than 80 percent of + + its time to live or if the token is + older than 24 hours.Defaults to 1 hour + + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: >- + path is the path relative to the mount + point of the file to project the + + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: >- + quobyte represents a Quobyte mount on + the host that shares a pod's lifetime. + + Deprecated: Quobyte is deprecated and + the in-tree quobyte type is no longer + supported. + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: >- + readOnly here will force the Quobyte + volume to be mounted with read-only + permissions. + + Defaults to false. + type: boolean + registry: + description: >- + registry represents a single or multiple + Quobyte Registry services + + specified as a string as host:port pair + (multiple entries are separated with + commas) + + which acts as the central registry for + volumes + type: string + tenant: + description: >- + tenant owning the given Quobyte volume + in the Backend + + Used with dynamically provisioned + Quobyte volumes, value is set by the + plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: >- + volume is a string that references an + already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: >- + rbd represents a Rados Block Device + mount on the host that shares a pod's + lifetime. + + Deprecated: RBD is deprecated and the + in-tree rbd type is no longer supported. + properties: + fsType: + description: >- + fsType is the filesystem type of the + volume that you want to mount. + + Tip: Ensure that the filesystem type is + supported by the host operating system. + + Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if + unspecified. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: >- + image is the rados image name. 
+ + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: >- + keyring is the path to key ring for + RBDUser. + + Default is /etc/ceph/keyring. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: >- + monitors is a collection of Ceph + monitors. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: >- + pool is the rados pool name. + + Default is rbd. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: >- + readOnly here will force the ReadOnly + setting in VolumeMounts. + + Defaults to false. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: >- + secretRef is name of the authentication + secret for RBDUser. If provided + + overrides keyring. + + Default is nil. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: >- + user is the rados user name. + + Default is admin. + + More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: >- + scaleIO represents a ScaleIO persistent + volume attached and mounted on + Kubernetes nodes. 
+ + Deprecated: ScaleIO is deprecated and + the in-tree scaleIO type is no longer + supported. + properties: + fsType: + default: xfs + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". + + Default is "xfs". + type: string + gateway: + description: >- + gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: >- + protectionDomain is the name of the + ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: >- + readOnly Defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef references to the secret for + ScaleIO user and other + + sensitive information. If this is not + provided, Login operation will fail. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. + + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: >- + sslEnabled Flag enable/disable SSL + communication with Gateway, default + false + type: boolean + storageMode: + default: ThinProvisioned + description: >- + storageMode indicates whether the + storage for a volume should be + ThickProvisioned or ThinProvisioned. + + Default is ThinProvisioned. + type: string + storagePool: + description: >- + storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: >- + system is the name of the storage system + as configured in ScaleIO. 
+ type: string + volumeName: + description: >- + volumeName is the name of a volume + already created in the ScaleIO system + + that is associated with this volume + source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: >- + secret represents a secret that should + populate this volume. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: >- + defaultMode is Optional: mode bits used + to set permissions on created files by + default. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values + + for mode bits. Defaults to 0644. + + Directories within the path are not + affected by this setting. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + items: + description: >- + items If unspecified, each key-value + pair in the Data field of the referenced + + Secret will be projected into the volume + as a file whose name is the + + key and content is the value. If + specified, the listed keys will be + + projected into the specified paths, and + unlisted keys will not be + + present. If a key is specified which is + not present in the Secret, + + the volume setup will error unless it is + marked optional. Paths must be + + relative and may not contain the '..' + path or start with '..'. + items: + description: >- + Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: >- + mode is Optional: mode bits used to set + permissions on this file. + + Must be an octal value between 0000 and + 0777 or a decimal value between 0 and + 511. + + YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
+ + If not specified, the volume defaultMode + will be used. + + This might be in conflict with other + options that affect the file + + mode, like fsGroup, and the result can + be other mode bits set. + format: int32 + type: integer + path: + description: >- + path is the relative path of the file to + map the key to. + + May not be an absolute path. + + May not contain the path element '..'. + + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: >- + optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: >- + secretName is the name of the secret in + the pod's namespace to use. + + More info: + https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: >- + storageOS represents a StorageOS volume + attached and mounted on Kubernetes + nodes. + + Deprecated: StorageOS is deprecated and + the in-tree storageos type is no longer + supported. + properties: + fsType: + description: >- + fsType is the filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + readOnly: + description: >- + readOnly defaults to false (read/write). + ReadOnly here will force + + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: >- + secretRef specifies the secret to use + for obtaining the StorageOS API + + credentials. If not specified, default + values will be attempted. + properties: + name: + default: '' + description: >- + Name of the referent. + + This field is effectively required, but + due to backwards compatibility is + + allowed to be empty. Instances of this + type with an empty value here are + + almost certainly wrong. 
+ + More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: >- + volumeName is the human-readable name of + the StorageOS volume. Volume + + names are only unique within a + namespace. + type: string + volumeNamespace: + description: >- + volumeNamespace specifies the scope of + the volume within StorageOS. If no + + namespace is specified then the Pod's + namespace will be used. This allows the + + Kubernetes name scoping to be mirrored + within StorageOS for tighter + integration. + + Set VolumeName to any name to override + the default behaviour. + + Set to "default" if you are not using + namespaces within StorageOS. + + Namespaces that do not pre-exist within + StorageOS will be created. + type: string + type: object + vsphereVolume: + description: >- + vsphereVolume represents a vSphere + volume attached and mounted on kubelets + host machine. + + Deprecated: VsphereVolume is deprecated. + All operations for the in-tree + vsphereVolume type + + are redirected to the + csi.vsphere.vmware.com CSI driver. + properties: + fsType: + description: >- + fsType is filesystem type to mount. + + Must be a filesystem type supported by + the host operating system. + + Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: >- + storagePolicyID is the storage Policy + Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: >- + storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: >- + volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + replicas: + description: >- + Replicas is the number of desired pods. 
Defaults + to 1. + format: int32 + type: integer + strategy: + description: >- + The deployment strategy to use to replace + existing pods with new ones. + properties: + rollingUpdate: + description: >- + Rolling update config params. Present only + if DeploymentStrategyType = + + RollingUpdate. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: >- + The maximum number of pods that can be + scheduled above the desired number of + + pods. + + Value can be an absolute number (ex: 5) + or a percentage of desired pods (ex: + 10%). + + This can not be 0 if MaxUnavailable is + 0. + + Absolute number is calculated from + percentage by rounding up. + + Defaults to 25%. + + Example: when this is set to 30%, the + new ReplicaSet can be scaled up + immediately when + + the rolling update starts, such that the + total number of old and new pods do not + exceed + + 130% of desired pods. Once old pods have + been killed, + + new ReplicaSet can be scaled up further, + ensuring that total number of pods + running + + at any time during the update is at most + 130% of desired pods. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: >- + The maximum number of pods that can be + unavailable during the update. + + Value can be an absolute number (ex: 5) + or a percentage of desired pods (ex: + 10%). + + Absolute number is calculated from + percentage by rounding down. + + This can not be 0 if MaxSurge is 0. + + Defaults to 25%. + + Example: when this is set to 30%, the + old ReplicaSet can be scaled down to 70% + of desired pods + + immediately when the rolling update + starts. Once new pods are ready, old + ReplicaSet + + can be scaled down further, followed by + scaling up the new ReplicaSet, ensuring + + that the total number of pods available + at all times during the update is at + + least 70% of desired pods. 
+ x-kubernetes-int-or-string: true + type: object + type: + description: >- + Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. + type: string + type: object + type: object + envoyHpa: + description: >- + EnvoyHpa defines the Horizontal Pod Autoscaler + settings for Envoy Proxy Deployment. + properties: + behavior: + description: >- + behavior configures the scaling behavior of the + target + + in both Up and Down directions (scaleUp and + scaleDown fields respectively). + + If not set, the default HPAScalingRules for + scale up and scale down are used. + + See + k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. + properties: + scaleDown: + description: >- + scaleDown is scaling policy for scaling + Down. + + If not set, the default value is to allow to + scale down to minReplicas pods, with a + + 300 second stabilization window (i.e., the + highest recommendation for + + the last 300sec is used). + properties: + policies: + description: >- + policies is a list of potential scaling + polices which can be used during + scaling. + + If not set, use the default values: + + - For scale up: allow doubling the + number of pods, or an absolute change of + 4 pods in a 15s window. + + - For scale down: allow all pods to be + removed in a 15s window. + items: + description: >- + HPAScalingPolicy is a single policy + which must hold true for a specified + past interval. + properties: + periodSeconds: + description: >- + periodSeconds specifies the window of + time for which the policy should hold + true. + + PeriodSeconds must be greater than zero + and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: >- + type is used to specify the scaling + policy. + type: string + value: + description: >- + value contains the amount of change + which is permitted by the policy. 
+ + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: >- + selectPolicy is used to specify which + policy should be used. + + If not set, the default value Max is + used. + type: string + stabilizationWindowSeconds: + description: >- + stabilizationWindowSeconds is the number + of seconds for which past + recommendations should be + + considered while scaling up or scaling + down. + + StabilizationWindowSeconds must be + greater than or equal to zero and less + than or equal to 3600 (one hour). + + If not set, use the default values: + + - For scale up: 0 (i.e. no stabilization + is done). + + - For scale down: 300 (i.e. the + stabilization window is 300 seconds + long). + format: int32 + type: integer + tolerance: + anyOf: + - type: integer + - type: string + description: >- + tolerance is the tolerance on the ratio + between the current and desired + + metric value under which no updates are + made to the desired number of + + replicas (e.g. 0.01 for 1%). Must be + greater than or equal to zero. If not + + set, the default cluster-wide tolerance + is applied (by default 10%). + + + For example, if autoscaling is + configured with a memory consumption + target of 100Mi, + + and scale-down and scale-up tolerances + of 5% and 1% respectively, scaling will + be + + triggered when the actual consumption + falls below 95Mi or exceeds 101Mi. + + + This is an beta field and requires the + HPAConfigurableTolerance feature + + gate to be enabled. + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + scaleUp: + description: >- + scaleUp is scaling policy for scaling Up. 
+ + If not set, the default value is the higher + of: + * increase no more than 4 pods per 60 seconds + * double the number of pods per 60 seconds + No stabilization is used. + properties: + policies: + description: >- + policies is a list of potential scaling + polices which can be used during + scaling. + + If not set, use the default values: + + - For scale up: allow doubling the + number of pods, or an absolute change of + 4 pods in a 15s window. + + - For scale down: allow all pods to be + removed in a 15s window. + items: + description: >- + HPAScalingPolicy is a single policy + which must hold true for a specified + past interval. + properties: + periodSeconds: + description: >- + periodSeconds specifies the window of + time for which the policy should hold + true. + + PeriodSeconds must be greater than zero + and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: >- + type is used to specify the scaling + policy. + type: string + value: + description: >- + value contains the amount of change + which is permitted by the policy. + + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: >- + selectPolicy is used to specify which + policy should be used. + + If not set, the default value Max is + used. + type: string + stabilizationWindowSeconds: + description: >- + stabilizationWindowSeconds is the number + of seconds for which past + recommendations should be + + considered while scaling up or scaling + down. + + StabilizationWindowSeconds must be + greater than or equal to zero and less + than or equal to 3600 (one hour). + + If not set, use the default values: + + - For scale up: 0 (i.e. no stabilization + is done). + + - For scale down: 300 (i.e. the + stabilization window is 300 seconds + long). 
+ format: int32 + type: integer + tolerance: + anyOf: + - type: integer + - type: string + description: >- + tolerance is the tolerance on the ratio + between the current and desired + + metric value under which no updates are + made to the desired number of + + replicas (e.g. 0.01 for 1%). Must be + greater than or equal to zero. If not + + set, the default cluster-wide tolerance + is applied (by default 10%). + + + For example, if autoscaling is + configured with a memory consumption + target of 100Mi, + + and scale-down and scale-up tolerances + of 5% and 1% respectively, scaling will + be + + triggered when the actual consumption + falls below 95Mi or exceeds 101Mi. + + + This is an beta field and requires the + HPAConfigurableTolerance feature + + gate to be enabled. + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + maxReplicas: + description: >- + maxReplicas is the upper limit for the number of + replicas to which the autoscaler can scale up. + + It cannot be less that minReplicas. + format: int32 + type: integer + x-kubernetes-validations: + - message: maxReplicas must be greater than 0 + rule: self > 0 + metrics: + description: >- + metrics contains the specifications for which to + use to calculate the + + desired replica count (the maximum replica count + across all metrics will + + be used). + + If left empty, it defaults to being based on CPU + utilization with average on 80% usage. + items: + description: >- + MetricSpec specifies how to scale based on a + single metric + + (only `type` and one other matching field + should be set at once). + properties: + containerResource: + description: >- + containerResource refers to a resource + metric (such as those specified in + + requests and limits) known to Kubernetes + describing a single container in + + each pod of the current scale target (e.g. 
+ CPU or memory). Such metrics are + + built in to Kubernetes, and have special + scaling options on top of those + + available to normal per-pod metrics using + the "pods" source. + properties: + container: + description: >- + container is the name of the container + in the pods of the scaling target + type: string + name: + description: >- + name is the name of the resource in + question. + type: string + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + description: >- + external refers to a global metric that is + not associated + + with any Kubernetes object. 
It allows + autoscaling based on information + + coming from components running outside of + cluster + + (for example length of queue in cloud + messaging service, or + + QPS from loadbalancer running outside of + cluster). + properties: + metric: + description: >- + metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: >- + selector is the string-encoded form of a + standard kubernetes label selector for + the given metric + + When set, it is passed as an additional + parameter to the metrics server for more + specific metrics scoping. + + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + description: >- + object refers to a metric describing a + single kubernetes object + + (for example, hits-per-second on an + Ingress object). 
+ properties: + describedObject: + description: >- + describedObject specifies the + descriptions of a object,such as + kind,name apiVersion + properties: + apiVersion: + description: >- + apiVersion is the API version of the + referent + type: string + kind: + description: >- + kind is the kind of the referent; More + info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: >- + name is the name of the referent; More + info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - kind + - name + type: object + metric: + description: >- + metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: >- + selector is the string-encoded form of a + standard kubernetes label selector for + the given metric + + When set, it is passed as an additional + parameter to the metrics server for more + specific metrics scoping. + + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. 
This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). 
+ pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + description: >- + pods refers to a metric describing each + pod in the current scale target + + (for example, + transactions-processed-per-second). The + values will be + + averaged together before being compared to + the target value. + properties: + metric: + description: >- + metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: >- + selector is the string-encoded form of a + standard kubernetes label selector for + the given metric + + When set, it is passed as an additional + parameter to the metrics server for more + specific metrics scoping. + + When unset, just the metricName will be + used to gather metrics. + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} + pairs. A single {key,value} in the + matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). 
+ pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + description: >- + resource refers to a resource metric (such + as those specified in + + requests and limits) known to Kubernetes + describing each pod in the + + current scale target (e.g. CPU or memory). + Such metrics are built in to + + Kubernetes, and have special scaling + options on top of those available + + to normal per-pod metrics using the "pods" + source. + properties: + name: + description: >- + name is the name of the resource in + question. + type: string + target: + description: >- + target specifies the target value for + the given metric + properties: + averageUtilization: + description: >- + averageUtilization is the target value + of the average of the + + resource metric across all relevant + pods, represented as a percentage of + + the requested value of the resource for + the pods. + + Currently only valid for Resource metric + source type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: >- + averageValue is the target value of the + average of the + + metric across all relevant pods (as a + quantity) + pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: >- + type represents whether the metric type + is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: >- + value is the target value of the metric + (as a quantity). 
+ pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + description: >- + type is the type of metric source. It + should be one of "ContainerResource", + "External", + + "Object", "Pods" or "Resource", each + mapping to a matching field in the object. + type: string + required: + - type + type: object + type: array + minReplicas: + description: >- + minReplicas is the lower limit for the number of + replicas to which the autoscaler + + can scale down. It defaults to 1 replica. + format: int32 + type: integer + x-kubernetes-validations: + - message: minReplicas must be greater than 0 + rule: self > 0 + name: + description: >- + Name of the horizontalPodAutoScaler. + + When unset, this defaults to an autogenerated + name. + type: string + patch: + description: >- + Patch defines how to perform the patch operation + to the HorizontalPodAutoscaler + properties: + type: + description: >- + Type is the type of merge operation to + perform + + + By default, StrategicMerge is used as the + patch type. + type: string + value: + description: >- + Object contains the raw configuration for + merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object + required: + - maxReplicas + type: object + x-kubernetes-validations: + - message: maxReplicas cannot be less than minReplicas + rule: >- + !has(self.minReplicas) || self.maxReplicas >= + self.minReplicas + envoyPDB: + description: >- + EnvoyPDB allows to control the pod disruption budget + of an Envoy Proxy. 
+ properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + description: >- + MaxUnavailable specifies the maximum amount of + pods (can be expressed as integers or as a + percentage) that can be unavailable at all times + during voluntary disruptions, + + such as node drains or updates. This setting + ensures that your envoy proxy maintains a + certain level of availability + + and resilience during maintenance operations. + Cannot be combined with minAvailable. + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + description: >- + MinAvailable specifies the minimum amount of + pods (can be expressed as integers or as a + percentage) that must be available at all times + during voluntary disruptions, + + such as node drains or updates. This setting + ensures that your envoy proxy maintains a + certain level of availability + + and resilience during maintenance operations. + Cannot be combined with maxUnavailable. + x-kubernetes-int-or-string: true + name: + description: >- + Name of the podDisruptionBudget. + + When unset, this defaults to an autogenerated + name. + type: string + patch: + description: >- + Patch defines how to perform the patch operation + to the PodDisruptionBudget + properties: + type: + description: >- + Type is the type of merge operation to + perform + + + By default, StrategicMerge is used as the + patch type. + type: string + value: + description: >- + Object contains the raw configuration for + merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object + type: object + x-kubernetes-validations: + - message: >- + only one of minAvailable or maxUnavailable can + be specified + rule: >- + (has(self.minAvailable) && + !has(self.maxUnavailable)) || + (!has(self.minAvailable) && + has(self.maxUnavailable)) + envoyService: + description: >- + EnvoyService defines the desired state of the Envoy + service resource. 
+
+ If unspecified, default settings for the managed
+ Envoy service resource
+
+ are applied.
+ properties:
+ allocateLoadBalancerNodePorts:
+ description: >-
+ AllocateLoadBalancerNodePorts defines if
+ NodePorts will be automatically allocated for
+
+ services with type LoadBalancer. Default is
+ "true". It may be set to "false" if the cluster
+
+ load-balancer does not rely on NodePorts. If the
+ caller requests specific NodePorts (by
+ specifying a
+
+ value), those requests will be respected,
+ regardless of this field. This field may only be
+ set for
+
+ services with type LoadBalancer and will be
+ cleared if the type is changed to any other
+ type.
+ type: boolean
+ annotations:
+ additionalProperties:
+ type: string
+ description: >-
+ Annotations that should be appended to the
+ service.
+
+ By default, no annotations are appended.
+ type: object
+ externalTrafficPolicy:
+ default: Local
+ description: >-
+ ExternalTrafficPolicy determines the
+ externalTrafficPolicy for the Envoy Service.
+ Valid options
+
+ are Local and Cluster. Default is "Local".
+ "Local" means traffic will only go to pods on
+ the node
+
+ receiving the traffic. "Cluster" means
+ connections are loadbalanced to all pods in the
+ cluster.
+ enum:
+ - Local
+ - Cluster
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels that should be appended to the service.
+ By default, no labels are appended.
+ type: object
+ loadBalancerClass:
+ description: >-
+ LoadBalancerClass, when specified, allows for
+ choosing the LoadBalancer provider
+
+ implementation if more than one are available or
+ is otherwise expected to be specified
+ type: string
+ loadBalancerIP:
+ description: >-
+ LoadBalancerIP defines the IP Address of the
+ underlying load balancer service. This field
+
+ may be ignored if the load balancer provider
+ does not support this feature.
+
+ This field has been deprecated in Kubernetes,
+ but it is still used for setting the IP Address
+ in some cloud
+
+ providers such as GCP.
+ type: string
+ x-kubernetes-validations:
+ - message: loadBalancerIP must be a valid IPv4 address
+ rule: >-
+ self.matches(r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
+ loadBalancerSourceRanges:
+ description: >-
+ LoadBalancerSourceRanges defines a list of
+ allowed IP addresses which will be configured as
+
+ firewall rules on the platform providers load
+ balancer. This is not guaranteed to be working
+ as
+
+ it happens outside of kubernetes and has to be
+ supported and handled by the platform provider.
+
+ This field may only be set for services with
+ type LoadBalancer and will be cleared if the
+ type
+
+ is changed to any other type.
+ items:
+ type: string
+ type: array
+ name:
+ description: >-
+ Name of the service.
+
+ When unset, this defaults to an autogenerated
+ name.
+ type: string
+ patch:
+ description: >-
+ Patch defines how to perform the patch operation
+ to the service
+ properties:
+ type:
+ description: >-
+ Type is the type of merge operation to
+ perform
+
+
+ By default, StrategicMerge is used as the
+ patch type.
+ type: string
+ value:
+ description: >-
+ Object contains the raw configuration for
+ merged object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - value
+ type: object
+ type:
+ default: LoadBalancer
+ description: >-
+ Type determines how the Service is exposed.
+ Defaults to LoadBalancer.
+
+ Valid options are ClusterIP, LoadBalancer and
+ NodePort.
+
+ "LoadBalancer" means a service will be exposed
+ via an external load balancer (if the cloud
+ provider supports it).
+
+ "ClusterIP" means a service will only be
+ accessible inside the cluster, via the cluster
+ IP.
+
+ "NodePort" means a service will be exposed on a
+ static Port on all Nodes of the cluster.
+ enum:
+ - ClusterIP
+ - LoadBalancer
+ - NodePort
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: >-
+ allocateLoadBalancerNodePorts can only be set
+ for LoadBalancer type
+ rule: >-
+ !has(self.allocateLoadBalancerNodePorts) ||
+ self.type == 'LoadBalancer'
+ - message: >-
+ loadBalancerSourceRanges can only be set for
+ LoadBalancer type
+ rule: >-
+ !has(self.loadBalancerSourceRanges) || self.type
+ == 'LoadBalancer'
+ - message: >-
+ loadBalancerIP can only be set for LoadBalancer
+ type
+ rule: >-
+ !has(self.loadBalancerIP) || self.type ==
+ 'LoadBalancer'
+ envoyServiceAccount:
+ description: >-
+ EnvoyServiceAccount defines the desired state of the
+ Envoy service account resource.
+ properties:
+ name:
+ description: >-
+ Name of the Service Account.
+
+ When unset, this defaults to an autogenerated
+ name.
+ type: string
+ type: object
+ useListenerPortAsContainerPort:
+ description: >-
+ UseListenerPortAsContainerPort disables the port
+ shifting feature in the Envoy Proxy.
+
+ When set to false (default value), if the service
+ port is a privileged port (1-1023), add a constant
+ to the value converting it into an ephemeral port.
+
+ This allows the container to bind to the port
+ without needing a CAP_NET_BIND_SERVICE capability.
+ type: boolean
+ type: object
+ x-kubernetes-validations:
+ - message: >-
+ only one of envoyDeployment or envoyDaemonSet can be
+ specified
+ rule: >-
+ ((has(self.envoyDeployment) &&
+ !has(self.envoyDaemonSet)) ||
+ (!has(self.envoyDeployment) &&
+ has(self.envoyDaemonSet))) ||
+ (!has(self.envoyDeployment) &&
+ !has(self.envoyDaemonSet))
+ - message: cannot use envoyHpa if envoyDaemonSet is used
+ rule: >-
+ ((has(self.envoyHpa) && !has(self.envoyDaemonSet))
+ || (!has(self.envoyHpa) &&
+ has(self.envoyDaemonSet))) || (!has(self.envoyHpa)
+ && !has(self.envoyDaemonSet))
+ type:
+ description: >-
+ Type is the type of resource provider to use.
A resource
+ provider provides
+
+ infrastructure resources for running the data plane,
+ e.g. Envoy proxy, and
+
+ optional auxiliary control planes. Supported types are
+ "Kubernetes"and "Host".
+ enum:
+ - Kubernetes
+ - Host
+ type: string
+ required:
+ - type
+ type: object
+ routingType:
+ description: >-
+ RoutingType can be set to "Service" to use the Service
+ Cluster IP for routing to the backend,
+
+ or it can be set to "Endpoint" to use Endpoint routing. The
+ default is "Endpoint".
+ type: string
+ shutdown:
+ description: >-
+ Shutdown defines configuration for graceful envoy shutdown
+ process.
+ properties:
+ drainTimeout:
+ description: >-
+ DrainTimeout defines the graceful drain timeout. This
+ should be less than the pod's
+ terminationGracePeriodSeconds.
+
+ If unspecified, defaults to 60 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ minDrainDuration:
+ description: >-
+ MinDrainDuration defines the minimum drain duration
+ allowing time for endpoint deprogramming to complete.
+
+ If unspecified, defaults to 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ telemetry:
+ description: Telemetry defines telemetry parameters for managed proxies.
+ properties:
+ accessLog:
+ description: >-
+ AccessLogs defines accesslog parameters for managed
+ proxies.
+
+ If unspecified, will send default format to stdout.
+ properties:
+ disable:
+ description: >-
+ Disable disables access logging for managed proxies
+ if set to true.
+ type: boolean
+ settings:
+ description: >-
+ Settings defines accesslog settings for managed
+ proxies.
+
+ If unspecified, will send default format to stdout.
+ items:
+ properties:
+ format:
+ description: |-
+ Format defines the format of accesslog.
+ This will be ignored if sink type is ALS.
+ properties:
+ json:
+ additionalProperties:
+ type: string
+ description: >-
+ JSON is additional attributes that
+ describe the specific event occurrence.
+
+ Structured format for the envoy access
+ logs. Envoy [command
+ operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
+
+ can be used as values for fields within
+ the Struct.
+
+ It's required when the format type is
+ "JSON".
+ type: object
+ text:
+ description: >-
+ Text defines the text accesslog format,
+ following Envoy accesslog formatting,
+
+ It's required when the format type is
+ "Text".
+
+ Envoy [command
+ operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
+ may be used in the format.
+
+ The [format string
+ documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
+ provides more information.
+ type: string
+ type:
+ description: >-
+ Type defines the type of accesslog format.
+
+ When unset, both text and json can be
+ specified.
+ enum:
+ - Text
+ - JSON
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: >-
+ If AccessLogFormat type is Text, text
+ field needs to be set.
+ rule: >-
+ has(self.type) && self.type == 'Text' ?
+ has(self.text) : true
+ - message: >-
+ If AccessLogFormat type is Text, json
+ field must not be set.
+ rule: >-
+ has(self.type) && self.type == 'Text' ?
+ !has(self.json) : true
+ - message: >-
+ If AccessLogFormat type is JSON, json
+ field needs to be set.
+ rule: >-
+ has(self.type) && self.type == 'JSON' ?
+ has(self.json) : true
+ - message: >-
+ If AccessLogFormat type is JSON, text
+ field must not be set.
+ rule: >-
+ has(self.type) && self.type == 'JSON' ?
+ !has(self.text) : true
+ - message: >-
+ If AccessLogFormat type is unset, at least
+ one of text or json must be set.
+ rule: >-
+ !has(self.type) ? (has(self.text) ||
+ has(self.json)) : true
+ matches:
+ description: >-
+ Matches defines the match conditions for
+ accesslog in CEL expression.
+
+ An accesslog will be emitted only when one or
+ more match conditions are evaluated to true.
+
+ Invalid
+ [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto)
+ expressions will be ignored.
+ items:
+ type: string
+ maxItems: 10
+ type: array
+ sinks:
+ description: Sinks defines the sinks of accesslog.
+ items:
+ description: >-
+ ProxyAccessLogSink defines the sink of
+ accesslog.
+ properties:
+ als:
+ description: >-
+ ALS defines the gRPC Access Log Service
+ (ALS) sink.
+ properties:
+ backendRef:
+ description: >-
+ BackendRef references a Kubernetes
+ object that represents the
+
+ backend server to which the
+ authorization request will be sent.
+
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ''
+ description: >-
+ Group is the group of the referent. For
+ example, "gateway.networking.k8s.io".
+
+ When unspecified or empty string, core
+ API group is inferred.
+ maxLength: 253
+ pattern: >-
+ ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: >-
+ Kind is the Kubernetes resource kind of
+ the referent. For example
+
+ "Service".
+
+
+ Defaults to "Service" when not
+ specified.
+
+
+ ExternalName services can refer to CNAME
+ DNS records that may live
+
+ outside of the cluster and as such are
+ difficult to reason about in
+
+ terms of conformance. They also may not
+ be safe to forward to (see
+
+ CVE-2021-25740 for more information).
+ Implementations SHOULD NOT
+
+ support ExternalName Services.
+
+
+ Support: Core (Services with a type
+ other than ExternalName)
+
+
+ Support: Implementation-specific
+ (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: >-
+ Namespace is the namespace of the
+ backend. When unspecified, the local
+
+ namespace is inferred.
+
+
+ Note that when a namespace different
+ than the local namespace is specified,
+
+ a ReferenceGrant object is required in
+ the referent namespace to allow that
+
+ namespace's owner to accept the
+ reference. See the ReferenceGrant
+
+ documentation for details.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: >-
+ Port specifies the destination port
+ number to use for this resource.
+
+ Port is required when the referent is a
+ Kubernetes Service. In this
+
+ case, the port number is the service
+ port number, not the target port.
+
+ For other resources, destination port
+ might be derived from the referent
+
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: >-
+ (size(self.group) == 0 && self.kind ==
+ 'Service') ? has(self.port) : true
+ backendRefs:
+ description: >-
+ BackendRefs references a Kubernetes
+ object that represents the
+
+ backend server to which the
+ authorization request will be sent.
+ items:
+ description: >-
+ BackendRef defines how an
+ ObjectReference that is specific to
+ BackendRef.
+ properties:
+ fallback:
+ description: >-
+ Fallback indicates whether the backend
+ is designated as a fallback.
+
+ Multiple fallback backends can be
+ configured.
+
+ It is highly recommended to configure
+ active or passive health checks to
+ ensure that failover can be detected
+
+ when the active backends become
+ unhealthy and to automatically readjust
+ once the primary backends are healthy
+ again.
+
+ The overprovisioning factor is set to
+ 1.4, meaning the fallback backends will
+ only start receiving traffic when
+
+ the health of the active backends falls
+ below 72%.
+ type: boolean
+ group:
+ default: ''
+ description: >-
+ Group is the group of the referent. For
+ example, "gateway.networking.k8s.io".
+
+ When unspecified or empty string, core
+ API group is inferred.
+ maxLength: 253
+ pattern: >-
+ ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: >-
+ Kind is the Kubernetes resource kind of
+ the referent. For example
+
+ "Service".
+
+
+ Defaults to "Service" when not
+ specified.
+
+
+ ExternalName services can refer to CNAME
+ DNS records that may live
+
+ outside of the cluster and as such are
+ difficult to reason about in
+
+ terms of conformance. They also may not
+ be safe to forward to (see
+
+ CVE-2021-25740 for more information).
+ Implementations SHOULD NOT
+
+ support ExternalName Services.
+
+
+ Support: Core (Services with a type
+ other than ExternalName)
+
+
+ Support: Implementation-specific
+ (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: >-
+ Namespace is the namespace of the
+ backend. When unspecified, the local
+
+ namespace is inferred.
+
+
+ Note that when a namespace different
+ than the local namespace is specified,
+
+ a ReferenceGrant object is required in
+ the referent namespace to allow that
+
+ namespace's owner to accept the
+ reference. See the ReferenceGrant
+
+ documentation for details.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: >-
+ Port specifies the destination port
+ number to use for this resource.
+
+ Port is required when the referent is a
+ Kubernetes Service. In this
+
+ case, the port number is the service
+ port number, not the target port.
+
+ For other resources, destination port
+ might be derived from the referent
+
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: >-
+ Weight specifies the proportion of
+ requests forwarded to the referenced
+
+ backend. This is computed as weight/(sum
+ of all weights in this
+
+ BackendRefs list). For non-zero values,
+ there may be some epsilon from
+
+ the exact proportion defined here
+ depending on the precision an
+
+ implementation supports. Weight is not a
+ percentage and the sum of
+
+ weights does not need to equal 100.
+
+
+ If only one backend is specified and it
+ has a weight greater than 0, 100%
+
+ of the traffic is forwarded to that
+ backend. If weight is set to 0, no
+
+ traffic should be forwarded for this
+ entry. If unspecified, weight
+
+ defaults to 1.
+
+
+ Support for this field varies based on
+ the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: >-
+ (size(self.group) == 0 && self.kind ==
+ 'Service') ? has(self.port) : true
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: >-
+ BackendSettings holds configuration for
+ managing the connection
+
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: >-
+ Circuit Breaker settings for the
+ upstream connections and requests.
+
+ If not set, circuit breakers will be
+ enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: >-
+ The maximum number of connections that
+ Envoy will establish to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: >-
+ The maximum number of parallel requests
+ that Envoy will make to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: >-
+ The maximum number of parallel retries
+ that Envoy will make to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: >-
+ The maximum number of pending requests
+ that Envoy will queue to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: >-
+ The maximum number of requests that
+ Envoy will make over a single connection
+ to the referenced backend defined within
+ a xRoute rule.
+
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: >-
+ PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an
+ upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: >-
+ MaxConnections configures the maximum
+ number of connections that Envoy will
+ establish per-endpoint to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: >-
+ Connection includes backend connection
+ settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: >-
+ ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: >-
+ BufferLimit Soft limit on size of the
+ cluster’s connections read and write
+ buffers.
+
+ BufferLimit applies to connection
+ streaming (maybe non-streaming) channel
+ between processes, it's in user space.
+
+ If unspecified, an implementation
+ defined default is applied (32768
+ bytes).
+
+ For example, 20Mi, 1Gi, 256Ki etc.
+
+ Note: that when the suffix is not
+ provided, the value is interpreted as
+ bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: >-
+ Preconnect configures proactive upstream
+ connections to reduce latency by
+ establishing
+
+ connections before they’re needed and
+ avoiding connection establishment
+ overhead.
+
+
+ If unset, Envoy will fetch connections
+ as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: >-
+ PerEndpointPercent configures how many
+ additional connections to maintain per
+
+ upstream endpoint, useful for high-QPS
+ or latency sensitive services. Expressed
+ as a
+
+ percentage of the connections required
+ by active streams
+
+ (e.g. 100 = preconnect disabled, 105 =
+ 1.05x connections per-endpoint, 200 =
+ 2.00×).
+
+
+ Allowed value range is between 100-300.
+ When both PerEndpointPercent and
+
+ PredictivePercent are set, Envoy ensures
+ both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: >-
+ PredictivePercent configures how many
+ additional connections to maintain
+
+ across the cluster by anticipating which
+ upstream endpoint the load balancer
+
+ will select next, useful for low-QPS
+ services. Relies on deterministic
+
+ loadbalancing and is only supported with
+ Random or RoundRobin.
+
+ Expressed as a percentage of the
+ connections required by active streams
+
+ (e.g. 100 = 1.0 (no preconnect), 105 =
+ 1.05× connections across the cluster,
+ 200 = 2.00×).
+
+
+ Minimum allowed value is 100. When both
+ PerEndpointPercent and PredictivePercent
+ are
+
+ set Envoy ensures both are satisfied per
+ host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: >-
+ ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: >-
+ SocketBufferLimit provides configuration
+ for the maximum buffer size in bytes for
+ each socket
+
+ to backend.
+
+ SocketBufferLimit applies to socket
+ streaming channel between TCP/IP stacks,
+ it's in kernel space.
+
+ For example, 20Mi, 1Gi, 256Ki etc.
+
+ Note that when the suffix is not
+ provided, the value is interpreted as
+ bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: >-
+ DNSRefreshRate specifies the rate at
+ which DNS records should be refreshed.
+
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: >-
+ LookupFamily determines how Envoy would
+ resolve DNS for Routes where the backend
+ is specified as a fully qualified domain
+ name (FQDN).
+
+ If set, this configuration overrides
+ other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: >-
+ RespectDNSTTL indicates whether the DNS
+ Time-To-Live (TTL) should be respected.
+
+ If the value is set to true, the DNS
+ refresh rate will be set to the resource
+ record’s TTL.
+
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: >-
+ HealthCheck allows gateway to perform
+ active health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: >-
+ GRPC defines the configuration of the
+ GRPC health checker.
+
+ It's optional, and can only be used if
+ the specified type is GRPC.
+ properties:
+ service:
+ description: >-
+ Service to send in the health check
+ request.
+
+ If this is not specified, then the
+ health check request applies to the
+ entire
+
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: >-
+ HealthyThreshold defines the number of
+ healthy health checks required before a
+ backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: >-
+ HTTP defines the configuration of http
+ health checker.
+
+ It's required while the health checker
+ type is HTTP.
+ properties:
+ expectedResponse:
+ description: >-
+ ExpectedResponse defines a list of HTTP
+ expected responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: >-
+ If payload type is Text, text field
+ needs to be set.
+ rule: >-
+ self.type == 'Text' ? has(self.text) :
+ !has(self.text)
+ - message: >-
+ If payload type is Binary, binary field
+ needs to be set.
+ rule: >-
+ self.type == 'Binary' ? has(self.binary)
+ : !has(self.binary)
+ expectedStatuses:
+ description: >-
+ ExpectedStatuses defines a list of HTTP
+ response statuses considered healthy.
+
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: >-
+ Hostname defines the HTTP Host header
+ used for active HTTP health checks.
+
+ Host selection uses this order: this
+ field, the associated Backend endpoint
+
+ hostname if available, then the
+ effective Route hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: >-
+ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: >-
+ Method defines the HTTP method used for
+ health checking.
+
+ Defaults to GET
+ type: string
+ path:
+ description: >-
+ Path defines the HTTP path that will be
+ requested during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: >-
+ InitialJitter defines the maximum time
+ Envoy will wait before the first health
+ check.
+
+ Envoy will randomly select a value
+ between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: >-
+ Interval defines the time between active
+ health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: >-
+ TCP defines the configuration of tcp
+ health checker.
+
+ It's required while the health checker
+ type is TCP.
+ properties:
+ receive:
+ description: >-
+ Receive defines the expected response
+ payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: >-
+ If payload type is Text, text field
+ needs to be set.
+ rule: >-
+ self.type == 'Text' ? has(self.text) :
+ !has(self.text)
+ - message: >-
+ If payload type is Binary, binary field
+ needs to be set.
+ rule: >-
+ self.type == 'Binary' ? has(self.binary)
+ : !has(self.binary)
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: >-
+ If payload type is Text, text field
+ needs to be set.
+ rule: >-
+ self.type == 'Text' ? has(self.text) :
+ !has(self.text)
+ - message: >-
+ If payload type is Binary, binary field
+ needs to be set.
+ rule: >-
+ self.type == 'Binary' ? has(self.binary)
+ : !has(self.binary)
+ type: object
+ timeout:
+ default: 1s
+ description: >-
+ Timeout defines the time to wait for a
+ health check response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: >-
+ UnhealthyThreshold defines the number of
+ unhealthy health checks required before
+ a backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: >-
+ If Health Checker type is HTTP, http
+ field needs to be set.
+ rule: >-
+ self.type == 'HTTP' ? has(self.http) :
+ !has(self.http)
+ - message: >-
+ If Health Checker type is TCP, tcp field
+ needs to be set.
+ rule: >-
+ self.type == 'TCP' ? has(self.tcp) :
+ !has(self.tcp)
+ - message: >-
+ The grpc field can only be set if the
+ Health Checker type is GRPC.
+ rule: >-
+ has(self.grpc) ? self.type == 'GRPC' :
+ true
+ panicThreshold:
+ description: >-
+ When number of unhealthy endpoints for a
+ backend reaches this threshold
+
+ Envoy will disregard health status and
+ balance across all endpoints.
+
+ It's designed to prevent a situation in
+ which host failures cascade throughout
+ the cluster
+
+ as load increases. If not set, the
+ default value is 50%. To disable panic
+ mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: >-
+ BaseEjectionTime defines the base
+ duration for which a host will be
+ ejected on consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: >-
+ Consecutive5xxErrors sets the number of
+ consecutive 5xx errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: >-
+ ConsecutiveGatewayErrors sets the number
+ of consecutive gateway errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: >-
+ ConsecutiveLocalOriginFailures sets the
+ number of consecutive local origin
+ failures triggering ejection.
+
+ Parameter takes effect only when
+ split_external_local_origin_errors is
+ set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: >-
+ FailurePercentageThreshold sets the
+ failure percentage threshold for outlier
+ detection.
+
+ If the failure percentage of a given
+ host is greater than or equal to this
+ value, it will be ejected.
+
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: >-
+ Interval defines the time between
+ passive health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: >-
+ MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that
+ can be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: >-
+ SplitExternalLocalOriginErrors enables
+ splitting of errors between external and
+ local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: >-
+ HTTP2 provides HTTP/2 configuration for
+ backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: >-
+ ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: >-
+ InitialConnectionWindowSize sets the
+ initial window size for HTTP/2
+ connections.
+
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: >-
+ ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: >-
+ InitialStreamWindowSize sets the initial
+ window size for HTTP/2 streams.
+
+ If not set, the default value is 64
+ KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: >-
+ MaxConcurrentStreams sets the maximum
+ number of concurrent streams allowed per
+ connection.
+
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: >-
+ OnInvalidMessage determines if Envoy
+ will terminate the connection or just
+ the offending stream in the event of
+ HTTP messaging error
+
+ It's recommended for L2 Envoy
+ deployments to set this value to
+ TerminateStream.
+
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: >-
+ LoadBalancer policy to apply when
+ routing traffic from the gateway to
+
+ the backend endpoints. Defaults to
+ `LeastRequest`.
+ properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. 
+ items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. 
+ properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. 
+ properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? !has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? 
+ !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, + allowing users to customize the number + of retries, retry fallback strategy, and + retry triggering conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. 
+ + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with + the upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. 
+ format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy + only works with RoundRobin or Random + load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + http: + description: >- + HTTP defines additional configuration + specific to HTTP access logs. + properties: + requestHeaders: + description: >- + RequestHeaders defines request headers + to include in log entries sent to the + access log service. + items: + type: string + type: array + responseHeaders: + description: >- + ResponseHeaders defines response headers + to include in log entries sent to the + access log service. + items: + type: string + type: array + responseTrailers: + description: >- + ResponseTrailers defines response + trailers to include in log entries sent + to the access log service. + items: + type: string + type: array + type: object + logName: + description: >- + LogName defines the friendly name of the + access log to be returned in + + StreamAccessLogsMessage.Identifier. This + allows the access log server + + to differentiate between different + access logs coming from the same Envoy. + minLength: 1 + type: string + type: + description: >- + Type defines the type of accesslog. + Supported types are "HTTP" and "TCP". + enum: + - HTTP + - TCP + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + The http field may only be set when type + is HTTP. + rule: self.type == 'HTTP' || !has(self.http) + - message: >- + BackendRefs must be used, backendRef is + not supported. 
+ rule: '!has(self.backendRef)' + - message: >- + must have at least one backend in + backendRefs + rule: >- + has(self.backendRefs) && + self.backendRefs.size() > 0 + - message: >- + BackendRefs only support Service and + Backend kind. + rule: >- + has(self.backendRefs) ? + self.backendRefs.all(f, f.kind == + 'Service' || f.kind == 'Backend') : true + - message: >- + BackendRefs only support Core and + gateway.envoyproxy.io group. + rule: >- + has(self.backendRefs) ? + (self.backendRefs.all(f, f.group == "" + || f.group == 'gateway.envoyproxy.io')) + : true + file: + description: File defines the file accesslog sink. + properties: + path: + description: >- + Path defines the file path used to + expose envoy access log(e.g. + /dev/stdout). + minLength: 1 + type: string + type: object + openTelemetry: + description: >- + OpenTelemetry defines the OpenTelemetry + accesslog sink. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes + object that represents the + + backend server to which the + authorization request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes + object that represents the + + backend server to which the + authorization request will be sent. + items: + description: >- + BackendRef defines how an + ObjectReference that is specific to + BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend + is designated as a fallback. + + Multiple fallback backends can be + configured. 
+ + It is highly recommended to configure + active or passive health checks to + ensure that failover can be detected + + when the active backends become + unhealthy and to automatically readjust + once the primary backends are healthy + again. + + The overprovisioning factor is set to + 1.4, meaning the fallback backends will + only start receiving traffic when + + the health of the active backends falls + below 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of + requests forwarded to the referenced + + backend. This is computed as weight/(sum + of all weights in this + + BackendRefs list). For non-zero values, + there may be some epsilon from + + the exact proportion defined here + depending on the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it + has a weight greater than 0, 100% + + of the traffic is forwarded to that + backend. If weight is set to 0, no + + traffic should be forwarded for this + entry. If unspecified, weight + + defaults to 1. + + + Support for this field varies based on + the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for + managing the connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the + upstream connections and requests. 
+ + If not set, circuit breakers will be + enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that + Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests + that Envoy will queue to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that + Envoy will make over a single connection + to the referenced backend defined within + a xRoute rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers + that will apply per-endpoint for an + upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: >- + Connection includes backend connection + settings. 
+ properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection + streaming (maybe non-streaming) channel + between processes, it's in user space. + + If unspecified, an implementation + defined default is applied (32768 + bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment + overhead. + + + If unset, Envoy will fetch connections + as needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. 
+ + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration + for the maximum buffer size in bytes for + each socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at + which DNS records should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend + is specified as a fully qualified domain + name (FQDN). + + If set, this configuration overrides + other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS + refresh rate will be set to the resource + record’s TTL. + + Defaults to true. 
+ type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform + active health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. 
+ + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. + + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? 
has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? 
self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout + the cluster + + as load increases. If not set, the + default value is 50%. To disable panic + mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for + backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the + initial window size for HTTP/2 + connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum + number of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy + will terminate the connection or just + the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy + deployments to set this value to + TerminateStream. 
+ + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when + routing traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. 
+ type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. 
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". 
+ enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? 
!has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, + allowing users to customize the number + of retries, retry fallback strategy, and + retry triggering conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. 
This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with + the upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy + only works with RoundRobin or Random + load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + headers: + description: >- + Headers is a list of additional headers + to send with OTLP export requests. + + These headers are added as gRPC initial + metadata for the OTLP gRPC service. + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 32 + minItems: 1 + type: array + host: + description: >- + Host define the extension service + hostname. + + Deprecated: Use BackendRefs instead. + type: string + port: + default: 4317 + description: >- + Port defines the port the extension + service is exposed on. + + Deprecated: Use BackendRefs instead. 
+ format: int32 + minimum: 0 + type: integer + resourceAttributes: + additionalProperties: + type: string + description: >- + ResourceAttributes is a set of labels + that describe the source of a log entry, + including envoy node info. + + It's recommended to follow [semantic + conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). + type: object + resources: + additionalProperties: + type: string + description: >- + Resources is a set of labels that + describe the source of a log entry, + including envoy node info. + + It's recommended to follow [semantic + conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). + + + Deprecated: Use ResourceAttributes + instead. + type: object + type: object + x-kubernetes-validations: + - message: host or backendRefs needs to be set + rule: >- + has(self.host) || + self.backendRefs.size() > 0 + - message: >- + BackendRefs must be used, backendRef is + not supported. + rule: '!has(self.backendRef)' + - message: >- + BackendRefs only support Service and + Backend kind. + rule: >- + has(self.backendRefs) ? + self.backendRefs.all(f, f.kind == + 'Service' || f.kind == 'Backend') : true + - message: >- + BackendRefs only support Core and + gateway.envoyproxy.io group. + rule: >- + has(self.backendRefs) ? + (self.backendRefs.all(f, f.group == "" + || f.group == 'gateway.envoyproxy.io')) + : true + - message: >- + either resources or resourceAttributes + can be set, not both + rule: >- + !has(self.resources) || + !has(self.resourceAttributes) + type: + description: Type defines the type of accesslog sink. + enum: + - ALS + - File + - OpenTelemetry + type: string + type: object + x-kubernetes-validations: + - message: >- + If AccessLogSink type is ALS, als field + needs to be set. + rule: >- + self.type == 'ALS' ? has(self.als) : + !has(self.als) + - message: >- + If AccessLogSink type is File, file + field needs to be set. 
+ rule: >- + self.type == 'File' ? has(self.file) : + !has(self.file) + - message: >- + If AccessLogSink type is OpenTelemetry, + openTelemetry field needs to be set. + rule: >- + self.type == 'OpenTelemetry' ? + has(self.openTelemetry) : + !has(self.openTelemetry) + maxItems: 50 + minItems: 1 + type: array + type: + description: >- + Type defines the component emitting the + accesslog, such as Listener and Route. + + If type not defined, the setting would apply + to: + + (1) All Routes. + + (2) Listeners if and only if Envoy does not + find a matching route for a request. + + If type is defined, the accesslog settings + would apply to the relevant component (as-is). + enum: + - Listener + - Route + type: string + required: + - sinks + type: object + maxItems: 50 + minItems: 1 + type: array + type: object + metrics: + description: >- + Metrics defines metrics configuration for managed + proxies. + properties: + clusterStatName: + description: >- + ClusterStatName defines the value of cluster + alt_stat_name, determining how cluster stats are + named. + + For more details, see envoy docs: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html + + The supported operators for this pattern are: + + `%ROUTE_NAME%`: name of Gateway API xRoute resource + + `%ROUTE_NAMESPACE%`: namespace of Gateway API xRoute + resource + + `%ROUTE_KIND%`: kind of Gateway API xRoute resource + + `%ROUTE_RULE_NAME%`: name of the Gateway API xRoute + section + + `%ROUTE_RULE_NUMBER%`: name of the Gateway API + xRoute section + + `%BACKEND_REFS%`: names of all backends referenced + in `/|/|...` + format + + Only xDS Clusters created for HTTPRoute and + GRPCRoute are currently supported. + + Default: + `%ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME%/rule/%ROUTE_RULE_NUMBER%` + + Example: `httproute/my-ns/my-route/rule/0` + type: string + enablePerEndpointStats: + description: >- + EnablePerEndpointStats enables per endpoint envoy + stats metrics. 
+ + Please use with caution. + type: boolean + enableRequestResponseSizesStats: + description: >- + EnableRequestResponseSizesStats enables publishing + of histograms tracking header and body sizes of + requests and responses. + type: boolean + enableVirtualHostStats: + description: >- + EnableVirtualHostStats enables envoy stat metrics + for virtual hosts. + type: boolean + matches: + description: >- + Matches defines configuration for selecting specific + metrics instead of generating all metrics stats + + that are enabled by default. This helps reduce CPU + and memory overhead in Envoy, but eliminating some + stats + + may after critical functionality. Here are the stats + that we strongly recommend not disabling: + + `cluster_manager.warming_clusters`, + `cluster..membership_total`,`cluster..membership_healthy`, + + `cluster..membership_degraded`,reference + https://github.com/envoyproxy/envoy/issues/9856, + + https://github.com/envoyproxy/envoy/issues/14610 + items: + description: >- + StringMatch defines how to match any strings. + + This is a general purpose match condition that can + be used by other EG APIs + + that need to match against a string. + properties: + type: + default: Exact + description: Type specifies how to match against a string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array + prometheus: + description: >- + Prometheus defines the configuration for Admin + endpoint `/stats/prometheus`. + properties: + compression: + description: >- + Configure the compression on Prometheus + endpoint. Compression is useful in situations + when bandwidth is scarce and large payloads can + be effectively compressed at the expense of + higher CPU load. + properties: + brotli: + description: The configuration for Brotli compressor. 
+ type: object + gzip: + description: The configuration for GZIP compressor. + type: object + minContentLength: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + MinContentLength defines the minimum + response size in bytes to apply compression. + + Responses smaller than this threshold will + not be compressed. + + Must be at least 30 bytes as enforced by + Envoy Proxy. + + Note that when the suffix is not provided, + the value is interpreted as bytes. + + Default: 30 bytes + x-kubernetes-int-or-string: true + type: + description: >- + CompressorType defines the compressor type + to use for compression. + enum: + - Gzip + - Brotli + - Zstd + type: string + zstd: + description: The configuration for Zstd compressor. + type: object + required: + - type + type: object + disable: + description: Disable the Prometheus endpoint. + type: boolean + type: object + sinks: + description: >- + Sinks defines the metric sinks where metrics are + sent to. + items: + description: |- + ProxyMetricSink defines the sink of metrics. + Default metrics sink is OpenTelemetry. + properties: + openTelemetry: + description: >- + OpenTelemetry defines the configuration for + OpenTelemetry sink. + + It's required if the sink type is + OpenTelemetry. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object + that represents the + + backend server to which the authorization + request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object + that represents the + + backend server to which the authorization + request will be sent. + items: + description: >- + BackendRef defines how an + ObjectReference that is specific to + BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend + is designated as a fallback. + + Multiple fallback backends can be + configured. + + It is highly recommended to configure + active or passive health checks to + ensure that failover can be detected + + when the active backends become + unhealthy and to automatically readjust + once the primary backends are healthy + again. + + The overprovisioning factor is set to + 1.4, meaning the fallback backends will + only start receiving traffic when + + the health of the active backends falls + below 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of + requests forwarded to the referenced + + backend. This is computed as weight/(sum + of all weights in this + + BackendRefs list). For non-zero values, + there may be some epsilon from + + the exact proportion defined here + depending on the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it + has a weight greater than 0, 100% + + of the traffic is forwarded to that + backend. If weight is set to 0, no + + traffic should be forwarded for this + entry. If unspecified, weight + + defaults to 1. 
+ + + Support for this field varies based on + the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for + managing the connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the + upstream connections and requests. + + If not set, circuit breakers will be + enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that + Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests + that Envoy will queue to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that + Envoy will make over a single connection + to the referenced backend defined within + a xRoute rule. + + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers + that will apply per-endpoint for an + upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: >- + Connection includes backend connection + settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection + streaming (maybe non-streaming) channel + between processes, it's in user space. + + If unspecified, an implementation + defined default is applied (32768 + bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment + overhead. + + + If unset, Envoy will fetch connections + as needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 
100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration + for the maximum buffer size in bytes for + each socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at + which DNS records should be refreshed. + + Defaults to 30 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend + is specified as a fully qualified domain + name (FQDN). + + If set, this configuration overrides + other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS + refresh rate will be set to the resource + record’s TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform + active health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. 
+ + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. 
+ type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout + the cluster + + as load increases. If not set, the + default value is 50%. To disable panic + mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for + backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the + initial window size for HTTP/2 + connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum + number of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy + will terminate the connection or just + the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy + deployments to set this value to + TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when + routing traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. 
+ + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. 
Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. 
+ properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? !has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, + allowing users to customize the number + of retries, retry fallback strategy, and + retry triggering conditions. 
+ + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. 
+ + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with + the upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy + only works with RoundRobin or Random + load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + headers: + description: >- + Headers is a list of additional headers to + send with OTLP export requests. + + These headers are added as gRPC initial + metadata for the OTLP gRPC service. + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 32 + minItems: 1 + type: array + host: + description: |- + Host define the service hostname. + Deprecated: Use BackendRefs instead. + type: string + port: + default: 4317 + description: >- + Port defines the port the service is + exposed on. + + Deprecated: Use BackendRefs instead. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + reportCountersAsDeltas: + description: >- + ReportCountersAsDeltas configures the + OpenTelemetry sink to report + + counters as delta temporality instead of + cumulative. + type: boolean + reportHistogramsAsDeltas: + description: >- + ReportHistogramsAsDeltas configures the + OpenTelemetry sink to report + + histograms as delta temporality instead of + cumulative. + + Required for backends like Elastic that + drop cumulative histograms. + type: boolean + resourceAttributes: + additionalProperties: + type: string + description: >- + ResourceAttributes is a set of labels that + describe the source of metrics. + + It's recommended to follow semantic + conventions: + https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/ + type: object + type: object + x-kubernetes-validations: + - message: host or backendRefs needs to be set + rule: >- + has(self.host) || self.backendRefs.size() + > 0 + - message: >- + BackendRefs must be used, backendRef is + not supported. 
+ rule: '!has(self.backendRef)' + - message: >- + BackendRefs only support Service and + Backend kind. + rule: >- + has(self.backendRefs) ? + self.backendRefs.all(f, f.kind == + 'Service' || f.kind == 'Backend') : true + - message: >- + BackendRefs only support Core and + gateway.envoyproxy.io group. + rule: >- + has(self.backendRefs) ? + (self.backendRefs.all(f, f.group == "" || + f.group == 'gateway.envoyproxy.io')) : + true + type: + default: OpenTelemetry + description: |- + Type defines the metric sink type. + EG currently only supports OpenTelemetry. + enum: + - OpenTelemetry + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If MetricSink type is OpenTelemetry, + openTelemetry field needs to be set. + rule: >- + self.type == 'OpenTelemetry' ? + has(self.openTelemetry) : + !has(self.openTelemetry) + maxItems: 16 + type: array + type: object + requestID: + description: RequestID configures Envoy request ID behavior. + properties: + tracing: + description: >- + Tracing configures Envoy's behavior for the UUID + request ID extension, + + including whether the trace sampling decision is + packed into the UUID and + + whether `X-Request-ID` is used for trace sampling + decisions. + + + When omitted, the default behavior is + `PackAndSample`, which alters the UUID + + to contain the trace sampling decision and uses + `X-Request-ID` for stable + + trace sampling. + enum: + - PackAndSample + - Sample + - Pack + - Disable + type: string + type: object + tracing: + description: >- + Tracing defines tracing configuration for managed + proxies. + + If unspecified, will not send tracing data. + properties: + customTags: + additionalProperties: + properties: + environment: + description: >- + Environment adds value from environment + variable to each span. + + It's required when the type is "Environment". 
+ properties: + defaultValue: + description: >- + DefaultValue defines the default value to + use if the environment variable is not + set. + type: string + name: + description: >- + Name defines the name of the environment + variable which to extract the value from. + type: string + required: + - name + type: object + literal: + description: |- + Literal adds hard-coded value to each span. + It's required when the type is "Literal". + properties: + value: + description: >- + Value defines the hard-coded value to add + to each span. + type: string + required: + - value + type: object + requestHeader: + description: >- + RequestHeader adds value from request header + to each span. + + It's required when the type is + "RequestHeader". + properties: + defaultValue: + description: >- + DefaultValue defines the default value to + use if the request header is not set. + type: string + name: + description: >- + Name defines the name of the request + header which to extract the value from. + type: string + required: + - name + type: object + type: + default: Literal + description: Type defines the type of custom tag. + enum: + - Literal + - Environment + - RequestHeader + type: string + required: + - type + type: object + description: >- + CustomTags defines the custom tags to add to each + span. + + If provider is kubernetes, pod name and namespace + are added by default. + + + Deprecated: Use Tags instead. + type: object + provider: + description: Provider defines the tracing provider. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization + request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other + than ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might + be derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization + request will be sent. + items: + description: >- + BackendRef defines how an ObjectReference that + is specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be + configured. + + It is highly recommended to configure + active or passive health checks to ensure + that failover can be detected + + when the active backends become unhealthy + and to automatically readjust once the + primary backends are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only + start receiving traffic when + + the health of the active backends falls + below 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type other + than ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of + requests forwarded to the referenced + + backend. This is computed as weight/(sum + of all weights in this + + BackendRefs list). For non-zero values, + there may be some epsilon from + + the exact proportion defined here + depending on the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it + has a weight greater than 0, 100% + + of the traffic is forwarded to that + backend. If weight is set to 0, no + + traffic should be forwarded for this + entry. If unspecified, weight + + defaults to 1. 
+ + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing + the connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be enabled + with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that + Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests + that Envoy will queue to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that + Envoy will make over a single connection + to the referenced backend defined within + a xRoute rule. + + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers + that will apply per-endpoint for an + upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: >- + Connection includes backend connection + settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection + streaming (maybe non-streaming) channel + between processes, it's in user space. + + If unspecified, an implementation + defined default is applied (32768 + bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment + overhead. + + + If unset, Envoy will fetch connections + as needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 
100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration + for the maximum buffer size in bytes for + each socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at + which DNS records should be refreshed. + + Defaults to 30 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend + is specified as a fully qualified domain + name (FQDN). + + If set, this configuration overrides + other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS + refresh rate will be set to the resource + record’s TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. 
+ + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. 
+ type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout + the cluster + + as load increases. If not set, the + default value is 50%. To disable panic + mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for + backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the + initial window size for HTTP/2 + connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum + number of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy + will terminate the connection or just + the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy + deployments to set this value to + TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. 
+ + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. 
Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. 
+ properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? !has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing + users to customize the number of retries, + retry fallback strategy, and retry + triggering conditions. 
+ + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. 
+ + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only + works with RoundRobin or Random load + balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + host: + description: |- + Host define the provider service hostname. + Deprecated: Use BackendRefs instead. + type: string + openTelemetry: + description: >- + OpenTelemetry defines the OpenTelemetry tracing + provider configuration + properties: + headers: + description: >- + Headers is a list of additional headers to + send with OTLP export requests. + + These headers are added as gRPC initial + metadata for the OTLP gRPC service. + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. 
+ properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 32 + minItems: 1 + type: array + resourceAttributes: + additionalProperties: + type: string + description: >- + ResourceAttributes is a set of labels that + describe the source of traces. + + It's recommended to follow semantic + conventions: + https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/ + type: object + type: object + port: + default: 4317 + description: >- + Port defines the port the provider service is + exposed on. + + Deprecated: Use BackendRefs instead. + format: int32 + minimum: 0 + type: integer + serviceName: + description: >- + ServiceName defines the service name to use in + tracing configuration. + + If not set, Envoy Gateway will use a default + service name set as + + "name.namespace" (e.g., "my-gateway.default"). + + Note: This field is only supported for + OpenTelemetry and Datadog tracing providers. + + For Zipkin, the service name in traces is always + derived from the Envoy --service-cluster flag + + (typically "namespace/name" format). Setting + this field has no effect for Zipkin. 
+ type: string + x-kubernetes-validations: + - message: serviceName cannot be empty if provided + rule: self != "" + type: + default: OpenTelemetry + description: Type defines the tracing provider type. + enum: + - OpenTelemetry + - Zipkin + - Datadog + type: string + zipkin: + description: >- + Zipkin defines the Zipkin tracing provider + configuration + properties: + disableSharedSpanContext: + description: >- + DisableSharedSpanContext determines whether + the default Envoy behaviour of + + client and server spans sharing the same + span context should be disabled. + type: boolean + enable128BitTraceId: + description: >- + Enable128BitTraceID determines whether a + 128bit trace id will be used + + when creating a new trace instance. If set + to false, a 64bit trace + + id will be used. + type: boolean + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: host or backendRefs needs to be set + rule: has(self.host) || self.backendRefs.size() > 0 + - message: >- + BackendRefs must be used, backendRef is not + supported. + rule: '!has(self.backendRef)' + - message: >- + BackendRefs only support Service and Backend + kind. + rule: >- + has(self.backendRefs) ? self.backendRefs.all(f, + f.kind == 'Service' || f.kind == 'Backend') : + true + - message: >- + BackendRefs only support Core and + gateway.envoyproxy.io group. + rule: >- + has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "" || f.group == + 'gateway.envoyproxy.io')) : true + - message: >- + openTelemetry can only be used with type + OpenTelemetry + rule: >- + has(self.openTelemetry) ? self.type == + 'OpenTelemetry' : true + samplingFraction: + description: >- + SamplingFraction represents the fraction of requests + that should be + + selected for tracing if no prior sampling decision + has been made. 
+ properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + samplingRate: + description: >- + SamplingRate controls the rate at which traffic will + be + + selected for tracing if no prior sampling decision + has been made. + + Defaults to 100, valid values [0-100]. 100 indicates + 100% sampling. + + + Only one of SamplingRate or SamplingFraction may be + specified. + + If neither field is specified, all requests will be + sampled. + format: int32 + maximum: 100 + minimum: 0 + type: integer + spanName: + description: >- + SpanName defines the name of the span which will be + used for tracing. + + Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + may be used in the value. + + The [format string + documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + + If not set, the span name is provider specific. + + e.g. Datadog use `ingress` as the default client + span name, + + and `router egress` as the server + span name. + properties: + client: + description: >- + Client defines operation name of the span which + will be used for tracing. + type: string + server: + description: >- + Server defines the operation name of the + upstream span which will be used for tracing. + type: string + required: + - client + - server + type: object + tags: + additionalProperties: + type: string + description: >- + Tags defines the custom tags to add to each span. 
+ + Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + may be used in the value. + + The [format string + documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + If provider is kubernetes, pod name and namespace + are added by default. + + + Same keys take precedence over CustomTags. + type: object + required: + - provider + type: object + x-kubernetes-validations: + - message: >- + only one of SamplingRate or SamplingFraction can be + specified + rule: >- + !(has(self.samplingRate) && + has(self.samplingFraction)) + type: object + type: object + status: + description: EnvoyProxyStatus defines the actual state of EnvoyProxy. + properties: + ancestors: + description: >- + Ancestors represent the status information for all the + GatewayClass or Gateway + + reference this EnvoyProxy with ParametersReference. + items: + properties: + ancestorRef: + description: >- + AncestorRef corresponds a GatewayClass or Gateway use + this EnvoyProxy with ParametersReference. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. 
When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. 
+ + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. 
+ + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - ancestorRef + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/_/CustomResourceDefinition/gatewayclasses.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/gatewayclasses.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..f66d025 --- /dev/null +++ b/_/CustomResourceDefinition/gatewayclasses.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,715 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: >- + GatewayClass describes a class of Gateways available to the user for + creating + + Gateway resources. + + + It is recommended that this resource be used as a template for + Gateways. This + + means that a Gateway is based on the state of the GatewayClass at + the time it + + was created and changes to the GatewayClass or associated parameters + are not + + propagated down to existing Gateways. This recommendation is + intended to + + limit the blast radius of changes to GatewayClass or associated + parameters. + + If implementations choose to propagate GatewayClass changes to + existing + + Gateways, that MUST be clearly documented by the implementation. + + + Whenever one or more Gateways are using a GatewayClass, + implementations SHOULD + + add the `gateway-exists-finalizer.gateway.networking.k8s.io` + finalizer on the + + associated GatewayClass. This ensures that a GatewayClass associated + with a + + Gateway is not deleted while in use. + + + GatewayClass is a Cluster level resource. 
+ properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: >- + ControllerName is the name of the controller that is + managing Gateways of + + this class. The value of this field MUST be a domain + prefixed path. + + + Example: "example.net/gateway-controller". + + + This field is not mutable and cannot be empty. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: >- + ParametersRef is a reference to a resource that contains the + configuration + + parameters corresponding to the GatewayClass. This is + optional if the + + controller does not require any additional configuration. + + + ParametersRef can reference a standard Kubernetes resource, + i.e. ConfigMap, + + or an implementation-specific custom resource. The resource + can be + + cluster-scoped or namespace-scoped. 
+ + + If the referent cannot be found, refers to an unsupported + kind, or when + + the data within that resource is malformed, the GatewayClass + SHOULD be + + rejected with the "Accepted" status condition set to "False" + and an + + "InvalidParameters" reason. + + + A Gateway for this GatewayClass may provide its own + `parametersRef`. When both are specified, + + the merging behavior is implementation specific. + + It is generally recommended that GatewayClass provides + defaults that can be overridden by a Gateway. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. + + This field is required when referring to a + Namespace-scoped resource and + + MUST be unset when referring to a Cluster-scoped + resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: >- + Status defines the current state of GatewayClass. + + + Implementations MUST populate status on all GatewayClass + resources which + + specify their controller name. 
+ properties: + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: >- + SupportedFeatures is the set of features the GatewayClass + support. + + It MUST be sorted in ascending alphabetical order by the + Name key. + items: + properties: + name: + description: >- + FeatureName is used to describe distinct features that + are covered by + + conformance tests. + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: >- + GatewayClass describes a class of Gateways available to the user for + creating + + Gateway resources. + + + It is recommended that this resource be used as a template for + Gateways. This + + means that a Gateway is based on the state of the GatewayClass at + the time it + + was created and changes to the GatewayClass or associated parameters + are not + + propagated down to existing Gateways. 
This recommendation is + intended to + + limit the blast radius of changes to GatewayClass or associated + parameters. + + If implementations choose to propagate GatewayClass changes to + existing + + Gateways, that MUST be clearly documented by the implementation. + + + Whenever one or more Gateways are using a GatewayClass, + implementations SHOULD + + add the `gateway-exists-finalizer.gateway.networking.k8s.io` + finalizer on the + + associated GatewayClass. This ensures that a GatewayClass associated + with a + + Gateway is not deleted while in use. + + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: >- + ControllerName is the name of the controller that is + managing Gateways of + + this class. The value of this field MUST be a domain + prefixed path. + + + Example: "example.net/gateway-controller". + + + This field is not mutable and cannot be empty. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: >- + ParametersRef is a reference to a resource that contains the + configuration + + parameters corresponding to the GatewayClass. This is + optional if the + + controller does not require any additional configuration. + + + ParametersRef can reference a standard Kubernetes resource, + i.e. ConfigMap, + + or an implementation-specific custom resource. The resource + can be + + cluster-scoped or namespace-scoped. + + + If the referent cannot be found, refers to an unsupported + kind, or when + + the data within that resource is malformed, the GatewayClass + SHOULD be + + rejected with the "Accepted" status condition set to "False" + and an + + "InvalidParameters" reason. + + + A Gateway for this GatewayClass may provide its own + `parametersRef`. When both are specified, + + the merging behavior is implementation specific. + + It is generally recommended that GatewayClass provides + defaults that can be overridden by a Gateway. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. 
+ + This field is required when referring to a + Namespace-scoped resource and + + MUST be unset when referring to a Cluster-scoped + resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: >- + Status defines the current state of GatewayClass. + + + Implementations MUST populate status on all GatewayClass + resources which + + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. 
+ + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: >- + SupportedFeatures is the set of features the GatewayClass + support. + + It MUST be sorted in ascending alphabetical order by the + Name key. + items: + properties: + name: + description: >- + FeatureName is used to describe distinct features that + are covered by + + conformance tests. + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null 
diff --git a/_/CustomResourceDefinition/gateways.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/gateways.gateway.networking.k8s.io.yaml
new file mode 100644
index 0000000..a333eda
--- /dev/null
+++ b/_/CustomResourceDefinition/gateways.gateway.networking.k8s.io.yaml
@@ -0,0 +1,5235 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + Gateway represents an instance of a service-traffic handling + infrastructure + + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: >- + Addresses requested for this Gateway. 
This is optional and + behavior can + + depend on the implementation. If a value is set in the spec + and the + + requested address is invalid or unavailable, the + implementation MUST + + indicate this in an associated entry in + GatewayStatus.Conditions. + + + The Addresses field represents a request for the address(es) + on the + + "outside of the Gateway", that traffic bound for this + Gateway will use. + + This could be the IP address or hostname of an external load + balancer or + + other networking infrastructure, or some other address that + traffic will + + be sent to. + + + If no Addresses are specified, the implementation MAY + schedule the + + Gateway in an implementation-specific manner, assigning an + appropriate + + set of Addresses. + + + The implementation MUST bind all Listeners to every + GatewayAddress that + + it assigns to the Gateway and add a corresponding entry in + + GatewayStatus.Addresses. + + + Support: Extended + items: + description: >- + GatewaySpecAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: >- + ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: >- + When a value is unspecified, an implementation SHOULD + automatically + + assign an address matching the requested type if + possible. + + + If an implementation does not support an empty value, + they MUST set the + + "Programmed" condition in status to False with a + reason of "AddressNotAssigned". + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. 
+ maxLength: 253 + type: string + type: object + x-kubernetes-validations: + - message: >- + Hostname value must be empty or contain only valid + characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: >- + self.type == 'Hostname' ? (!has(self.value) || + self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): + true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: >- + self.all(a1, a1.type == 'IPAddress' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) + && a2.value == a1.value) : true ) + - message: Hostname values must be unique + rule: >- + self.all(a1, a1.type == 'Hostname' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) + && a2.value == a1.value) : true ) + allowedListeners: + description: >- + AllowedListeners defines which ListenerSets can be attached + to this Gateway. + + The default value is to allow no ListenerSets. + properties: + namespaces: + default: + from: None + description: >- + Namespaces defines which namespaces ListenerSets can be + attached to this Gateway. + + The default value is to allow no ListenerSets. + properties: + from: + default: None + description: >- + From indicates where ListenerSets can attach to this + Gateway. Possible + + values are: + + + * Same: Only ListenerSets in the same namespace may + be attached to this Gateway. + + * Selector: ListenerSets in namespaces selected by + the selector may be attached to this Gateway. + + * All: ListenerSets in all namespaces may be + attached to this Gateway. + + * None: Only listeners defined in the Gateway's spec + are allowed + + + The default value None + enum: + - All + - Selector + - Same + - None + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". 
In that case, + + only ListenerSets in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other values of + "From". + properties: + matchExpressions: + description: >- + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector + that contains values, a key, and an operator + that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + gatewayClassName: + description: >- + GatewayClassName used for this Gateway. This is the name of + a + + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: >- + Infrastructure defines infrastructure level attributes about + this Gateway instance. 
+ + + Support: Extended + properties: + annotations: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. This + roughly matches Kubernetes + + annotation validation, although the length validation + in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Annotations that SHOULD be applied to any resources + created in response to this Gateway. + + + For implementations creating other Kubernetes objects, + this should be the `metadata.annotations` field on + resources. + + For other implementations, this refers to any relevant + (implementation specific) "annotations" concepts. + + + An implementation may chose to add additional + implementation-specific annotations as they see fit. + + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: >- + Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name + segment of up to 63 characters. + rule: >- + self.all(key, + key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: >- + If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in + total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: >- + LabelValue is the value of a label in the Gateway API. + This is used for validation + + of maps such as Gateway infrastructure labels. This + matches the Kubernetes + + label validation rules: + + * must be 63 characters or less (can be empty), + + * unless empty, must begin and end with an + alphanumeric character ([a-z0-9A-Z]), + + * could contain dashes (-), underscores (_), dots (.), + and alphanumerics between. 
+ + + Valid values include: + + + * MyValue + + * my.name + + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: >- + Labels that SHOULD be applied to any resources created + in response to this Gateway. + + + For implementations creating other Kubernetes objects, + this should be the `metadata.labels` field on resources. + + For other implementations, this refers to any relevant + (implementation specific) "labels" concepts. + + + An implementation may chose to add additional + implementation-specific labels as they see fit. + + + If an implementation maps these labels to Pods, or any + other resource that would need to be recreated when + labels + + change, it SHOULD clearly warn about this behavior in + documentation. + + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: >- + Label keys must be in the form of an optional DNS + subdomain prefix followed by a required name segment + of up to 63 characters. + rule: >- + self.all(key, + key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: >- + If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: >- + ParametersRef is a reference to a resource that contains + the configuration + + parameters corresponding to the Gateway. This is + optional if the + + controller does not require any additional + configuration. + + + This follows the same semantics as GatewayClass's + `parametersRef`, but on a per-Gateway basis + + + The Gateway's GatewayClass may provide its own + `parametersRef`. When both are specified, + + the merging behavior is implementation specific. + + It is generally recommended that GatewayClass provides + defaults that can be overridden by a Gateway. 
+ + + If the referent cannot be found, refers to an + unsupported kind, or when + + the data within that resource is malformed, the Gateway + SHOULD be + + rejected with the "Accepted" status condition set to + "False" and an + + "InvalidParameters" reason. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: >- + Listeners associated with this Gateway. Listeners define + + logical endpoints that are bound on this Gateway's + addresses. + + At least one Listener MUST be specified. + + + ## Distinct Listeners + + + Each Listener in a set of Listeners (for example, in a + single Gateway) + + MUST be _distinct_, in that a traffic flow MUST be able to + be assigned to + + exactly one listener. (This section uses "set of Listeners" + rather than + + "Listeners in a single Gateway" because implementations MAY + merge configuration + + from multiple Gateways onto a single data plane, and these + rules _also_ + + apply in that case). + + + Practically, this means that each listener in a set MUST + have a unique + + combination of Port, Protocol, and, if supported by the + protocol, Hostname. + + + Some combinations of port, protocol, and TLS settings are + considered + + Core support and MUST be supported by implementations based + on the objects + + they support: + + + HTTPRoute + + + 1. HTTPRoute, Port: 80, Protocol: HTTP + + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: + Terminate, TLS keypair provided + + + TLSRoute + + + 1. 
TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + + "Distinct" Listeners have the following property: + + + **The implementation can match inbound requests to a single + distinct + + Listener**. + + + When multiple Listeners share values for fields (for + + example, two Listeners with the same Port value), the + implementation + + can match requests to only one of the Listeners using other + + Listener fields. + + + When multiple listeners have the same value for the Protocol + field, then + + each of the Listeners with matching Protocol values MUST + have different + + values for other fields. + + + The set of fields that MUST be different for a Listener + differs per protocol. + + The following rules define the rules for what fields MUST be + considered for + + Listeners to be distinct with each protocol currently + defined in the + + Gateway API spec. + + + The set of listeners that all share a protocol value MUST + have _different_ + + values for _at least one_ of these fields to be distinct: + + + * **HTTP, HTTPS, TLS**: Port, Hostname + + * **TCP, UDP**: Port + + + One **very** important rule to call out involves what + happens when an + + implementation: + + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, + or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as + one with TCP + Protocol. + + In this case all the Listeners that share a port with the + + TCP Listener are not distinct and so MUST NOT be accepted. + + + If an implementation does not support TCP Protocol + Listeners, then the + + previous rule does not apply, and the TCP Listeners SHOULD + NOT be + + accepted. + + + Note that the `tls` field is not used for determining if a + listener is distinct, because + + Listeners that _only_ differ on TLS config will still + conflict in all cases. 
+ + + ### Listeners that are distinct only by Hostname + + + When the Listeners are distinct based only on Hostname, + inbound request + + hostnames MUST match from the most specific to least + specific Hostname + + values to choose the correct Listener and its associated set + of Routes. + + + Exact matches MUST be processed before wildcard matches, and + wildcard + + matches MUST be processed before fallback (empty Hostname + value) + + matches. For example, `"foo.example.com"` takes precedence + over + + `"*.example.com"`, and `"*.example.com"` takes precedence + over `""`. + + + Additionally, if there are multiple wildcard entries, more + specific + + wildcard entries must be processed before less specific + wildcard entries. + + For example, `"*.foo.example.com"` takes precedence over + `"*.example.com"`. + + + The precise definition here is that the higher the number of + dots in the + + hostname to the right of the wildcard character, the higher + the precedence. + + + The wildcard character will match any number of characters + _and dots_ to + + the left, however, so `"*.example.com"` will match both + + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + + ## Handling indistinct Listeners + + + If a set of Listeners contains Listeners that are not + distinct, then those + + Listeners are _Conflicted_, and the implementation MUST set + the "Conflicted" + + condition in the Listener Status to "True". + + + The words "indistinct" and "conflicted" are considered + equivalent for the + + purpose of this documentation. + + + Implementations MAY choose to accept a Gateway with some + Conflicted + + Listeners only if they only accept the partial Listener set + that contains + + no Conflicted Listeners. + + + Specifically, an implementation MAY accept a partial + Listener set subject to + + the following rules: + + + * The implementation MUST NOT pick one conflicting Listener + as the winner. + ALL indistinct Listeners must not be accepted for processing. 
+ * At least one distinct Listener MUST be present, or else + the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition + on the + + Gateway Status when the Gateway contains Conflicted + Listeners whether or + + not they accept the Gateway. That Condition SHOULD clearly + + indicate in the Message which Listeners are conflicted, and + which are + + Accepted. Additionally, the Listener status for those + listeners SHOULD + + indicate which Listeners are conflicted and not Accepted. + + + ## General Listener behavior + + + Note that, for all distinct Listeners, requests SHOULD match + at most one Listener. + + For example, if Listeners are defined for "foo.example.com" + and "*.example.com", a + + request to "foo.example.com" SHOULD only be routed using + routes attached + + to the "foo.example.com" Listener (and not the + "*.example.com" Listener). + + + This concept is known as "Listener Isolation", and it is an + Extended feature + + of Gateway API. Implementations that do not support Listener + Isolation MUST + + clearly document this, and MUST NOT claim support for the + + `GatewayHTTPListenerIsolation` feature. + + + Implementations that _do_ support Listener Isolation SHOULD + claim support + + for the Extended `GatewayHTTPListenerIsolation` feature and + pass the associated + + conformance tests. + + + ## Compatible Listeners + + + A Gateway's Listeners are considered _compatible_ if: + + + 1. They are distinct. + + 2. The implementation can serve them in compliance with the + Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to + vary across + + implementations. A combination that is compatible for one + implementation + + may not be compatible for another. 
+ + + For example, an implementation that cannot serve both TCP + and UDP listeners + + on the same address, or cannot mix HTTPS and generic TLS + listens on the same port + + would not consider those cases compatible, even though they + are distinct. + + + Implementations MAY merge separate Gateways onto a single + set of + + Addresses if all Listeners across all Gateways are + compatible. + + + In a future release the MinItems=1 requirement MAY be + dropped. + + + Support: Core + items: + description: >- + Listener embodies the concept of a logical endpoint where + a Gateway accepts + + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: >- + AllowedRoutes defines the types of routes that MAY be + attached to a + + Listener and the trusted namespaces where those Route + resources MAY be + + present. + + + Although a client request may match multiple route + rules, only one rule + + may ultimately receive the request. Matching + precedence MUST be + + determined in order of the following criteria: + + + * The most specific match as defined by the Route + type. + + * The oldest Route based on creation timestamp. For + example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route + appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this + Listener should be + + implemented. Invalid Route rules can be ignored + (sometimes that will mean + + the full Route). If a Route rule transitions from + valid to invalid, + + support for that Route rule should be dropped to + ensure consistency. For + + example, even if a filter specified by a Route rule is + invalid, the rest + + of the rules within that Route should still be + supported. 
+ + + Support: Core + properties: + kinds: + description: >- + Kinds specifies the groups and kinds of Routes + that are allowed to bind + + to this Gateway Listener. When unspecified or + empty, the kinds of Routes + + selected are determined using the Listener + protocol. + + + A RouteGroupKind MUST correspond to kinds of + Routes that are compatible + + with the application protocol specified in the + Listener's Protocol field. + + If an implementation does not support or recognize + this resource type, it + + MUST set the "ResolvedRefs" condition to False for + this Listener with the + + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: >- + Namespaces indicates namespaces from which Routes + may be attached to this + + Listener. This is restricted to the namespace of + this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: >- + From indicates where Routes will be selected + for this Gateway. Possible + + values are: + + + * All: Routes in all namespaces may be used by + this Gateway. + + * Selector: Routes in namespaces selected by + the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may + be used by this Gateway. 
+ + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". In that case, + + only Routes in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other + values of "From". + + + Support: Core + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: >- + Hostname specifies the virtual hostname to match for + protocol types that + + define this concept. When unspecified, all hostnames + are matched. 
This + + field is ignored for protocols that don't require + hostname based + + matching. + + + Implementations MUST apply Hostname matching + appropriately for each of + + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + + * HTTP: The Listener Hostname MUST match the Host + header of the request. + + * HTTPS: The Listener Hostname SHOULD match both the + SNI and Host header. + Note that this does not require the SNI and Host header to be the same. + The semantics of this are described in more detail below. + + To ensure security, Section 11.1 of RFC-6066 + emphasizes that server + + implementations that rely on SNI hostname matching + MUST also verify + + hostnames within the application protocol. + + + Section 9.1.2 of RFC-7540 provides a mechanism for + servers to reject the + + reuse of a connection by responding with the HTTP 421 + Misdirected Request + + status code. This indicates that the origin server has + rejected the + + request because it appears to have been misdirected. + + + To detect misdirected requests, Gateways SHOULD match + the authority of + + the requests with all the SNI hostname(s) configured + across all the + + Gateway Listeners on the same port and protocol: + + + * If another Listener has an exact match or more + specific wildcard entry, + the Gateway SHOULD return a 421. + * If the current Listener (selected by SNI matching + during ClientHello) + does not match the Host: + * If another Listener does match the Host, the Gateway SHOULD return a + 421. + * If no other Listener matches the Host, the Gateway MUST return a + 404. + + For HTTPRoute and TLSRoute resources, there is an + interaction with the + + `spec.hostnames` array. When both listener and route + specify hostnames, + + there MUST be an intersection between the values for a + Route to be + + accepted. For more information, refer to the Route + specific Hostnames + + documentation. 
+ + + Hostnames that are prefixed with a wildcard label + (`*.`) are interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, + but not `example.com`. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: >- + Name is the name of the Listener. This name MUST be + unique within a + + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: >- + Port is the network port. Multiple listeners may use + the + + same port, subject to the Listener compatibility + rules. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: >- + Protocol specifies the network protocol this listener + expects to receive. + + + Support: Core + maxLength: 255 + minLength: 1 + pattern: >- + ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: >- + TLS is the TLS configuration for the Listener. This + field is required if + + the Protocol field is "HTTPS" or "TLS". It is invalid + to set this field + + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in + ListenerTLSConfig is + + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out + of all + + available certificates for any TLS handshake. + + + Support: Core + properties: + certificateRefs: + description: >- + CertificateRefs contains a series of references to + Kubernetes objects that + + contains TLS certificates and private keys. 
These + certificates are used to + + establish a TLS handshake for requests that match + the hostname of the + + associated listener. + + + A single CertificateRef to a Kubernetes Secret has + "Core" support. + + Implementations MAY choose to support attaching + multiple certificates to + + a Listener, but this behavior is + implementation-specific. + + + References to a resource in different namespace + are invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the certificate + + to be attached. If a ReferenceGrant does not allow + this reference, the + + "ResolvedRefs" condition MUST be set to False for + this listener with the + + "RefNotPermitted" reason. + + + This field is required to have at least one + element when the mode is set + + to "Terminate" (default) and is optional + otherwise. + + + CertificateRefs can reference to standard + Kubernetes resources, i.e. + + Secret, or implementation-specific custom + resources. + + + Support: Core - A single reference to a Kubernetes + Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one + reference or other resource types) + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the + Group and Kind must + + be registered in the cluster for this reference + to be valid. + + + References to objects with invalid Group and + Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: >- + Mode defines the TLS behavior for the TLS session + initiated by the client. + + There are two possible modes: + + + - Terminate: The TLS session between the + downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated + by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. 
This + roughly matches Kubernetes + + annotation validation, although the length + validation in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable + extended TLS + + configuration for each implementation. For + example, configuring the + + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in + the future. To avoid + + any ambiguity, implementation-specific definitions + MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names + defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: >- + certificateRefs or options must be specified when + mode is Terminate + rule: >- + self.mode == 'Terminate' ? + size(self.certificateRefs) > 0 || + size(self.options) > 0 : true + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['HTTP', 'TCP', 'UDP'] ? + !has(l.tls) : true) + - message: tls mode must be Terminate for protocol HTTPS + rule: >- + self.all(l, (l.protocol == 'HTTPS' && has(l.tls)) ? + (l.tls.mode == '' || l.tls.mode == 'Terminate') : true) + - message: tls mode must be set for protocol TLS + rule: >- + self.all(l, (l.protocol == 'TLS' ? has(l.tls) && + has(l.tls.mode) && l.tls.mode != '' : true)) + - message: >- + hostname must not be specified for protocols ['TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['TCP', 'UDP'] ? 
+ (!has(l.hostname) || l.hostname == '') : true) + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: >- + Combination of port, protocol and hostname must be + unique for each listener + rule: >- + self.all(l1, self.exists_one(l2, l1.port == l2.port && + l1.protocol == l2.protocol && (has(l1.hostname) && + has(l2.hostname) ? l1.hostname == l2.hostname : + !has(l1.hostname) && !has(l2.hostname)))) + tls: + description: >- + TLS specifies frontend and backend tls configuration for + entire gateway. + + + Support: Extended + properties: + backend: + description: >- + Backend describes TLS configuration for gateway when + connecting + + to backends. + + + Note that this contains only details for the Gateway as + a TLS client, + + and does _not_ imply behavior about how to choose which + backend should + + get a TLS connection. That is determined by the presence + of a BackendTLSPolicy. + + + Support: Core + properties: + clientCertificateRef: + description: >- + ClientCertificateRef references an object that + contains a client certificate + + and its associated private key. It can reference + standard Kubernetes resources, + + i.e., Secret, or implementation-specific custom + resources. + + + A ClientCertificateRef is considered invalid if: + + + * It refers to a resource that cannot be resolved + (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace + UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. 
+ If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further + validation of the certificate + + content (e.g., checking expiry or enforcing specific + formats). In such cases, + + an implementation-specific Reason and Message MUST + be set. + + + Support: Core - Reference to a Kubernetes TLS Secret + (with the type `kubernetes.io/tls`). + + Support: Implementation-specific - Other resource + kinds or Secrets with a + + different type (e.g., `Opaque`). + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: >- + Frontend describes TLS config when client connects to + Gateway. 
+ + Support: Core + properties: + default: + description: >- + Default specifies the default client certificate + validation configuration + + for all Listeners handling HTTPS traffic, unless a + per-port configuration + + is defined. + + + support: Core + properties: + validation: + description: >- + Validation holds configuration information for + validating the frontend (client). + + Setting this field will result in mutual + authentication when connecting to the gateway. + + In browsers this may result in a dialog + appearing + + that requests a user to specify the client + certificate. + + The maximum depth of a certificate chain + accepted in verification is Implementation + specific. + + + Support: Core + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more + references to Kubernetes + + objects that contain a PEM-encoded TLS CA + certificate bundle, which + + is used as a trust anchor to validate the + certificates presented by + + the client. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be + resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported + kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another + namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. 
If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform + further validation of the + + certificate content (e.g., checking expiry + or enforcing specific formats). + + In such cases, an implementation-specific + Reason and Message MUST be set. + + + In all cases, the implementation MUST ensure + that the `ResolvedRefs` + + condition is set to `status: False` on all + targeted listeners (i.e., + + listeners serving HTTPS on a matching port). + The condition MUST + + include a Reason and Message that indicate + the cause of the error. If + + ALL CACertificateRefs are invalid, the + implementation MUST also ensure + + the `Accepted` condition on the listener is + set to `status: False`, with + + the Reason `NoValidCACertificate`. + + Implementations MAY choose to support + attaching multiple CA certificates + + to a listener, but this behavior is + implementation-specific. + + + Support: Core - A single reference to a + Kubernetes ConfigMap, with the + + CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More than + one reference, other kinds + + of resources, or a single reference that + includes multiple certificates. + items: + description: >- + ObjectReference identifies an API object + including its namespace. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group + and Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When set to the empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: >- + FrontendValidationMode defines the mode for + validating the client certificate. + + There are two possible modes: + + + - AllowValidOnly: In this mode, the gateway + will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the + gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. 
+ + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: >- + PerPort specifies tls configuration assigned per + port. + + Per port configuration is optional. Once set this + configuration overrides + + the default configuration for all Listeners handling + HTTPS traffic + + that match this port. + + Each override port requires a unique TLS + configuration. + + + support: Core + items: + properties: + port: + description: >- + The Port indicates the Port Number to which + the TLS configuration will be + + applied. This configuration will be applied to + all Listeners handling HTTPS + + traffic that match this port. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: >- + TLS store the configuration that will be + applied to all Listeners handling + + HTTPS traffic and matching given port. + + + Support: Core + properties: + validation: + description: >- + Validation holds configuration information + for validating the frontend (client). + + Setting this field will result in mutual + authentication when connecting to the + gateway. + + In browsers this may result in a dialog + appearing + + that requests a user to specify the client + certificate. + + The maximum depth of a certificate chain + accepted in verification is Implementation + specific. + + + Support: Core + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more + references to Kubernetes + + objects that contain a PEM-encoded TLS + CA certificate bundle, which + + is used as a trust anchor to validate + the certificates presented by + + the client. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be + resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). 
In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported + kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another + namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform + further validation of the + + certificate content (e.g., checking + expiry or enforcing specific formats). + + In such cases, an + implementation-specific Reason and + Message MUST be set. + + + In all cases, the implementation MUST + ensure that the `ResolvedRefs` + + condition is set to `status: False` on + all targeted listeners (i.e., + + listeners serving HTTPS on a matching + port). The condition MUST + + include a Reason and Message that + indicate the cause of the error. If + + ALL CACertificateRefs are invalid, the + implementation MUST also ensure + + the `Accepted` condition on the listener + is set to `status: False`, with + + the Reason `NoValidCACertificate`. + + Implementations MAY choose to support + attaching multiple CA certificates + + to a listener, but this behavior is + implementation-specific. + + + Support: Core - A single reference to a + Kubernetes ConfigMap, with the + + CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More + than one reference, other kinds + + of resources, or a single reference that + includes multiple certificates. 
+ items: + description: >- + ObjectReference identifies an API object + including its namespace. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group + and Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When set to the empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: >- + FrontendValidationMode defines the mode + for validating the client certificate. + + There are two possible modes: + + + - AllowValidOnly: In this mode, the + gateway will accept connections only if + the client presents a valid certificate. 
This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, + the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + Port for TLS configuration must be unique within + the Gateway + rule: >- + self.all(t1, self.exists_one(t2, t1.port == + t2.port)) + required: + - default + type: object + type: object + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: >- + Addresses lists the network addresses that have been bound + to the + + Gateway. + + + This list may differ from the addresses provided in the spec + under some + + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + items: + description: >- + GatewayStatusAddress describes a network address that is + bound to a Gateway. 
+ oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: >- + ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: >- + Value of the address. The validity of the values will + depend + + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: >- + Hostname value must only contain valid characters + (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: >- + self.type == 'Hostname' ? + self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + attachedListenerSets: + description: >- + AttachedListenerSets represents the total number of + ListenerSets that have been + + successfully attached to this Gateway. + + + A ListenerSet is successfully attached to a Gateway when all + the following conditions are met: + + - The ListenerSet is selected by the Gateway's + AllowedListeners field + + - The ListenerSet has a valid ParentRef selecting the + Gateway + + - The ListenerSet's status has the condition "Accepted: + true" + + + Uses for this field include troubleshooting + AttachedListenerSets attachment and + + measuring blast radius/impact of changes to a Gateway. 
+ format: int32 + type: integer + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: >- + Conditions describe the current conditions of the Gateway. + + + Implementations should prefer to express Gateway conditions + + using the `GatewayConditionType` and + `GatewayConditionReason` + + constants so that operators and tools can converge on a + common + + vocabulary to describe Gateway state. + + + Known condition types are: + + + * "Accepted" + + * "Programmed" + + * "Ready" + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
+ + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: >- + Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: >- + AttachedRoutes represents the total number of Routes + that have been + + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is + based solely on the + + combination of the AllowedRoutes field on the + corresponding Listener + + and the Route's ParentRefs field. A Route is + successfully attached to + + a Listener when it is selected by the Listener's + AllowedRoutes field + + AND the Route has a valid ParentRef selecting the + whole Gateway + + resource or a specific Listener as a parent resource + (more detail on + + attachment semantics can be found in the documentation + on the various + + Route kinds ParentRefs fields). Listener or Route + status does not impact + + successful attachment, i.e. 
the AttachedRoutes field + count MUST be set + + for Listeners, even if the Accepted condition of an + individual Listener is set + + to "False". The AttachedRoutes number represents the + number of Routes with + + the Accepted condition set to "True" that have been + attached to this Listener. + + Routes with any other value for the Accepted condition + MUST NOT be included + + in this count. + + + Uses for this field include troubleshooting Route + attachment and + + measuring blast radius/impact of changes to a + Listener. + format: int32 + type: integer + conditions: + description: >- + Conditions describe the current condition of this + listener. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. 
+ + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: >- + Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: >- + SupportedKinds is the list indicating the Kinds + supported by this + + listener. This MUST represent the kinds supported by + an implementation for + + that Listener configuration. + + + If kinds are specified in Spec that are not supported, + they MUST NOT + + appear in this list and an implementation MUST set the + "ResolvedRefs" + + condition to "False" with the "InvalidRouteKinds" + reason. If both valid + + and invalid Route kinds are specified, the + implementation MUST + + reference the valid Route kinds that have been + specified. + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: >- + Gateway represents an instance of a service-traffic handling + infrastructure + + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: >- + Addresses requested for this Gateway. This is optional and + behavior can + + depend on the implementation. 
If a value is set in the spec + and the + + requested address is invalid or unavailable, the + implementation MUST + + indicate this in an associated entry in + GatewayStatus.Conditions. + + + The Addresses field represents a request for the address(es) + on the + + "outside of the Gateway", that traffic bound for this + Gateway will use. + + This could be the IP address or hostname of an external load + balancer or + + other networking infrastructure, or some other address that + traffic will + + be sent to. + + + If no Addresses are specified, the implementation MAY + schedule the + + Gateway in an implementation-specific manner, assigning an + appropriate + + set of Addresses. + + + The implementation MUST bind all Listeners to every + GatewayAddress that + + it assigns to the Gateway and add a corresponding entry in + + GatewayStatus.Addresses. + + + Support: Extended + items: + description: >- + GatewaySpecAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: >- + ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: >- + When a value is unspecified, an implementation SHOULD + automatically + + assign an address matching the requested type if + possible. + + + If an implementation does not support an empty value, + they MUST set the + + "Programmed" condition in status to False with a + reason of "AddressNotAssigned". + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. 
+ maxLength: 253 + type: string + type: object + x-kubernetes-validations: + - message: >- + Hostname value must be empty or contain only valid + characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: >- + self.type == 'Hostname' ? (!has(self.value) || + self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): + true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: >- + self.all(a1, a1.type == 'IPAddress' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) + && a2.value == a1.value) : true ) + - message: Hostname values must be unique + rule: >- + self.all(a1, a1.type == 'Hostname' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) + && a2.value == a1.value) : true ) + allowedListeners: + description: >- + AllowedListeners defines which ListenerSets can be attached + to this Gateway. + + The default value is to allow no ListenerSets. + properties: + namespaces: + default: + from: None + description: >- + Namespaces defines which namespaces ListenerSets can be + attached to this Gateway. + + The default value is to allow no ListenerSets. + properties: + from: + default: None + description: >- + From indicates where ListenerSets can attach to this + Gateway. Possible + + values are: + + + * Same: Only ListenerSets in the same namespace may + be attached to this Gateway. + + * Selector: ListenerSets in namespaces selected by + the selector may be attached to this Gateway. + + * All: ListenerSets in all namespaces may be + attached to this Gateway. + + * None: Only listeners defined in the Gateway's spec + are allowed + + + The default value None + enum: + - All + - Selector + - Same + - None + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". 
In that case, + + only ListenerSets in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other values of + "From". + properties: + matchExpressions: + description: >- + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector + that contains values, a key, and an operator + that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array + is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is "key", the + + operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + gatewayClassName: + description: >- + GatewayClassName used for this Gateway. This is the name of + a + + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: >- + Infrastructure defines infrastructure level attributes about + this Gateway instance. 
+ + + Support: Extended + properties: + annotations: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. This + roughly matches Kubernetes + + annotation validation, although the length validation + in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Annotations that SHOULD be applied to any resources + created in response to this Gateway. + + + For implementations creating other Kubernetes objects, + this should be the `metadata.annotations` field on + resources. + + For other implementations, this refers to any relevant + (implementation specific) "annotations" concepts. + + + An implementation may chose to add additional + implementation-specific annotations as they see fit. + + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: >- + Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name + segment of up to 63 characters. + rule: >- + self.all(key, + key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: >- + If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in + total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: >- + LabelValue is the value of a label in the Gateway API. + This is used for validation + + of maps such as Gateway infrastructure labels. This + matches the Kubernetes + + label validation rules: + + * must be 63 characters or less (can be empty), + + * unless empty, must begin and end with an + alphanumeric character ([a-z0-9A-Z]), + + * could contain dashes (-), underscores (_), dots (.), + and alphanumerics between. 
+ + + Valid values include: + + + * MyValue + + * my.name + + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: >- + Labels that SHOULD be applied to any resources created + in response to this Gateway. + + + For implementations creating other Kubernetes objects, + this should be the `metadata.labels` field on resources. + + For other implementations, this refers to any relevant + (implementation specific) "labels" concepts. + + + An implementation may chose to add additional + implementation-specific labels as they see fit. + + + If an implementation maps these labels to Pods, or any + other resource that would need to be recreated when + labels + + change, it SHOULD clearly warn about this behavior in + documentation. + + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: >- + Label keys must be in the form of an optional DNS + subdomain prefix followed by a required name segment + of up to 63 characters. + rule: >- + self.all(key, + key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: >- + If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: >- + ParametersRef is a reference to a resource that contains + the configuration + + parameters corresponding to the Gateway. This is + optional if the + + controller does not require any additional + configuration. + + + This follows the same semantics as GatewayClass's + `parametersRef`, but on a per-Gateway basis + + + The Gateway's GatewayClass may provide its own + `parametersRef`. When both are specified, + + the merging behavior is implementation specific. + + It is generally recommended that GatewayClass provides + defaults that can be overridden by a Gateway. 
+ + + If the referent cannot be found, refers to an + unsupported kind, or when + + the data within that resource is malformed, the Gateway + SHOULD be + + rejected with the "Accepted" status condition set to + "False" and an + + "InvalidParameters" reason. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: >- + Listeners associated with this Gateway. Listeners define + + logical endpoints that are bound on this Gateway's + addresses. + + At least one Listener MUST be specified. + + + ## Distinct Listeners + + + Each Listener in a set of Listeners (for example, in a + single Gateway) + + MUST be _distinct_, in that a traffic flow MUST be able to + be assigned to + + exactly one listener. (This section uses "set of Listeners" + rather than + + "Listeners in a single Gateway" because implementations MAY + merge configuration + + from multiple Gateways onto a single data plane, and these + rules _also_ + + apply in that case). + + + Practically, this means that each listener in a set MUST + have a unique + + combination of Port, Protocol, and, if supported by the + protocol, Hostname. + + + Some combinations of port, protocol, and TLS settings are + considered + + Core support and MUST be supported by implementations based + on the objects + + they support: + + + HTTPRoute + + + 1. HTTPRoute, Port: 80, Protocol: HTTP + + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: + Terminate, TLS keypair provided + + + TLSRoute + + + 1. 
TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + + "Distinct" Listeners have the following property: + + + **The implementation can match inbound requests to a single + distinct + + Listener**. + + + When multiple Listeners share values for fields (for + + example, two Listeners with the same Port value), the + implementation + + can match requests to only one of the Listeners using other + + Listener fields. + + + When multiple listeners have the same value for the Protocol + field, then + + each of the Listeners with matching Protocol values MUST + have different + + values for other fields. + + + The set of fields that MUST be different for a Listener + differs per protocol. + + The following rules define the rules for what fields MUST be + considered for + + Listeners to be distinct with each protocol currently + defined in the + + Gateway API spec. + + + The set of listeners that all share a protocol value MUST + have _different_ + + values for _at least one_ of these fields to be distinct: + + + * **HTTP, HTTPS, TLS**: Port, Hostname + + * **TCP, UDP**: Port + + + One **very** important rule to call out involves what + happens when an + + implementation: + + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, + or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as + one with TCP + Protocol. + + In this case all the Listeners that share a port with the + + TCP Listener are not distinct and so MUST NOT be accepted. + + + If an implementation does not support TCP Protocol + Listeners, then the + + previous rule does not apply, and the TCP Listeners SHOULD + NOT be + + accepted. + + + Note that the `tls` field is not used for determining if a + listener is distinct, because + + Listeners that _only_ differ on TLS config will still + conflict in all cases. 
+ + + ### Listeners that are distinct only by Hostname + + + When the Listeners are distinct based only on Hostname, + inbound request + + hostnames MUST match from the most specific to least + specific Hostname + + values to choose the correct Listener and its associated set + of Routes. + + + Exact matches MUST be processed before wildcard matches, and + wildcard + + matches MUST be processed before fallback (empty Hostname + value) + + matches. For example, `"foo.example.com"` takes precedence + over + + `"*.example.com"`, and `"*.example.com"` takes precedence + over `""`. + + + Additionally, if there are multiple wildcard entries, more + specific + + wildcard entries must be processed before less specific + wildcard entries. + + For example, `"*.foo.example.com"` takes precedence over + `"*.example.com"`. + + + The precise definition here is that the higher the number of + dots in the + + hostname to the right of the wildcard character, the higher + the precedence. + + + The wildcard character will match any number of characters + _and dots_ to + + the left, however, so `"*.example.com"` will match both + + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + + ## Handling indistinct Listeners + + + If a set of Listeners contains Listeners that are not + distinct, then those + + Listeners are _Conflicted_, and the implementation MUST set + the "Conflicted" + + condition in the Listener Status to "True". + + + The words "indistinct" and "conflicted" are considered + equivalent for the + + purpose of this documentation. + + + Implementations MAY choose to accept a Gateway with some + Conflicted + + Listeners only if they only accept the partial Listener set + that contains + + no Conflicted Listeners. + + + Specifically, an implementation MAY accept a partial + Listener set subject to + + the following rules: + + + * The implementation MUST NOT pick one conflicting Listener + as the winner. + ALL indistinct Listeners must not be accepted for processing. 
+ * At least one distinct Listener MUST be present, or else + the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition + on the + + Gateway Status when the Gateway contains Conflicted + Listeners whether or + + not they accept the Gateway. That Condition SHOULD clearly + + indicate in the Message which Listeners are conflicted, and + which are + + Accepted. Additionally, the Listener status for those + listeners SHOULD + + indicate which Listeners are conflicted and not Accepted. + + + ## General Listener behavior + + + Note that, for all distinct Listeners, requests SHOULD match + at most one Listener. + + For example, if Listeners are defined for "foo.example.com" + and "*.example.com", a + + request to "foo.example.com" SHOULD only be routed using + routes attached + + to the "foo.example.com" Listener (and not the + "*.example.com" Listener). + + + This concept is known as "Listener Isolation", and it is an + Extended feature + + of Gateway API. Implementations that do not support Listener + Isolation MUST + + clearly document this, and MUST NOT claim support for the + + `GatewayHTTPListenerIsolation` feature. + + + Implementations that _do_ support Listener Isolation SHOULD + claim support + + for the Extended `GatewayHTTPListenerIsolation` feature and + pass the associated + + conformance tests. + + + ## Compatible Listeners + + + A Gateway's Listeners are considered _compatible_ if: + + + 1. They are distinct. + + 2. The implementation can serve them in compliance with the + Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to + vary across + + implementations. A combination that is compatible for one + implementation + + may not be compatible for another. 
+ + + For example, an implementation that cannot serve both TCP + and UDP listeners + + on the same address, or cannot mix HTTPS and generic TLS + listens on the same port + + would not consider those cases compatible, even though they + are distinct. + + + Implementations MAY merge separate Gateways onto a single + set of + + Addresses if all Listeners across all Gateways are + compatible. + + + In a future release the MinItems=1 requirement MAY be + dropped. + + + Support: Core + items: + description: >- + Listener embodies the concept of a logical endpoint where + a Gateway accepts + + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: >- + AllowedRoutes defines the types of routes that MAY be + attached to a + + Listener and the trusted namespaces where those Route + resources MAY be + + present. + + + Although a client request may match multiple route + rules, only one rule + + may ultimately receive the request. Matching + precedence MUST be + + determined in order of the following criteria: + + + * The most specific match as defined by the Route + type. + + * The oldest Route based on creation timestamp. For + example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route + appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this + Listener should be + + implemented. Invalid Route rules can be ignored + (sometimes that will mean + + the full Route). If a Route rule transitions from + valid to invalid, + + support for that Route rule should be dropped to + ensure consistency. For + + example, even if a filter specified by a Route rule is + invalid, the rest + + of the rules within that Route should still be + supported. 
+ + + Support: Core + properties: + kinds: + description: >- + Kinds specifies the groups and kinds of Routes + that are allowed to bind + + to this Gateway Listener. When unspecified or + empty, the kinds of Routes + + selected are determined using the Listener + protocol. + + + A RouteGroupKind MUST correspond to kinds of + Routes that are compatible + + with the application protocol specified in the + Listener's Protocol field. + + If an implementation does not support or recognize + this resource type, it + + MUST set the "ResolvedRefs" condition to False for + this Listener with the + + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: >- + Namespaces indicates namespaces from which Routes + may be attached to this + + Listener. This is restricted to the namespace of + this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: >- + From indicates where Routes will be selected + for this Gateway. Possible + + values are: + + + * All: Routes in all namespaces may be used by + this Gateway. + + * Selector: Routes in namespaces selected by + the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may + be used by this Gateway. 
+ + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". In that case, + + only Routes in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other + values of "From". + + + Support: Core + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: >- + Hostname specifies the virtual hostname to match for + protocol types that + + define this concept. When unspecified, all hostnames + are matched. 
This + + field is ignored for protocols that don't require + hostname based + + matching. + + + Implementations MUST apply Hostname matching + appropriately for each of + + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + + * HTTP: The Listener Hostname MUST match the Host + header of the request. + + * HTTPS: The Listener Hostname SHOULD match both the + SNI and Host header. + Note that this does not require the SNI and Host header to be the same. + The semantics of this are described in more detail below. + + To ensure security, Section 11.1 of RFC-6066 + emphasizes that server + + implementations that rely on SNI hostname matching + MUST also verify + + hostnames within the application protocol. + + + Section 9.1.2 of RFC-7540 provides a mechanism for + servers to reject the + + reuse of a connection by responding with the HTTP 421 + Misdirected Request + + status code. This indicates that the origin server has + rejected the + + request because it appears to have been misdirected. + + + To detect misdirected requests, Gateways SHOULD match + the authority of + + the requests with all the SNI hostname(s) configured + across all the + + Gateway Listeners on the same port and protocol: + + + * If another Listener has an exact match or more + specific wildcard entry, + the Gateway SHOULD return a 421. + * If the current Listener (selected by SNI matching + during ClientHello) + does not match the Host: + * If another Listener does match the Host, the Gateway SHOULD return a + 421. + * If no other Listener matches the Host, the Gateway MUST return a + 404. + + For HTTPRoute and TLSRoute resources, there is an + interaction with the + + `spec.hostnames` array. When both listener and route + specify hostnames, + + there MUST be an intersection between the values for a + Route to be + + accepted. For more information, refer to the Route + specific Hostnames + + documentation. 
+ + + Hostnames that are prefixed with a wildcard label + (`*.`) are interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, + but not `example.com`. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: >- + Name is the name of the Listener. This name MUST be + unique within a + + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: >- + Port is the network port. Multiple listeners may use + the + + same port, subject to the Listener compatibility + rules. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: >- + Protocol specifies the network protocol this listener + expects to receive. + + + Support: Core + maxLength: 255 + minLength: 1 + pattern: >- + ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: >- + TLS is the TLS configuration for the Listener. This + field is required if + + the Protocol field is "HTTPS" or "TLS". It is invalid + to set this field + + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in + ListenerTLSConfig is + + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out + of all + + available certificates for any TLS handshake. + + + Support: Core + properties: + certificateRefs: + description: >- + CertificateRefs contains a series of references to + Kubernetes objects that + + contains TLS certificates and private keys. 
These + certificates are used to + + establish a TLS handshake for requests that match + the hostname of the + + associated listener. + + + A single CertificateRef to a Kubernetes Secret has + "Core" support. + + Implementations MAY choose to support attaching + multiple certificates to + + a Listener, but this behavior is + implementation-specific. + + + References to a resource in different namespace + are invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the certificate + + to be attached. If a ReferenceGrant does not allow + this reference, the + + "ResolvedRefs" condition MUST be set to False for + this listener with the + + "RefNotPermitted" reason. + + + This field is required to have at least one + element when the mode is set + + to "Terminate" (default) and is optional + otherwise. + + + CertificateRefs can reference to standard + Kubernetes resources, i.e. + + Secret, or implementation-specific custom + resources. + + + Support: Core - A single reference to a Kubernetes + Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one + reference or other resource types) + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the + Group and Kind must + + be registered in the cluster for this reference + to be valid. + + + References to objects with invalid Group and + Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: >- + Mode defines the TLS behavior for the TLS session + initiated by the client. + + There are two possible modes: + + + - Terminate: The TLS session between the + downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated + by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. 
This + roughly matches Kubernetes + + annotation validation, although the length + validation in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable + extended TLS + + configuration for each implementation. For + example, configuring the + + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in + the future. To avoid + + any ambiguity, implementation-specific definitions + MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names + defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: >- + certificateRefs or options must be specified when + mode is Terminate + rule: >- + self.mode == 'Terminate' ? + size(self.certificateRefs) > 0 || + size(self.options) > 0 : true + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['HTTP', 'TCP', 'UDP'] ? + !has(l.tls) : true) + - message: tls mode must be Terminate for protocol HTTPS + rule: >- + self.all(l, (l.protocol == 'HTTPS' && has(l.tls)) ? + (l.tls.mode == '' || l.tls.mode == 'Terminate') : true) + - message: tls mode must be set for protocol TLS + rule: >- + self.all(l, (l.protocol == 'TLS' ? has(l.tls) && + has(l.tls.mode) && l.tls.mode != '' : true)) + - message: >- + hostname must not be specified for protocols ['TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['TCP', 'UDP'] ? 
+ (!has(l.hostname) || l.hostname == '') : true) + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: >- + Combination of port, protocol and hostname must be + unique for each listener + rule: >- + self.all(l1, self.exists_one(l2, l1.port == l2.port && + l1.protocol == l2.protocol && (has(l1.hostname) && + has(l2.hostname) ? l1.hostname == l2.hostname : + !has(l1.hostname) && !has(l2.hostname)))) + tls: + description: >- + TLS specifies frontend and backend tls configuration for + entire gateway. + + + Support: Extended + properties: + backend: + description: >- + Backend describes TLS configuration for gateway when + connecting + + to backends. + + + Note that this contains only details for the Gateway as + a TLS client, + + and does _not_ imply behavior about how to choose which + backend should + + get a TLS connection. That is determined by the presence + of a BackendTLSPolicy. + + + Support: Core + properties: + clientCertificateRef: + description: >- + ClientCertificateRef references an object that + contains a client certificate + + and its associated private key. It can reference + standard Kubernetes resources, + + i.e., Secret, or implementation-specific custom + resources. + + + A ClientCertificateRef is considered invalid if: + + + * It refers to a resource that cannot be resolved + (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace + UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. 
+ If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further + validation of the certificate + + content (e.g., checking expiry or enforcing specific + formats). In such cases, + + an implementation-specific Reason and Message MUST + be set. + + + Support: Core - Reference to a Kubernetes TLS Secret + (with the type `kubernetes.io/tls`). + + Support: Implementation-specific - Other resource + kinds or Secrets with a + + different type (e.g., `Opaque`). + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: >- + Frontend describes TLS config when client connects to + Gateway. 
+ + Support: Core + properties: + default: + description: >- + Default specifies the default client certificate + validation configuration + + for all Listeners handling HTTPS traffic, unless a + per-port configuration + + is defined. + + + support: Core + properties: + validation: + description: >- + Validation holds configuration information for + validating the frontend (client). + + Setting this field will result in mutual + authentication when connecting to the gateway. + + In browsers this may result in a dialog + appearing + + that requests a user to specify the client + certificate. + + The maximum depth of a certificate chain + accepted in verification is Implementation + specific. + + + Support: Core + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more + references to Kubernetes + + objects that contain a PEM-encoded TLS CA + certificate bundle, which + + is used as a trust anchor to validate the + certificates presented by + + the client. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be + resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported + kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another + namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. 
If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform + further validation of the + + certificate content (e.g., checking expiry + or enforcing specific formats). + + In such cases, an implementation-specific + Reason and Message MUST be set. + + + In all cases, the implementation MUST ensure + that the `ResolvedRefs` + + condition is set to `status: False` on all + targeted listeners (i.e., + + listeners serving HTTPS on a matching port). + The condition MUST + + include a Reason and Message that indicate + the cause of the error. If + + ALL CACertificateRefs are invalid, the + implementation MUST also ensure + + the `Accepted` condition on the listener is + set to `status: False`, with + + the Reason `NoValidCACertificate`. + + Implementations MAY choose to support + attaching multiple CA certificates + + to a listener, but this behavior is + implementation-specific. + + + Support: Core - A single reference to a + Kubernetes ConfigMap, with the + + CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More than + one reference, other kinds + + of resources, or a single reference that + includes multiple certificates. + items: + description: >- + ObjectReference identifies an API object + including its namespace. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group + and Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When set to the empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: >- + FrontendValidationMode defines the mode for + validating the client certificate. + + There are two possible modes: + + + - AllowValidOnly: In this mode, the gateway + will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the + gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. 
+ + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: >- + PerPort specifies tls configuration assigned per + port. + + Per port configuration is optional. Once set this + configuration overrides + + the default configuration for all Listeners handling + HTTPS traffic + + that match this port. + + Each override port requires a unique TLS + configuration. + + + support: Core + items: + properties: + port: + description: >- + The Port indicates the Port Number to which + the TLS configuration will be + + applied. This configuration will be applied to + all Listeners handling HTTPS + + traffic that match this port. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: >- + TLS store the configuration that will be + applied to all Listeners handling + + HTTPS traffic and matching given port. + + + Support: Core + properties: + validation: + description: >- + Validation holds configuration information + for validating the frontend (client). + + Setting this field will result in mutual + authentication when connecting to the + gateway. + + In browsers this may result in a dialog + appearing + + that requests a user to specify the client + certificate. + + The maximum depth of a certificate chain + accepted in verification is Implementation + specific. + + + Support: Core + properties: + caCertificateRefs: + description: >- + CACertificateRefs contains one or more + references to Kubernetes + + objects that contain a PEM-encoded TLS + CA certificate bundle, which + + is used as a trust anchor to validate + the certificates presented by + + the client. + + + A CACertificateRef is invalid if: + + + * It refers to a resource that cannot be + resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). 
In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported + kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another + namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform + further validation of the + + certificate content (e.g., checking + expiry or enforcing specific formats). + + In such cases, an + implementation-specific Reason and + Message MUST be set. + + + In all cases, the implementation MUST + ensure that the `ResolvedRefs` + + condition is set to `status: False` on + all targeted listeners (i.e., + + listeners serving HTTPS on a matching + port). The condition MUST + + include a Reason and Message that + indicate the cause of the error. If + + ALL CACertificateRefs are invalid, the + implementation MUST also ensure + + the `Accepted` condition on the listener + is set to `status: False`, with + + the Reason `NoValidCACertificate`. + + Implementations MAY choose to support + attaching multiple CA certificates + + to a listener, but this behavior is + implementation-specific. + + + Support: Core - A single reference to a + Kubernetes ConfigMap, with the + + CA certificate in a key named `ca.crt`. + + + Support: Implementation-specific - More + than one reference, other kinds + + of resources, or a single reference that + includes multiple certificates. 
+ items: + description: >- + ObjectReference identifies an API object + including its namespace. + + + The API object must be valid in the + cluster; the Group and Kind must + + be registered in the cluster for this + reference to be valid. + + + References to objects with invalid Group + and Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When set to the empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + referenced object. When unspecified, the + local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: >- + FrontendValidationMode defines the mode + for validating the client certificate. + + There are two possible modes: + + + - AllowValidOnly: In this mode, the + gateway will accept connections only if + the client presents a valid certificate. 
This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, + the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + Port for TLS configuration must be unique within + the Gateway + rule: >- + self.all(t1, self.exists_one(t2, t1.port == + t2.port)) + required: + - default + type: object + type: object + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: >- + Addresses lists the network addresses that have been bound + to the + + Gateway. + + + This list may differ from the addresses provided in the spec + under some + + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + items: + description: >- + GatewayStatusAddress describes a network address that is + bound to a Gateway. 
+ oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: >- + ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: >- + Value of the address. The validity of the values will + depend + + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: >- + Hostname value must only contain valid characters + (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: >- + self.type == 'Hostname' ? + self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + attachedListenerSets: + description: >- + AttachedListenerSets represents the total number of + ListenerSets that have been + + successfully attached to this Gateway. + + + A ListenerSet is successfully attached to a Gateway when all + the following conditions are met: + + - The ListenerSet is selected by the Gateway's + AllowedListeners field + + - The ListenerSet has a valid ParentRef selecting the + Gateway + + - The ListenerSet's status has the condition "Accepted: + true" + + + Uses for this field include troubleshooting + AttachedListenerSets attachment and + + measuring blast radius/impact of changes to a Gateway. 
+ format: int32 + type: integer + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: >- + Conditions describe the current conditions of the Gateway. + + + Implementations should prefer to express Gateway conditions + + using the `GatewayConditionType` and + `GatewayConditionReason` + + constants so that operators and tools can converge on a + common + + vocabulary to describe Gateway state. + + + Known condition types are: + + + * "Accepted" + + * "Programmed" + + * "Ready" + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
+ + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: >- + Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: >- + AttachedRoutes represents the total number of Routes + that have been + + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is + based solely on the + + combination of the AllowedRoutes field on the + corresponding Listener + + and the Route's ParentRefs field. A Route is + successfully attached to + + a Listener when it is selected by the Listener's + AllowedRoutes field + + AND the Route has a valid ParentRef selecting the + whole Gateway + + resource or a specific Listener as a parent resource + (more detail on + + attachment semantics can be found in the documentation + on the various + + Route kinds ParentRefs fields). Listener or Route + status does not impact + + successful attachment, i.e. 
the AttachedRoutes field + count MUST be set + + for Listeners, even if the Accepted condition of an + individual Listener is set + + to "False". The AttachedRoutes number represents the + number of Routes with + + the Accepted condition set to "True" that have been + attached to this Listener. + + Routes with any other value for the Accepted condition + MUST NOT be included + + in this count. + + + Uses for this field include troubleshooting Route + attachment and + + measuring blast radius/impact of changes to a + Listener. + format: int32 + type: integer + conditions: + description: >- + Conditions describe the current condition of this + listener. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. 
+ + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: >- + Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: >- + SupportedKinds is the list indicating the Kinds + supported by this + + listener. This MUST represent the kinds supported by + an implementation for + + that Listener configuration. + + + If kinds are specified in Spec that are not supported, + they MUST NOT + + appear in this list and an implementation MUST set the + "ResolvedRefs" + + condition to "False" with the "InvalidRouteKinds" + reason. If both valid + + and invalid Route kinds are specified, the + implementation MUST + + reference the valid Route kinds that have been + specified. + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/grpcroutes.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/grpcroutes.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..7fa7882 --- /dev/null +++ b/_/CustomResourceDefinition/grpcroutes.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,3295 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + GRPCRoute provides a way to route gRPC requests. This includes the + capability + + to match requests by hostname, gRPC service, gRPC method, or HTTP/2 + header. + + Filters can be used to specify additional processing steps. Backends + specify + + where matching requests will be routed. + + + GRPCRoute falls under extended support within the Gateway API. + Within the + + following specification, the word "MUST" indicates that an + implementation + + supporting GRPCRoute must conform to the indicated requirement, but + an + + implementation not supporting this route type need not follow the + requirement + + unless explicitly indicated. + + + Implementations supporting `GRPCRoute` with the `HTTPS` + `ProtocolType` MUST + + accept HTTP/2 connections without an initial upgrade from HTTP/1.1, + i.e. via + + ALPN. If the implementation does not support this, then it MUST set + the + + "Accepted" condition to "False" for the affected listener with a + reason of + + "UnsupportedProtocol". Implementations MAY also accept HTTP/2 + connections + + with an upgrade from HTTP/1. 
+ + + Implementations supporting `GRPCRoute` with the `HTTP` + `ProtocolType` MUST + + support HTTP/2 over cleartext TCP (h2c, + + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an + initial + + upgrade from HTTP/1.1, i.e. with prior knowledge + + (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the + implementation + + does not support this, then it MUST set the "Accepted" condition to + "False" + + for the affected listener with a reason of "UnsupportedProtocol". + + Implementations MAY also accept HTTP/2 connections with an upgrade + from + + HTTP/1, i.e. without prior knowledge. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: >- + Hostnames defines a set of hostnames to match against the + GRPC + + Host header to select a GRPCRoute to process the request. + This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + + 1. IPs are not allowed. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label MUST appear by itself as the first label. 
+ + If a hostname is specified by both the Listener and + GRPCRoute, there + + MUST be at least one intersecting hostname for the GRPCRoute + to be + + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches + GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches + GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are + interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, but not + `example.com`. + + + If both the Listener and GRPCRoute have specified hostnames, + any + + GRPCRoute hostnames that do not match the Listener hostname + MUST be + + ignored. For example, if a Listener specified + `*.example.com`, and the + + GRPCRoute specified `test.example.com` and + `test.example.net`, + + `test.example.net` MUST NOT be considered for a match. + + + If both the Listener and GRPCRoute have specified hostnames, + and none + + match with the criteria above, then the GRPCRoute MUST NOT + be accepted by + + the implementation. The implementation MUST raise an + 'Accepted' Condition + + with a status of `False` in the corresponding + RouteParentStatus. 
+ + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to + a + + Listener and that listener already has another Route (B) of + the other + + type attached and the intersection of the hostnames of A and + B is + + non-empty, then the implementation MUST accept exactly one + of these two + + routes, determined by the following criteria, in order: + + + * The oldest Route based on creation timestamp. + + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + The rejected Route MUST raise an 'Accepted' condition with a + status of + + 'False' in the corresponding RouteParentStatus. + + + Support: Core + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. 
For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. 
+ + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. 
+ + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: >- + GRPCRouteRule defines the semantics for matching a gRPC + request based on + + conditions (matches), processing it (filters), and + forwarding the request to + + an API object (backendRefs). + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. + + + Failure behavior here depends on how many BackendRefs + are specified and + + how many are invalid. 
+ + + If *all* entries in BackendRefs are invalid, and there + are also no filters + + specified in this route rule, *all* traffic which + matches this rule MUST + + receive an `UNAVAILABLE` status. + + + See the GRPCBackendRef definition for the rules about + what makes a single + + GRPCBackendRef invalid. + + + When a GRPCBackendRef is invalid, `UNAVAILABLE` + statuses MUST be returned for + + requests that would have otherwise been routed to an + invalid backend. If + + multiple backends are specified, and some are invalid, + the proportion of + + requests that would otherwise have been routed to an + invalid backend + + MUST receive an `UNAVAILABLE` status. + + + For example, if two backends are specified with equal + weights, and one is + + invalid, 50 percent of traffic MUST receive an + `UNAVAILABLE` status. + + Implementations may choose how that 50 percent is + determined. + + + Support: Core for Kubernetes Service + + + Support: Implementation-specific for any other + resource + + + Support for weight: Core + items: + description: >- + GRPCBackendRef defines how a GRPCRoute forwards a + gRPC request. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + properties: + filters: + description: >- + Filters defined at this level MUST be executed + if and only if the + + request is being forwarded to the backend + defined here. + + + Support: Implementation-specific (For broader + support of filters, use the + + Filters field in GRPCRouteRule.) + items: + description: >- + GRPCRouteFilter defines processing steps that + must be completed during the + + request or response lifecycle. + GRPCRouteFilters are meant as an extension + + point to express processing that may be done + in Gateway implementations. 
Some + + examples include request or response + modification, implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the + type of the filter. + properties: + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef + MUST NOT be used for core and + + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times + within the same rule. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for + a filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. 
Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a + filter that mirrors requests. + + Requests are sent to the specified + destination, but responses from + + that destination are ignored. + + + This filter can be used multiple times + within the same rule. Note that + + not all implementations will be able to + support mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of + how many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. 
+ + + If there is a cross-namespace reference + to an *existing* object + + that is not allowed by a ReferenceGrant, + the controller must ensure the + + "ResolvedRefs" condition on the Route + is set to `status: False`, + + with the "RefNotPermitted" reason and + not configure this backend in the + + underlying implementation. + + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail + about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. 
+ + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of + requests that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum + value is 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: >- + !(has(self.percent) && + has(self.fraction)) + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema + for a filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. 
Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to + apply. As with other API fields, + + types are classified into three + conformance levels: + + + - Core: Filter types and their + corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". 
All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their + corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that + are defined and supported by specific + vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define + custom implementation types to + + extend the core API with + implementation-specific behavior. + + + If a reference to a custom filter type + cannot be resolved, the filter + + MUST NOT be skipped. Instead, requests + that would have been processed by + + that filter MUST receive a HTTP error + response. 
+ enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.requestHeaderModifier must be nil + if the filter.type is not + RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && + self.type != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be + specified for RequestHeaderModifier + filter.type + rule: >- + !(!has(self.requestHeaderModifier) && + self.type == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil + if the filter.type is not + ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && + self.type != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be + specified for ResponseHeaderModifier + filter.type + rule: >- + !(!has(self.responseHeaderModifier) && + self.type == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type == + 'RequestMirror') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + RequestHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: >- + ResponseHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 
'ResponseHeaderModifier').size() <= 1 + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. 
+ + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: >- + Filters define the filters that are applied to + requests that match + + this rule. + + + The effects of ordering of multiple behaviors are + currently unspecified. + + This can change in the future based on feedback during + the alpha stage. + + + Conformance-levels at this level are defined based on + the type of filter: + + + - ALL core filters MUST be supported by all + implementations that support + GRPCRoute. + - Implementers are encouraged to support extended + filters. + + - Implementation-specific custom filters have no API + guarantees across + implementations. + + Specifying the same filter multiple times is not + supported unless explicitly + + indicated in the filter. 
+ + + If an implementation cannot support a combination of + filters, it must clearly + + document that limitation. In cases where incompatible + or unsupported + + filters are specified and cause the `Accepted` + condition to be set to status + + `False`, implementations may use the + `IncompatibleFilters` reason to specify + + this configuration error. + + + Support: Core + items: + description: >- + GRPCRouteFilter defines processing steps that must + be completed during the + + request or response lifecycle. GRPCRouteFilters are + meant as an extension + + point to express processing that may be done in + Gateway implementations. Some + + examples include request or response modification, + implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef MUST NOT + be used for core and + + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within + the same rule. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for a + filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a filter that + mirrors requests. + + Requests are sent to the specified destination, + but responses from + + that destination are ignored. + + + This filter can be used multiple times within + the same rule. Note that + + not all implementations will be able to support + mirroring to multiple + + backends. 
+ + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of how + many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference to + an *existing* object + + that is not allowed by a ReferenceGrant, the + controller must ensure the + + "ResolvedRefs" condition on the Route is + set to `status: False`, + + with the "RefNotPermitted" reason and not + configure this backend in the + + underlying implementation. + + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail about + the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). 
+ Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of requests + that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum value is + 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema for a + filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. 
Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to apply. As + with other API fields, + + types are classified into three conformance + levels: + + + - Core: Filter types and their corresponding + configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their corresponding + configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are + defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom + implementation types to + + extend the core API with implementation-specific + behavior. + + + If a reference to a custom filter type cannot be + resolved, the filter + + MUST NOT be skipped. Instead, requests that + would have been processed by + + that filter MUST receive a HTTP error response. 
+ enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && self.type + != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: >- + !(!has(self.requestHeaderModifier) && self.type + == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && self.type + != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: >- + !(!has(self.responseHeaderModifier) && self.type + == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type == + 'RequestMirror') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + 
matches: + description: >- + Matches define conditions used for matching the rule + against incoming + + gRPC requests. Each match is independent, i.e. this + rule will be matched + + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + + matches: + + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` + + + For a request to match against this rule, it MUST + satisfy + + EITHER of the two conditions: + + + - service of foo.bar AND contains the header `version: + 2` + + - service of foo.bar.v2 + + + See the documentation for GRPCRouteMatch on how to + specify multiple + + match conditions to be ANDed together. + + + If no matches are specified, the implementation MUST + match every gRPC request. + + + Proxy or Load Balancer routing configuration generated + from GRPCRoutes + + MUST prioritize rules based on the following criteria, + continuing on + + ties. Merging MUST not be done between GRPCRoutes and + HTTPRoutes. + + Precedence MUST be given to the rule with the largest + number of: + + + * Characters in a matching non-wildcard hostname. + + * Characters in a matching hostname. + + * Characters in a matching service. + + * Characters in a matching method. + + * Header matches. + + + If ties still exist across multiple Routes, matching + precedence MUST be + + determined in order of the following criteria, + continuing on ties: + + + * The oldest Route based on creation timestamp. + + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within the Route that has been + given precedence, + + matching precedence MUST be granted to the first + matching rule meeting + + the above criteria. + items: + description: >- + GRPCRouteMatch defines the predicate used to match + requests to a given + + action. Multiple match types are ANDed together, + i.e. 
the match will + + evaluate to true only if all conditions are + satisfied. + + + For example, the match below will match a gRPC + request only if its service + + is `foo` AND it contains the `version: v1` header: + + + ``` + + matches: + - method: + type: Exact + service: "foo" + - headers: + name: "version" + value "v1" + + ``` + properties: + headers: + description: >- + Headers specifies gRPC request header matchers. + Multiple match values are + + ANDed together, meaning, a request MUST match + all the specified headers + + to select the route. + items: + description: >- + GRPCHeaderMatch describes how to select a gRPC + route by matching gRPC request + + headers. + properties: + name: + description: >- + Name is the name of the gRPC Header to be + matched. + + + If multiple entries specify equivalent + header names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent header name + MUST be ignored. Due to the + + case-insensitivity of header names, "foo" + and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of the gRPC Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: >- + Method specifies a gRPC request service/method + matcher. If this field is + + not specified, all services and methods will + match. + properties: + method: + description: >- + Value of the method to match against. If + left empty or omitted, will + + match all services. + + + At least one of Service and Method MUST be a + non-empty string. 
+ maxLength: 1024 + type: string + service: + description: >- + Value of the service to match against. If + left empty or omitted, will + + match any service. + + + At least one of Service and Method MUST be a + non-empty string. + maxLength: 1024 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + service and/or method. + + Support: Core (Exact with service and method + specified) + + + Support: Implementation-specific (Exact with + method specified but no service specified) + + + Support: Implementation-specific + (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: >- + One or both of 'service' or 'method' must be + specified + rule: >- + has(self.type) ? has(self.service) || + has(self.method) : true + - message: >- + service must only contain valid characters + (matching + ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: >- + (!has(self.type) || self.type == 'Exact') && + has(self.service) ? + self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true + - message: >- + method must only contain valid characters + (matching ^[A-Za-z_][A-Za-z_0-9]*$) + rule: >- + (!has(self.type) || self.type == 'Exact') && + has(self.method) ? + self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. 
+ + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must + be less than 128 + rule: >- + (self.size() > 0 ? (has(self[0].matches) ? + self[0].matches.size() : 0) : 0) + (self.size() > 1 ? + (has(self[1].matches) ? self[1].matches.size() : 0) : 0) + + (self.size() > 2 ? (has(self[2].matches) ? + self[2].matches.size() : 0) : 0) + (self.size() > 3 ? + (has(self[3].matches) ? self[3].matches.size() : 0) : 0) + + (self.size() > 4 ? (has(self[4].matches) ? + self[4].matches.size() : 0) : 0) + (self.size() > 5 ? + (has(self[5].matches) ? self[5].matches.size() : 0) : 0) + + (self.size() > 6 ? (has(self[6].matches) ? + self[6].matches.size() : 0) : 0) + (self.size() > 7 ? + (has(self[7].matches) ? self[7].matches.size() : 0) : 0) + + (self.size() > 8 ? (has(self[8].matches) ? + self[8].matches.size() : 0) : 0) + (self.size() > 9 ? + (has(self[9].matches) ? self[9].matches.size() : 0) : 0) + + (self.size() > 10 ? (has(self[10].matches) ? + self[10].matches.size() : 0) : 0) + (self.size() > 11 ? + (has(self[11].matches) ? self[11].matches.size() : 0) : + 0) + (self.size() > 12 ? (has(self[12].matches) ? + self[12].matches.size() : 0) : 0) + (self.size() > 13 ? + (has(self[13].matches) ? self[13].matches.size() : 0) : + 0) + (self.size() > 14 ? (has(self[14].matches) ? + self[14].matches.size() : 0) : 0) + (self.size() > 15 ? + (has(self[15].matches) ? self[15].matches.size() : 0) : + 0) <= 128 + type: object + status: + description: Status defines the current state of GRPCRoute. 
+ properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. 
+ + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. 
+ + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. 
+ + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/httproutefilters.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/httproutefilters.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..75bddd1 --- /dev/null +++ b/_/CustomResourceDefinition/httproutefilters.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,621 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: httproutefilters.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: HTTPRouteFilter + listKind: HTTPRouteFilterList + plural: httproutefilters + shortNames: + - hrf + singular: httproutefilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which + provides extended + + traffic processing options such as path regex rewrite, direct + response and more. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRouteFilter. + properties: + credentialInjection: + description: >- + HTTPCredentialInjectionFilter defines the configuration to + inject credentials into the request. + + This is useful when the backend service requires credentials + in the request, and the original + + request does not contain them. 
The filter can inject + credentials into the request before forwarding + + it to the backend service. + properties: + credential: + description: Credential is the credential to be injected. + properties: + valueRef: + description: >- + ValueRef is a reference to the secret containing the + credentials to be injected. + + This is an Opaque secret. The credential should be + stored in the key + + "credential", and the value should be the credential + to be injected. + + For example, for basic authentication, the value + should be "Basic ". + + for bearer token, the value should be "Bearer + ". + + Note: The secret must be in the same namespace as + the HTTPRouteFilter. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - valueRef + type: object + header: + description: >- + Header is the name of the header where the credentials + are injected. 
+ + If not specified, the credentials are injected into the + Authorization header. + type: string + overwrite: + description: >- + Whether to overwrite the value or not if the injected + headers already exist. + + If not specified, the default value is false. + type: boolean + required: + - credential + type: object + directResponse: + description: >- + HTTPDirectResponseFilter defines the configuration to return + a fixed response. + properties: + body: + description: Body of the direct response. + properties: + inline: + description: Inline contains the value as an inline string. + type: string + type: + allOf: + - enum: + - Inline + - ValueRef + - enum: + - Inline + - ValueRef + default: Inline + description: >- + Type is the type of method to use to read the body + value. + + Valid values are Inline and ValueRef, default is + Inline. + type: string + valueRef: + description: >- + ValueRef contains the contents of the body + + specified as a local object reference. + + Only a reference to ConfigMap is supported. + + + The value of key `response.body` in the ConfigMap + will be used as the response body. + + If the key is not found, the first value in the + ConfigMap will be used. + properties: + group: + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: inline must be set for type Inline + rule: >- + (!has(self.type) || self.type == 'Inline')? + has(self.inline) : true + - message: valueRef must be set for type ValueRef + rule: >- + (has(self.type) && self.type == 'ValueRef')? + has(self.valueRef) : true + - message: only ConfigMap is supported for ValueRef + rule: >- + has(self.valueRef) ? self.valueRef.kind == + 'ConfigMap' : true + contentType: + description: >- + Content Type of the direct response. This will be set in + the Content-Type header. + type: string + header: + description: Header defines the headers of the direct response. + properties: + add: + description: >- + Add adds the given header(s) (name, value) to the + request + + before the action. It appends to any existing values + associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP request + before the action. The + + value of Remove is a list of HTTP header names. Note + that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given header + (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header + names, the first entry with + + an equivalent name MUST be considered for a + match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, "foo" and + "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + x-kubernetes-validations: + - message: header.remove is not supported for DirectResponse + rule: '!has(self.remove) || size(self.remove) == 0' + statusCode: + description: |- + Status Code of the HTTP response + If unset, defaults to 200. + type: integer + type: object + matches: + description: >- + Matches defines additional matching criteria for the + HTTPRoute rule. + + As with HTTPRouteRule.Matches, the rule is matched if any + one match applies. + + When both HTTPRouteRule.Matches and HTTPRouteFilter.Matches + are set, the + + effective matching is the logical AND of the two sets. + items: + description: >- + HTTPRouteMatchFilter defines additional matching criteria + for the HTTPRoute rule. + + At least one matcher must be specified. + minProperties: 1 + properties: + cookies: + description: >- + Cookies is a list of cookie matchers evaluated against + the HTTP request. + + All specified matchers must match. + items: + description: >- + HTTPCookieMatch defines how to match a single + cookie. + properties: + name: + description: Name is the cookie name to evaluate. + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: >- + Type specifies how to match against the value of + the cookie. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the cookie value to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 8 + type: array + urlRewrite: + description: >- + HTTPURLRewriteFilter define rewrites of HTTP URL components + such as path and host + properties: + hostname: + description: >- + Hostname is the value to be used to replace the Host + header value during + + forwarding. + properties: + header: + description: >- + Header is the name of the header whose value would + be used to rewrite the Host header + type: string + type: + description: >- + HTTPPathModifierType defines the type of Hostname + rewrite. + enum: + - Header + - Backend + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: header must be nil if the type is not Header + rule: '!(has(self.header) && self.type != ''Header'')' + - message: header must be specified for Header type + rule: '!(!has(self.header) && self.type == ''Header'')' + path: + description: Path defines a path rewrite. + properties: + replaceRegexMatch: + description: >- + ReplaceRegexMatch defines a path regex rewrite. The + path portions matched by the regex pattern are + replaced by the defined substitution. + + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite + + Some examples: + + (1) replaceRegexMatch: + pattern: ^/service/([^/]+)(/.*)$ + substitution: \2/instance/\1 + Would transform /service/foo/v1/api into /v1/api/instance/foo. + (2) replaceRegexMatch: + pattern: one + substitution: two + Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz. + (3) replaceRegexMatch: + pattern: ^(.*?)one(.*)$ + substitution: \1two\2 + Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz. + (3) replaceRegexMatch: + pattern: (?i)/xxx/ + substitution: /yyy/ + Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). 
+ properties: + pattern: + description: >- + Pattern matches a regular expression against the + value of the HTTP Path.The regex string must + + adhere to the syntax documented in + https://github.com/google/re2/wiki/Syntax. + minLength: 1 + type: string + substitution: + description: >- + Substitution is an expression that replaces the + matched portion.The expression may include + numbered + + capture groups that adhere to syntax documented + in https://github.com/google/re2/wiki/Syntax. + type: string + required: + - pattern + - substitution + type: object + type: + description: >- + HTTPPathModifierType defines the type of path + redirect or rewrite. + enum: + - ReplaceRegexMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If HTTPPathModifier type is ReplaceRegexMatch, + replaceRegexMatch field needs to be set. + rule: >- + self.type == 'ReplaceRegexMatch' ? + has(self.replaceRegexMatch) : + !has(self.replaceRegexMatch) + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/_/CustomResourceDefinition/httproutes.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/httproutes.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..c25a82e --- /dev/null +++ b/_/CustomResourceDefinition/httproutes.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,11661 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + HTTPRoute provides a way to route HTTP requests. This includes the + capability + + to match requests by hostname, path, header, or query param. Filters + can be + + used to specify additional processing steps. Backends specify where + matching + + requests should be routed. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. 
+ properties: + hostnames: + description: >- + Hostnames defines a set of hostnames that should match + against the HTTP Host + + header to select a HTTPRoute used to process the request. + Implementations + + MUST ignore any port value specified in the HTTP Host header + while + + performing a match and (absent of any applicable header + modification + + configuration) MUST forward this header unmodified to the + backend. + + + Valid values for Hostnames are determined by RFC 1123 + definition of a + + hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and + HTTPRoute, there + + must be at least one intersecting hostname for the HTTPRoute + to be + + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches + HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches + HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are + interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, but not + `example.com`. + + + If both the Listener and HTTPRoute have specified hostnames, + any + + HTTPRoute hostnames that do not match the Listener hostname + MUST be + + ignored. 
For example, if a Listener specified + `*.example.com`, and the + + HTTPRoute specified `test.example.com` and + `test.example.net`, + + `test.example.net` must not be considered for a match. + + + If both the Listener and HTTPRoute have specified hostnames, + and none + + match with the criteria above, then the HTTPRoute is not + accepted. The + + implementation must raise an 'Accepted' Condition with a + status of + + `False` in the corresponding RouteParentStatus. + + + In the event that multiple HTTPRoutes specify intersecting + hostnames (e.g. + + overlapping wildcard matching and exact matching hostnames), + precedence must + + be given to rules from the HTTPRoute with the largest number + of: + + + * Characters in a matching non-wildcard hostname. + + * Characters in a matching hostname. + + + If ties exist across multiple Routes, the matching + precedence rules for + + HTTPRouteMatches takes over. + + + Support: Core + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. 
+ * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. 
If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: >- + HTTPRouteRule defines semantics for matching an HTTP + request based on + + conditions (matches), processing it (filters), and + forwarding the request to + + an API object (backendRefs). 
+ properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. + + + Failure behavior here depends on how many BackendRefs + are specified and + + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there + are also no filters + + specified in this route rule, *all* traffic which + matches this rule MUST + + receive a 500 status code. + + + See the HTTPBackendRef definition for the rules about + what makes a single + + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes + MUST be returned for + + requests that would have otherwise been routed to an + invalid backend. If + + multiple backends are specified, and some are invalid, + the proportion of + + requests that would otherwise have been routed to an + invalid backend + + MUST receive a 500 status code. + + + For example, if two backends are specified with equal + weights, and one is + + invalid, 50 percent of traffic must receive a 500. + Implementations may + + choose how that 50 percent is determined. + + + When a HTTPBackendRef refers to a Service that has no + ready endpoints, + + implementations SHOULD return a 503 for requests to + that backend instead. + + If an implementation chooses to do this, all of the + above rules for 500 responses + + MUST also apply for responses that return a 503. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Core + items: + description: >- + HTTPBackendRef defines how a HTTPRoute forwards a + HTTP request. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. 
+ properties: + filters: + description: >- + Filters defined at this level should be executed + if and only if the + + request is being forwarded to the backend + defined here. + + + Support: Implementation-specific (For broader + support of filters, use the + + Filters field in HTTPRouteRule.) + items: + description: >- + HTTPRouteFilter defines processing steps that + must be completed during the + + request or response lifecycle. + HTTPRouteFilters are meant as an extension + + point to express processing that may be done + in Gateway implementations. Some + + examples include request or response + modification, implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the + type of the filter. + properties: + cors: + description: >- + CORS defines a schema for a filter that + responds to the + + cross-origin request based on HTTP + response header. + + + Support: Extended + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether the + actual cross-origin request allows + + to include credentials. + + + When set to true, the gateway will + include the + `Access-Control-Allow-Credentials` + + response header with value true + (case-sensitive). + + + When set to false or omitted the gateway + will omit the header + + `Access-Control-Allow-Credentials` + entirely (this is the standard CORS + + behavior). + + + Support: Extended + type: boolean + allowHeaders: + description: >- + AllowHeaders indicates which HTTP + request headers are supported for + + accessing the requested resource. + + + Header names are not case-sensitive. + + + Multiple header names in the value of + the `Access-Control-Allow-Headers` + + response header are separated by a comma + (","). 
+ + + When the `AllowHeaders` field is + configured with one or more headers, the + + gateway must return the + `Access-Control-Allow-Headers` response + header + + which value is present in the + `AllowHeaders` field. + + + If any header name in the + `Access-Control-Request-Headers` request + header + + is not included in the list of header + names specified by the response + + header `Access-Control-Allow-Headers`, + it will present an error on the + + client side. + + + If any header name in the + `Access-Control-Allow-Headers` response + header + + does not recognize by the client, it + will also occur an error on the + + client side. + + + A wildcard indicates that the requests + with all HTTP headers are allowed. + + If config contains the wildcard "*" in + allowHeaders and the request is + + not credentialed, the + `Access-Control-Allow-Headers` response + header + + can either use the `*` wildcard or the + value of + + Access-Control-Request-Headers from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Headers` response + header. When + + also the `AllowCredentials` field is + true and `AllowHeaders` field + + is specified with the `*` wildcard, the + gateway must specify one or more + + HTTP headers in the value of the + `Access-Control-Allow-Headers` response + + header. The value of the header + `Access-Control-Allow-Headers` is same + as + + the `Access-Control-Request-Headers` + header provided by the client. If + + the header + `Access-Control-Request-Headers` is not + included in the + + request, the gateway will omit the + `Access-Control-Allow-Headers` + + response header, instead of specifying + the `*` wildcard. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. 
This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowHeaders cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: >- + AllowMethods indicates which HTTP + methods are supported for accessing the + + requested resource. + + + Valid values are any method defined by + RFC9110, along with the special + + value `*`, which represents all HTTP + methods are allowed. + + + Method names are case-sensitive, so + these values are also case-sensitive. + + (See + https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + + Multiple method names in the value of + the `Access-Control-Allow-Methods` + + response header are separated by a comma + (","). + + + A CORS-safelisted method is a method + that is `GET`, `HEAD`, or `POST`. + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-method) + The + + CORS-safelisted methods are always + allowed, regardless of whether they + + are specified in the `AllowMethods` + field. + + + When the `AllowMethods` field is + configured with one or more methods, the + + gateway must return the + `Access-Control-Allow-Methods` response + header + + which value is present in the + `AllowMethods` field. + + + If the HTTP method of the + `Access-Control-Request-Method` request + header + + is not included in the list of methods + specified by the response header + + `Access-Control-Allow-Methods`, it will + present an error on the client + + side. + + + If config contains the wildcard "*" in + allowMethods and the request is + + not credentialed, the + `Access-Control-Allow-Methods` response + header + + can either use the `*` wildcard or the + value of + + Access-Control-Request-Method from the + request. 
+ + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Methods` response + header. When + + also the `AllowCredentials` field is + true and `AllowMethods` field + + specified with the `*` wildcard, the + gateway must specify one HTTP method + + in the value of the + Access-Control-Allow-Methods response + header. The + + value of the header + `Access-Control-Allow-Methods` is same + as the + + `Access-Control-Request-Method` header + provided by the client. If the + + header `Access-Control-Request-Method` + is not included in the request, + + the gateway will omit the + `Access-Control-Allow-Methods` response + header, + + instead of specifying the `*` wildcard. + + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowMethods cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: >- + AllowOrigins indicates whether the + response can be shared with requested + + resource from the given `Origin`. + + + The `Origin` consists of a scheme and a + host, with an optional port, and + + takes the form + `://(:)`. + + + Valid values for scheme are: `http` and + `https`. + + + Valid values for port are any integer + between 1 and 65535 (the list of + + available TCP/UDP ports). Note that, if + not included, port `80` is + + assumed for `http` scheme origins, and + port `443` is assumed for `https` + + origins. This may affect origin + matching. + + + The host part of the origin may contain + the wildcard character `*`. These + + wildcard characters behave as follows: + + + * `*` is a greedy match to the _left_, + including any number of + DNS labels to the left of its position. 
This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all + hosts. + + + An origin value that includes _only_ the + `*` character indicates requests + + from all `Origin`s are allowed. + + + When the `AllowOrigins` field is + configured with multiple origins, it + + means the server supports clients from + multiple origins. If the request + + `Origin` matches the configured allowed + origins, the gateway must return + + the given `Origin` and sets value of the + header + + `Access-Control-Allow-Origin` same as + the `Origin` header provided by the + + client. + + + The status code of a successful response + to a "preflight" request is + + always an OK status (i.e., 204 or 200). + + + If the request `Origin` does not match + the configured allowed origins, + + the gateway returns 204/200 response but + doesn't set the relevant + + cross-origin response headers. + Alternatively, the gateway responds with + + 403 status to the "preflight" request is + denied, coupled with omitting + + the CORS headers. The cross-origin + request fails on the client side. + + Therefore, the client doesn't attempt + the actual cross-origin request. + + + Conversely, if the request `Origin` + matches one of the configured + + allowed origins, the gateway sets the + response header + + `Access-Control-Allow-Origin` to the + same value as the `Origin` + + header provided by the client. + + + When config has the wildcard ("*") in + allowOrigins, and the request + + is not credentialed (e.g., it is a + preflight request), the + + `Access-Control-Allow-Origin` response + header either contains the + + wildcard as well or the Origin from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Origin` response + header. 
When + + also the `AllowCredentials` field is + true and `AllowOrigins` field + + specified with the `*` wildcard, the + gateway must return a single origin + + in the value of the + `Access-Control-Allow-Origin` response + header, + + instead of specifying the `*` wildcard. + The value of the header + + `Access-Control-Allow-Origin` is same as + the `Origin` header provided by + + the client. + + + Support: Extended + items: + description: >- + The CORSOrigin MUST NOT be a relative + URI, and it MUST follow the URI syntax + and + + encoding rules specified in RFC3986. + The CORSOrigin MUST include both a + + scheme ("http" or "https") and a + scheme-specific-part, or it should be a + single '*' character. + + URIs that include an authority MUST + include a fully qualified domain name or + + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: >- + (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowOrigins cannot contain '*' + alongside other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: >- + ExposeHeaders indicates which HTTP + response headers can be exposed + + to client-side scripts in response to a + cross-origin request. + + + A CORS-safelisted response header is an + HTTP header in a CORS response + + that it is considered safe to expose to + the client scripts. + + The CORS-safelisted response headers + include the following headers: + + `Cache-Control` + + `Content-Language` + + `Content-Length` + + `Content-Type` + + `Expires` + + `Last-Modified` + + `Pragma` + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + + The CORS-safelisted response headers are + exposed to client by default. 
+ + + When an HTTP header name is specified + using the `ExposeHeaders` field, + + this additional header will be exposed + as part of the response to the + + client. + + + Header names are not case-sensitive. + + + Multiple header names in the value of + the `Access-Control-Expose-Headers` + + response header are separated by a comma + (","). + + + A wildcard indicates that the responses + with all HTTP headers are exposed + + to clients. The + `Access-Control-Expose-Headers` response + header can only + + use `*` wildcard as value when the + request is not credentialed. + + + When the `exposeHeaders` config field + contains the "*" wildcard and + + the request is credentialed, the gateway + cannot use the `*` wildcard in + + the `Access-Control-Expose-Headers` + response header. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: >- + MaxAge indicates the duration (in + seconds) for the client to cache the + + results of a "preflight" request. + + + The information provided by the + `Access-Control-Allow-Methods` and + + `Access-Control-Allow-Headers` response + headers can be cached by the + + client until the time specified by + `Access-Control-Max-Age` elapses. + + + The default value of + `Access-Control-Max-Age` response header + is 5 + + (seconds). + + + When the `MaxAge` field is unspecified, + the gateway sets the response + + header "Access-Control-Max-Age: 5" by + default. 
+ format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef + MUST NOT be used for core and + + extended filters. + + + This filter can be used multiple times + within the same rule. + + + Support: Implementation-specific + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for + a filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. 
Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a + filter that mirrors requests. + + Requests are sent to the specified + destination, but responses from + + that destination are ignored. + + + This filter can be used multiple times + within the same rule. Note that + + not all implementations will be able to + support mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of + how many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference + to an *existing* object + + that is not allowed by a ReferenceGrant, + the controller must ensure the + + "ResolvedRefs" condition on the Route + is set to `status: False`, + + with the "RefNotPermitted" reason and + not configure this backend in the + + underlying implementation. 
+ + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail + about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of + requests that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum + value is 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: >- + !(has(self.percent) && + has(self.fraction)) + requestRedirect: + description: >- + RequestRedirect defines a schema for a + filter that responds to the + + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: >- + Hostname is the hostname to be used in + the value of the `Location` + + header in the response. + + When empty, the hostname in the `Host` + header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify + the path of the incoming request. + + The modified path is then used to + construct the `Location` header. When + + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. 
+ + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value + of the `Location` + + header in the response. + + + If no port is specified, the redirect + port MUST be derived using the + + following rules: + + + * If redirect scheme is not-empty, the + redirect port MUST be the well-known + port associated with the redirect scheme. 
Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the + redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port + number in the 'Location' + + header in the following cases: + + + * A Location header that will use HTTP + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the + value of the `Location` header in + + the response. When empty, the scheme of + the request is used. + + + Scheme redirects can affect the port of + the redirect, for more information, + + refer to the documentation for the port + field of this filter. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be + used in response. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. 
+ + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema + for a filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to + apply. As with other API fields, + + types are classified into three + conformance levels: + + + - Core: Filter types and their + corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. 
+ + - Extended: Filter types and their + corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that + are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define + custom implementation types to + + extend the core API with + implementation-specific behavior. + + + If a reference to a custom filter type + cannot be resolved, the filter + + MUST NOT be skipped. Instead, requests + that would have been processed by + + that filter MUST receive a HTTP error + response. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + type: string + urlRewrite: + description: >- + URLRewrite defines a schema for a filter + that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: >- + Hostname is the value to be used to + replace the Host header value during + + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. 
+ + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? 
+ has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: >- + filter.cors must be specified for CORS + filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: >- + filter.requestHeaderModifier must be nil + if the filter.type is not + RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && + self.type != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be + specified for RequestHeaderModifier + filter.type + rule: >- + !(!has(self.requestHeaderModifier) && + self.type == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil + if the filter.type is not + ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && + self.type != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be + specified for ResponseHeaderModifier + filter.type + rule: >- + !(!has(self.responseHeaderModifier) && + self.type == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type 
== + 'RequestMirror') + - message: >- + filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: >- + !(has(self.requestRedirect) && self.type + != 'RequestRedirect') + - message: >- + filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: >- + !(!has(self.requestRedirect) && self.type + == 'RequestRedirect') + - message: >- + filter.urlRewrite must be nil if the + filter.type is not URLRewrite + rule: >- + !(has(self.urlRewrite) && self.type != + 'URLRewrite') + - message: >- + filter.urlRewrite must be specified for + URLRewrite filter.type + rule: >- + !(!has(self.urlRewrite) && self.type == + 'URLRewrite') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + May specify either + httpRouteFilterRequestRedirect or + httpRouteFilterRequestRewrite, but not both + rule: >- + !(self.exists(f, f.type == + 'RequestRedirect') && self.exists(f, f.type + == 'URLRewrite')) + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 + - message: >- + RequestHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: >- + ResponseHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + - message: RequestRedirect filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestRedirect').size() <= 1 + - message: URLRewrite filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'URLRewrite').size() <= 1 + group: + default: '' + description: >- + Group is 
the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: >- + Filters define the filters that are applied to + requests that match + + this rule. + + + Wherever possible, implementations SHOULD implement + filters in the order + + they are specified. + + + Implementations MAY choose to implement this ordering + strictly, rejecting + + any combination or order of filters that cannot be + supported. If implementations + + choose a strict interpretation of filter ordering, + they MUST clearly document + + that behavior. + + + To reject an invalid combination or order of filters, + implementations SHOULD + + consider the Route Rules with this configuration + invalid. If all Route Rules + + in a Route are invalid, the entire Route would be + considered invalid. 
If only + + a portion of Route Rules are invalid, implementations + MUST set the + + "PartiallyInvalid" condition for the Route. + + + Conformance-levels at this level are defined based on + the type of filter: + + + - ALL core filters MUST be supported by all + implementations. + + - Implementers are encouraged to support extended + filters. + + - Implementation-specific custom filters have no API + guarantees across + implementations. + + Specifying the same filter multiple times is not + supported unless explicitly + + indicated in the filter. + + + All filters are expected to be compatible with each + other except for the + + URLRewrite and RequestRedirect filters, which may not + be combined. If an + + implementation cannot support other combinations of + filters, they must clearly + + document that limitation. In cases where incompatible + or unsupported + + filters are specified and cause the `Accepted` + condition to be set to status + + `False`, implementations may use the + `IncompatibleFilters` reason to specify + + this configuration error. + + + Support: Core + items: + description: >- + HTTPRouteFilter defines processing steps that must + be completed during the + + request or response lifecycle. HTTPRouteFilters are + meant as an extension + + point to express processing that may be done in + Gateway implementations. Some + + examples include request or response modification, + implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the type + of the filter. + properties: + cors: + description: >- + CORS defines a schema for a filter that responds + to the + + cross-origin request based on HTTP response + header. + + + Support: Extended + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether the + actual cross-origin request allows + + to include credentials. 
+ + + When set to true, the gateway will include + the `Access-Control-Allow-Credentials` + + response header with value true + (case-sensitive). + + + When set to false or omitted the gateway + will omit the header + + `Access-Control-Allow-Credentials` entirely + (this is the standard CORS + + behavior). + + + Support: Extended + type: boolean + allowHeaders: + description: >- + AllowHeaders indicates which HTTP request + headers are supported for + + accessing the requested resource. + + + Header names are not case-sensitive. + + + Multiple header names in the value of the + `Access-Control-Allow-Headers` + + response header are separated by a comma + (","). + + + When the `AllowHeaders` field is configured + with one or more headers, the + + gateway must return the + `Access-Control-Allow-Headers` response + header + + which value is present in the `AllowHeaders` + field. + + + If any header name in the + `Access-Control-Request-Headers` request + header + + is not included in the list of header names + specified by the response + + header `Access-Control-Allow-Headers`, it + will present an error on the + + client side. + + + If any header name in the + `Access-Control-Allow-Headers` response + header + + does not recognize by the client, it will + also occur an error on the + + client side. + + + A wildcard indicates that the requests with + all HTTP headers are allowed. + + If config contains the wildcard "*" in + allowHeaders and the request is + + not credentialed, the + `Access-Control-Allow-Headers` response + header + + can either use the `*` wildcard or the value + of + + Access-Control-Request-Headers from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Headers` response + header. 
When + + also the `AllowCredentials` field is true + and `AllowHeaders` field + + is specified with the `*` wildcard, the + gateway must specify one or more + + HTTP headers in the value of the + `Access-Control-Allow-Headers` response + + header. The value of the header + `Access-Control-Allow-Headers` is same as + + the `Access-Control-Request-Headers` header + provided by the client. If + + the header `Access-Control-Request-Headers` + is not included in the + + request, the gateway will omit the + `Access-Control-Allow-Headers` + + response header, instead of specifying the + `*` wildcard. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowHeaders cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: >- + AllowMethods indicates which HTTP methods + are supported for accessing the + + requested resource. + + + Valid values are any method defined by + RFC9110, along with the special + + value `*`, which represents all HTTP methods + are allowed. + + + Method names are case-sensitive, so these + values are also case-sensitive. + + (See + https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + + Multiple method names in the value of the + `Access-Control-Allow-Methods` + + response header are separated by a comma + (","). + + + A CORS-safelisted method is a method that is + `GET`, `HEAD`, or `POST`. 
+ + (See + https://fetch.spec.whatwg.org/#cors-safelisted-method) + The + + CORS-safelisted methods are always allowed, + regardless of whether they + + are specified in the `AllowMethods` field. + + + When the `AllowMethods` field is configured + with one or more methods, the + + gateway must return the + `Access-Control-Allow-Methods` response + header + + which value is present in the `AllowMethods` + field. + + + If the HTTP method of the + `Access-Control-Request-Method` request + header + + is not included in the list of methods + specified by the response header + + `Access-Control-Allow-Methods`, it will + present an error on the client + + side. + + + If config contains the wildcard "*" in + allowMethods and the request is + + not credentialed, the + `Access-Control-Allow-Methods` response + header + + can either use the `*` wildcard or the value + of + + Access-Control-Request-Method from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Methods` response + header. When + + also the `AllowCredentials` field is true + and `AllowMethods` field + + specified with the `*` wildcard, the gateway + must specify one HTTP method + + in the value of the + Access-Control-Allow-Methods response + header. The + + value of the header + `Access-Control-Allow-Methods` is same as + the + + `Access-Control-Request-Method` header + provided by the client. If the + + header `Access-Control-Request-Method` is + not included in the request, + + the gateway will omit the + `Access-Control-Allow-Methods` response + header, + + instead of specifying the `*` wildcard. 
+ + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowMethods cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: >- + AllowOrigins indicates whether the response + can be shared with requested + + resource from the given `Origin`. + + + The `Origin` consists of a scheme and a + host, with an optional port, and + + takes the form `://(:)`. + + + Valid values for scheme are: `http` and + `https`. + + + Valid values for port are any integer + between 1 and 65535 (the list of + + available TCP/UDP ports). Note that, if not + included, port `80` is + + assumed for `http` scheme origins, and port + `443` is assumed for `https` + + origins. This may affect origin matching. + + + The host part of the origin may contain the + wildcard character `*`. These + + wildcard characters behave as follows: + + + * `*` is a greedy match to the _left_, + including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + + An origin value that includes _only_ the `*` + character indicates requests + + from all `Origin`s are allowed. + + + When the `AllowOrigins` field is configured + with multiple origins, it + + means the server supports clients from + multiple origins. If the request + + `Origin` matches the configured allowed + origins, the gateway must return + + the given `Origin` and sets value of the + header + + `Access-Control-Allow-Origin` same as the + `Origin` header provided by the + + client. + + + The status code of a successful response to + a "preflight" request is + + always an OK status (i.e., 204 or 200). 
+ + + If the request `Origin` does not match the + configured allowed origins, + + the gateway returns 204/200 response but + doesn't set the relevant + + cross-origin response headers. + Alternatively, the gateway responds with + + 403 status to the "preflight" request is + denied, coupled with omitting + + the CORS headers. The cross-origin request + fails on the client side. + + Therefore, the client doesn't attempt the + actual cross-origin request. + + + Conversely, if the request `Origin` matches + one of the configured + + allowed origins, the gateway sets the + response header + + `Access-Control-Allow-Origin` to the same + value as the `Origin` + + header provided by the client. + + + When config has the wildcard ("*") in + allowOrigins, and the request + + is not credentialed (e.g., it is a preflight + request), the + + `Access-Control-Allow-Origin` response + header either contains the + + wildcard as well or the Origin from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Origin` response + header. When + + also the `AllowCredentials` field is true + and `AllowOrigins` field + + specified with the `*` wildcard, the gateway + must return a single origin + + in the value of the + `Access-Control-Allow-Origin` response + header, + + instead of specifying the `*` wildcard. The + value of the header + + `Access-Control-Allow-Origin` is same as the + `Origin` header provided by + + the client. + + + Support: Extended + items: + description: >- + The CORSOrigin MUST NOT be a relative URI, + and it MUST follow the URI syntax and + + encoding rules specified in RFC3986. The + CORSOrigin MUST include both a + + scheme ("http" or "https") and a + scheme-specific-part, or it should be a + single '*' character. + + URIs that include an authority MUST + include a fully qualified domain name or + + IP address as the host. 
+ maxLength: 253 + minLength: 1 + pattern: >- + (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowOrigins cannot contain '*' + alongside other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: >- + ExposeHeaders indicates which HTTP response + headers can be exposed + + to client-side scripts in response to a + cross-origin request. + + + A CORS-safelisted response header is an HTTP + header in a CORS response + + that it is considered safe to expose to the + client scripts. + + The CORS-safelisted response headers include + the following headers: + + `Cache-Control` + + `Content-Language` + + `Content-Length` + + `Content-Type` + + `Expires` + + `Last-Modified` + + `Pragma` + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + + The CORS-safelisted response headers are + exposed to client by default. + + + When an HTTP header name is specified using + the `ExposeHeaders` field, + + this additional header will be exposed as + part of the response to the + + client. + + + Header names are not case-sensitive. + + + Multiple header names in the value of the + `Access-Control-Expose-Headers` + + response header are separated by a comma + (","). + + + A wildcard indicates that the responses with + all HTTP headers are exposed + + to clients. The + `Access-Control-Expose-Headers` response + header can only + + use `*` wildcard as value when the request + is not credentialed. + + + When the `exposeHeaders` config field + contains the "*" wildcard and + + the request is credentialed, the gateway + cannot use the `*` wildcard in + + the `Access-Control-Expose-Headers` response + header. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. 
+ + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: >- + MaxAge indicates the duration (in seconds) + for the client to cache the + + results of a "preflight" request. + + + The information provided by the + `Access-Control-Allow-Methods` and + + `Access-Control-Allow-Headers` response + headers can be cached by the + + client until the time specified by + `Access-Control-Max-Age` elapses. + + + The default value of + `Access-Control-Max-Age` response header is + 5 + + (seconds). + + + When the `MaxAge` field is unspecified, the + gateway sets the response + + header "Access-Control-Max-Age: 5" by + default. + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef MUST NOT + be used for core and + + extended filters. + + + This filter can be used multiple times within + the same rule. + + + Support: Implementation-specific + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for a + filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. 
Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a filter that + mirrors requests. + + Requests are sent to the specified destination, + but responses from + + that destination are ignored. + + + This filter can be used multiple times within + the same rule. 
Note that + + not all implementations will be able to support + mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of how + many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference to + an *existing* object + + that is not allowed by a ReferenceGrant, the + controller must ensure the + + "ResolvedRefs" condition on the Route is + set to `status: False`, + + with the "RefNotPermitted" reason and not + configure this backend in the + + underlying implementation. + + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail about + the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. 
They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of requests + that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum value is + 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: >- + RequestRedirect defines a schema for a filter + that responds to the + + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: >- + Hostname is the hostname to be used in the + value of the `Location` + + header in the response. + + When empty, the hostname in the `Host` + header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify the + path of the incoming request. + + The modified path is then used to construct + the `Location` header. When + + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? 
self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value of + the `Location` + + header in the response. + + + If no port is specified, the redirect port + MUST be derived using the + + following rules: + + + * If redirect scheme is not-empty, the + redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect + port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port + number in the 'Location' + + header in the following cases: + + + * A Location header that will use HTTP + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the value + of the `Location` header in + + the response. When empty, the scheme of the + request is used. + + + Scheme redirects can affect the port of the + redirect, for more information, + + refer to the documentation for the port + field of this filter. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. 
+ + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be + used in response. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema for a + filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to apply. As + with other API fields, + + types are classified into three conformance + levels: + + + - Core: Filter types and their corresponding + configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding + configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are + defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom + implementation types to + + extend the core API with implementation-specific + behavior. + + + If a reference to a custom filter type cannot be + resolved, the filter + + MUST NOT be skipped. Instead, requests that + would have been processed by + + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not cause a + crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. 
+ enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + type: string + urlRewrite: + description: >- + URLRewrite defines a schema for a filter that + modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: >- + Hostname is the value to be used to replace + the Host header value during + + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. 
+ + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? 
self.type + == 'ReplacePrefixMatch' : true + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.cors must be nil if the filter.type is + not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: >- + filter.cors must be specified for CORS + filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: >- + filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && self.type + != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: >- + !(!has(self.requestHeaderModifier) && self.type + == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && self.type + != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: >- + !(!has(self.responseHeaderModifier) && self.type + == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type == + 'RequestMirror') + - message: >- + filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: >- + !(has(self.requestRedirect) && self.type != + 'RequestRedirect') + - message: >- + filter.requestRedirect must be specified for + RequestRedirect filter.type + rule: >- + !(!has(self.requestRedirect) && self.type == + 'RequestRedirect') + - message: >- + filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: >- + !(has(self.urlRewrite) && self.type != + 
'URLRewrite') + - message: >- + filter.urlRewrite must be specified for + URLRewrite filter.type + rule: >- + !(!has(self.urlRewrite) && self.type == + 'URLRewrite') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: >- + !(self.exists(f, f.type == 'RequestRedirect') && + self.exists(f, f.type == 'URLRewrite')) + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 + - message: RequestHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + - message: RequestRedirect filter cannot be repeated + rule: >- + self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: >- + Matches define conditions used for matching the rule + against incoming + + HTTP requests. Each match is independent, i.e. this + rule will be matched + + if **any** one of the matches is satisfied. 
+ + + For example, take the following matches configuration: + + + ``` + + matches: + + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + + For a request to match against this rule, a request + must satisfy + + EITHER of the two conditions: + + + - path prefixed with `/foo` AND contains the header + `version: v2` + + - path prefix of `/v2/foo` + + + See the documentation for HTTPRouteMatch on how to + specify multiple + + match conditions that should be ANDed together. + + + If no matches are specified, the default is a prefix + + path match on "/", which has the effect of matching + every + + HTTP request. + + + Proxy or Load Balancer routing configuration generated + from HTTPRoutes + + MUST prioritize matches based on the following + criteria, continuing on + + ties. Across all rules specified on applicable Routes, + precedence must be + + given to the match having: + + + * "Exact" path match. + + * "Prefix" path match with largest number of + characters. + + * Method match. + + * Largest number of header matches. + + * Largest number of query param matches. + + + Note: The precedence of RegularExpression path matches + are implementation-specific. + + + If ties still exist across multiple Routes, matching + precedence MUST be + + determined in order of the following criteria, + continuing on ties: + + + * The oldest Route based on creation timestamp. + + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching + precedence MUST be granted + + to the FIRST matching rule (in list order) with a + match meeting the above + + criteria. + + + When no rules matching a request have been + successfully attached to the + + parent a request is coming from, a HTTP 404 status + code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given\naction. 
Multiple match types are ANDed together, i.e. the match will\nevaluate to true only if all conditions are satisfied.\n\nFor example, the match below will match a HTTP request only if its path\nstarts with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t value \"v1\"\n\n```" + properties: + headers: + description: >- + Headers specifies HTTP request header matchers. + Multiple match values are + + ANDed together, meaning, a request must match + all the specified headers + + to select the route. + items: + description: >- + HTTPHeaderMatch describes how to select a HTTP + route by matching HTTP request + + headers. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent header name + MUST be ignored. Due to the + + case-insensitivity of header names, "foo" + and "Foo" are considered + + equivalent. + + + When a header is repeated in an HTTP + request, it is + + implementation-specific behavior as to how + this is represented. + + Generally, proxies should follow the + guidance from the RFC: + + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding + + processing a repeated header, with special + handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. 
+ + + Support: Core (Exact) + + + Support: Implementation-specific + (RegularExpression) + + + Since RegularExpression HeaderMatchType + has implementation-specific + + conformance, implementations can support + POSIX, PCRE or any other dialects + + of regular expressions. Please read the + implementation's documentation to + + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: >- + Method specifies HTTP method matcher. + + When specified, this route will be matched only + if the request has the + + specified method. + + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: >- + Path specifies a HTTP request path matcher. If + this field is not + + specified, a default prefix match on the "/" + path is provided. + properties: + type: + default: PathPrefix + description: >- + Type specifies how to match against the path + Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific + (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: >- + value must be an absolute path and start + with '/' when type one of ['Exact', + 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + self.value.startsWith('/') : true + - message: >- + must not contain '//' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? 
+ !self.value.contains('//') : true + - message: >- + must not contain '/./' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('/./') : true + - message: >- + must not contain '/../' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('/../') : true + - message: >- + must not contain '%2f' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('%2f') : true + - message: >- + must not contain '%2F' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('%2F') : true + - message: >- + must not contain '#' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('#') : true + - message: >- + must not end with '/..' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.endsWith('/..') : true + - message: >- + must not end with '/.' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.endsWith('/.') : true + - message: >- + type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: >- + self.type in ['Exact','PathPrefix'] || + self.type == 'RegularExpression' + - message: >- + must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true + queryParams: + description: >- + QueryParams specifies HTTP query parameter + matchers. Multiple match + + values are ANDed together, meaning, a request + must match all the + + specified query parameters to select the route. 
+ + + Support: Extended + items: + description: >- + HTTPQueryParamMatch describes how to select a + HTTP route by matching HTTP + + query parameters. + properties: + name: + description: >- + Name is the name of the HTTP query param + to be matched. This must be an + + exact string match. (See + + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent + query param names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent query param + name MUST be ignored. + + + If a query param is repeated in an HTTP + request, the behavior is + + purposely left undefined, since different + data planes have different + + capabilities. However, it is *recommended* + that implementations should + + match against the first value of the param + if the data plane supports it, + + as this behavior is expected in other load + balancing contexts outside of + + the Gateway API. + + + Users SHOULD NOT route traffic based on + repeated query params to guard + + themselves against potential differences + in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific + (RegularExpression) + + + Since RegularExpression + QueryParamMatchType has + Implementation-specific + + conformance, implementations can support + POSIX, PCRE or any other + + dialects of regular expressions. Please + read the implementation's + + documentation to determine the supported + dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of HTTP query param to + be matched. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + timeouts: + description: >- + Timeouts defines the timeouts that can be configured + for an HTTP request. + + + Support: Extended + properties: + backendRequest: + description: >- + BackendRequest specifies a timeout for an + individual request from the gateway + + to a backend. This covers the time from when the + request first starts being + + sent from the gateway to when the full response + has been received from the backend. + + + Setting a timeout to the zero duration (e.g. "0s") + SHOULD disable the timeout + + completely. Implementations that cannot completely + disable the timeout MUST + + instead interpret the zero duration as the longest + possible value to which + + the timeout can be set. + + + An entire client HTTP transaction with a gateway, + covered by the Request timeout, + + may result in more than one call from the gateway + to the destination backend, + + for example, if automatic retries are supported. + + + The value of BackendRequest must be a Gateway API + Duration string as defined by + + GEP-2257. When this field is unspecified, its + behavior is implementation-specific; + + when specified, the value of BackendRequest must + be no more than the value of the + + Request timeout (since the Request timeout + encompasses the BackendRequest timeout). 
+ + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: >- + Request specifies the maximum duration for a + gateway to respond to an HTTP request. + + If the gateway has not been able to respond before + this deadline is met, the gateway + + MUST return a timeout error. + + + For example, setting the `rules.timeouts.request` + field to the value `10s` in an + + `HTTPRoute` will cause a timeout if a client + request is taking longer than 10 seconds + + to complete. + + + Setting a timeout to the zero duration (e.g. "0s") + SHOULD disable the timeout + + completely. Implementations that cannot completely + disable the timeout MUST + + instead interpret the zero duration as the longest + possible value to which + + the timeout can be set. + + + This timeout is intended to cover as close to the + whole request-response transaction + + as possible although an implementation MAY choose + to start the timeout after the entire + + request stream has been received instead of + immediately after the transaction is + + initiated by the client. + + + The value of Request is a Gateway API Duration + string as defined by GEP-2257. When this + + field is unspecified, request timeout behavior is + implementation-specific. + + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: >- + backendRequest timeout cannot be longer than + request timeout + rule: >- + !(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration('0s') && + duration(self.backendRequest) > + duration(self.request)) + type: object + x-kubernetes-validations: + - message: >- + RequestRedirect filter must not be used together with + backendRefs + rule: >- + (has(self.backendRefs) && size(self.backendRefs) > 0) + ? 
(!has(self.filters) || self.filters.all(f, + !has(f.requestRedirect))): true + - message: >- + When using RequestRedirect filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.filters) && self.filters.exists_one(f, + has(f.requestRedirect) && has(f.requestRedirect.path) + && f.requestRedirect.path.type == 'ReplacePrefixMatch' + && has(f.requestRedirect.path.replacePrefixMatch))) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + - message: >- + When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.filters) && self.filters.exists_one(f, + has(f.urlRewrite) && has(f.urlRewrite.path) && + f.urlRewrite.path.type == 'ReplacePrefixMatch' && + has(f.urlRewrite.path.replacePrefixMatch))) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + - message: >- + Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix + match must be specified + rule: >- + (has(self.backendRefs) && + self.backendRefs.exists_one(b, (has(b.filters) && + b.filters.exists_one(f, has(f.requestRedirect) && + has(f.requestRedirect.path) && + f.requestRedirect.path.type == 'ReplacePrefixMatch' && + has(f.requestRedirect.path.replacePrefixMatch))) )) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? 
false : + true) : true + - message: >- + Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.backendRefs) && + self.backendRefs.exists_one(b, (has(b.filters) && + b.filters.exists_one(f, has(f.urlRewrite) && + has(f.urlRewrite.path) && f.urlRewrite.path.type == + 'ReplacePrefixMatch' && + has(f.urlRewrite.path.replacePrefixMatch))) )) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must + be less than 128 + rule: >- + (self.size() > 0 ? self[0].matches.size() : 0) + + (self.size() > 1 ? self[1].matches.size() : 0) + + (self.size() > 2 ? self[2].matches.size() : 0) + + (self.size() > 3 ? self[3].matches.size() : 0) + + (self.size() > 4 ? self[4].matches.size() : 0) + + (self.size() > 5 ? self[5].matches.size() : 0) + + (self.size() > 6 ? self[6].matches.size() : 0) + + (self.size() > 7 ? self[7].matches.size() : 0) + + (self.size() > 8 ? self[8].matches.size() : 0) + + (self.size() > 9 ? self[9].matches.size() : 0) + + (self.size() > 10 ? self[10].matches.size() : 0) + + (self.size() > 11 ? self[11].matches.size() : 0) + + (self.size() > 12 ? self[12].matches.size() : 0) + + (self.size() > 13 ? self[13].matches.size() : 0) + + (self.size() > 14 ? self[14].matches.size() : 0) + + (self.size() > 15 ? self[15].matches.size() : 0) <= 128 + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. 
When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. 
+ properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. 
+ + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. 
+ + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: >- + HTTPRoute provides a way to route HTTP requests. This includes the + capability + + to match requests by hostname, path, header, or query param. Filters + can be + + used to specify additional processing steps. Backends specify where + matching + + requests should be routed. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: >- + Hostnames defines a set of hostnames that should match + against the HTTP Host + + header to select a HTTPRoute used to process the request. 
+ Implementations + + MUST ignore any port value specified in the HTTP Host header + while + + performing a match and (absent of any applicable header + modification + + configuration) MUST forward this header unmodified to the + backend. + + + Valid values for Hostnames are determined by RFC 1123 + definition of a + + hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and + HTTPRoute, there + + must be at least one intersecting hostname for the HTTPRoute + to be + + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches + HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches + HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are + interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, but not + `example.com`. + + + If both the Listener and HTTPRoute have specified hostnames, + any + + HTTPRoute hostnames that do not match the Listener hostname + MUST be + + ignored. For example, if a Listener specified + `*.example.com`, and the + + HTTPRoute specified `test.example.com` and + `test.example.net`, + + `test.example.net` must not be considered for a match. 
+ + + If both the Listener and HTTPRoute have specified hostnames, + and none + + match with the criteria above, then the HTTPRoute is not + accepted. The + + implementation must raise an 'Accepted' Condition with a + status of + + `False` in the corresponding RouteParentStatus. + + + In the event that multiple HTTPRoutes specify intersecting + hostnames (e.g. + + overlapping wildcard matching and exact matching hostnames), + precedence must + + be given to rules from the HTTPRoute with the largest number + of: + + + * Characters in a matching non-wildcard hostname. + + * Characters in a matching hostname. + + + If ties exist across multiple Routes, the matching + precedence rules for + + HTTPRouteMatches takes over. + + + Support: Core + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. 
For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. 
For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. 
If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: >- + HTTPRouteRule defines semantics for matching an HTTP + request based on + + conditions (matches), processing it (filters), and + forwarding the request to + + an API object (backendRefs). + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. 
+ + + Failure behavior here depends on how many BackendRefs + are specified and + + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there + are also no filters + + specified in this route rule, *all* traffic which + matches this rule MUST + + receive a 500 status code. + + + See the HTTPBackendRef definition for the rules about + what makes a single + + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes + MUST be returned for + + requests that would have otherwise been routed to an + invalid backend. If + + multiple backends are specified, and some are invalid, + the proportion of + + requests that would otherwise have been routed to an + invalid backend + + MUST receive a 500 status code. + + + For example, if two backends are specified with equal + weights, and one is + + invalid, 50 percent of traffic must receive a 500. + Implementations may + + choose how that 50 percent is determined. + + + When a HTTPBackendRef refers to a Service that has no + ready endpoints, + + implementations SHOULD return a 503 for requests to + that backend instead. + + If an implementation chooses to do this, all of the + above rules for 500 responses + + MUST also apply for responses that return a 503. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Core + items: + description: >- + HTTPBackendRef defines how a HTTPRoute forwards a + HTTP request. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + properties: + filters: + description: >- + Filters defined at this level should be executed + if and only if the + + request is being forwarded to the backend + defined here. 
+ + + Support: Implementation-specific (For broader + support of filters, use the + + Filters field in HTTPRouteRule.) + items: + description: >- + HTTPRouteFilter defines processing steps that + must be completed during the + + request or response lifecycle. + HTTPRouteFilters are meant as an extension + + point to express processing that may be done + in Gateway implementations. Some + + examples include request or response + modification, implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the + type of the filter. + properties: + cors: + description: >- + CORS defines a schema for a filter that + responds to the + + cross-origin request based on HTTP + response header. + + + Support: Extended + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether the + actual cross-origin request allows + + to include credentials. + + + When set to true, the gateway will + include the + `Access-Control-Allow-Credentials` + + response header with value true + (case-sensitive). + + + When set to false or omitted the gateway + will omit the header + + `Access-Control-Allow-Credentials` + entirely (this is the standard CORS + + behavior). + + + Support: Extended + type: boolean + allowHeaders: + description: >- + AllowHeaders indicates which HTTP + request headers are supported for + + accessing the requested resource. + + + Header names are not case-sensitive. + + + Multiple header names in the value of + the `Access-Control-Allow-Headers` + + response header are separated by a comma + (","). + + + When the `AllowHeaders` field is + configured with one or more headers, the + + gateway must return the + `Access-Control-Allow-Headers` response + header + + which value is present in the + `AllowHeaders` field. 
+ + + If any header name in the + `Access-Control-Request-Headers` request + header + + is not included in the list of header + names specified by the response + + header `Access-Control-Allow-Headers`, + it will present an error on the + + client side. + + + If any header name in the + `Access-Control-Allow-Headers` response + header + + does not recognize by the client, it + will also occur an error on the + + client side. + + + A wildcard indicates that the requests + with all HTTP headers are allowed. + + If config contains the wildcard "*" in + allowHeaders and the request is + + not credentialed, the + `Access-Control-Allow-Headers` response + header + + can either use the `*` wildcard or the + value of + + Access-Control-Request-Headers from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Headers` response + header. When + + also the `AllowCredentials` field is + true and `AllowHeaders` field + + is specified with the `*` wildcard, the + gateway must specify one or more + + HTTP headers in the value of the + `Access-Control-Allow-Headers` response + + header. The value of the header + `Access-Control-Allow-Headers` is same + as + + the `Access-Control-Request-Headers` + header provided by the client. If + + the header + `Access-Control-Request-Headers` is not + included in the + + request, the gateway will omit the + `Access-Control-Allow-Headers` + + response header, instead of specifying + the `*` wildcard. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. 
+ - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowHeaders cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: >- + AllowMethods indicates which HTTP + methods are supported for accessing the + + requested resource. + + + Valid values are any method defined by + RFC9110, along with the special + + value `*`, which represents all HTTP + methods are allowed. + + + Method names are case-sensitive, so + these values are also case-sensitive. + + (See + https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + + Multiple method names in the value of + the `Access-Control-Allow-Methods` + + response header are separated by a comma + (","). + + + A CORS-safelisted method is a method + that is `GET`, `HEAD`, or `POST`. + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-method) + The + + CORS-safelisted methods are always + allowed, regardless of whether they + + are specified in the `AllowMethods` + field. + + + When the `AllowMethods` field is + configured with one or more methods, the + + gateway must return the + `Access-Control-Allow-Methods` response + header + + which value is present in the + `AllowMethods` field. + + + If the HTTP method of the + `Access-Control-Request-Method` request + header + + is not included in the list of methods + specified by the response header + + `Access-Control-Allow-Methods`, it will + present an error on the client + + side. + + + If config contains the wildcard "*" in + allowMethods and the request is + + not credentialed, the + `Access-Control-Allow-Methods` response + header + + can either use the `*` wildcard or the + value of + + Access-Control-Request-Method from the + request. 
+ + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Methods` response + header. When + + also the `AllowCredentials` field is + true and `AllowMethods` field + + specified with the `*` wildcard, the + gateway must specify one HTTP method + + in the value of the + Access-Control-Allow-Methods response + header. The + + value of the header + `Access-Control-Allow-Methods` is same + as the + + `Access-Control-Request-Method` header + provided by the client. If the + + header `Access-Control-Request-Method` + is not included in the request, + + the gateway will omit the + `Access-Control-Allow-Methods` response + header, + + instead of specifying the `*` wildcard. + + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowMethods cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: >- + AllowOrigins indicates whether the + response can be shared with requested + + resource from the given `Origin`. + + + The `Origin` consists of a scheme and a + host, with an optional port, and + + takes the form + `://(:)`. + + + Valid values for scheme are: `http` and + `https`. + + + Valid values for port are any integer + between 1 and 65535 (the list of + + available TCP/UDP ports). Note that, if + not included, port `80` is + + assumed for `http` scheme origins, and + port `443` is assumed for `https` + + origins. This may affect origin + matching. + + + The host part of the origin may contain + the wildcard character `*`. These + + wildcard characters behave as follows: + + + * `*` is a greedy match to the _left_, + including any number of + DNS labels to the left of its position. 
This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all + hosts. + + + An origin value that includes _only_ the + `*` character indicates requests + + from all `Origin`s are allowed. + + + When the `AllowOrigins` field is + configured with multiple origins, it + + means the server supports clients from + multiple origins. If the request + + `Origin` matches the configured allowed + origins, the gateway must return + + the given `Origin` and sets value of the + header + + `Access-Control-Allow-Origin` same as + the `Origin` header provided by the + + client. + + + The status code of a successful response + to a "preflight" request is + + always an OK status (i.e., 204 or 200). + + + If the request `Origin` does not match + the configured allowed origins, + + the gateway returns 204/200 response but + doesn't set the relevant + + cross-origin response headers. + Alternatively, the gateway responds with + + 403 status to the "preflight" request is + denied, coupled with omitting + + the CORS headers. The cross-origin + request fails on the client side. + + Therefore, the client doesn't attempt + the actual cross-origin request. + + + Conversely, if the request `Origin` + matches one of the configured + + allowed origins, the gateway sets the + response header + + `Access-Control-Allow-Origin` to the + same value as the `Origin` + + header provided by the client. + + + When config has the wildcard ("*") in + allowOrigins, and the request + + is not credentialed (e.g., it is a + preflight request), the + + `Access-Control-Allow-Origin` response + header either contains the + + wildcard as well or the Origin from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Origin` response + header. 
When + + also the `AllowCredentials` field is + true and `AllowOrigins` field + + specified with the `*` wildcard, the + gateway must return a single origin + + in the value of the + `Access-Control-Allow-Origin` response + header, + + instead of specifying the `*` wildcard. + The value of the header + + `Access-Control-Allow-Origin` is same as + the `Origin` header provided by + + the client. + + + Support: Extended + items: + description: >- + The CORSOrigin MUST NOT be a relative + URI, and it MUST follow the URI syntax + and + + encoding rules specified in RFC3986. + The CORSOrigin MUST include both a + + scheme ("http" or "https") and a + scheme-specific-part, or it should be a + single '*' character. + + URIs that include an authority MUST + include a fully qualified domain name or + + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: >- + (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowOrigins cannot contain '*' + alongside other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: >- + ExposeHeaders indicates which HTTP + response headers can be exposed + + to client-side scripts in response to a + cross-origin request. + + + A CORS-safelisted response header is an + HTTP header in a CORS response + + that it is considered safe to expose to + the client scripts. + + The CORS-safelisted response headers + include the following headers: + + `Cache-Control` + + `Content-Language` + + `Content-Length` + + `Content-Type` + + `Expires` + + `Last-Modified` + + `Pragma` + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + + The CORS-safelisted response headers are + exposed to client by default. 
+ + + When an HTTP header name is specified + using the `ExposeHeaders` field, + + this additional header will be exposed + as part of the response to the + + client. + + + Header names are not case-sensitive. + + + Multiple header names in the value of + the `Access-Control-Expose-Headers` + + response header are separated by a comma + (","). + + + A wildcard indicates that the responses + with all HTTP headers are exposed + + to clients. The + `Access-Control-Expose-Headers` response + header can only + + use `*` wildcard as value when the + request is not credentialed. + + + When the `exposeHeaders` config field + contains the "*" wildcard and + + the request is credentialed, the gateway + cannot use the `*` wildcard in + + the `Access-Control-Expose-Headers` + response header. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: >- + MaxAge indicates the duration (in + seconds) for the client to cache the + + results of a "preflight" request. + + + The information provided by the + `Access-Control-Allow-Methods` and + + `Access-Control-Allow-Headers` response + headers can be cached by the + + client until the time specified by + `Access-Control-Max-Age` elapses. + + + The default value of + `Access-Control-Max-Age` response header + is 5 + + (seconds). + + + When the `MaxAge` field is unspecified, + the gateway sets the response + + header "Access-Control-Max-Age: 5" by + default. 
+ format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef + MUST NOT be used for core and + + extended filters. + + + This filter can be used multiple times + within the same rule. + + + Support: Implementation-specific + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for + a filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. 
Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a + filter that mirrors requests. + + Requests are sent to the specified + destination, but responses from + + that destination are ignored. + + + This filter can be used multiple times + within the same rule. Note that + + not all implementations will be able to + support mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of + how many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference + to an *existing* object + + that is not allowed by a ReferenceGrant, + the controller must ensure the + + "ResolvedRefs" condition on the Route + is set to `status: False`, + + with the "RefNotPermitted" reason and + not configure this backend in the + + underlying implementation. 
+ + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail + about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of + requests that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum + value is 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: >- + !(has(self.percent) && + has(self.fraction)) + requestRedirect: + description: >- + RequestRedirect defines a schema for a + filter that responds to the + + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: >- + Hostname is the hostname to be used in + the value of the `Location` + + header in the response. + + When empty, the hostname in the `Host` + header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify + the path of the incoming request. + + The modified path is then used to + construct the `Location` header. When + + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. 
+ + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value + of the `Location` + + header in the response. + + + If no port is specified, the redirect + port MUST be derived using the + + following rules: + + + * If redirect scheme is not-empty, the + redirect port MUST be the well-known + port associated with the redirect scheme. 
Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the + redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port + number in the 'Location' + + header in the following cases: + + + * A Location header that will use HTTP + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the + value of the `Location` header in + + the response. When empty, the scheme of + the request is used. + + + Scheme redirects can affect the port of + the redirect, for more information, + + refer to the documentation for the port + field of this filter. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be + used in response. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. 
+ + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema + for a filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, + value) to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the + given header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to + apply. As with other API fields, + + types are classified into three + conformance levels: + + + - Core: Filter types and their + corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. 
+ + - Extended: Filter types and their + corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that + are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define + custom implementation types to + + extend the core API with + implementation-specific behavior. + + + If a reference to a custom filter type + cannot be resolved, the filter + + MUST NOT be skipped. Instead, requests + that would have been processed by + + that filter MUST receive a HTTP error + response. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + type: string + urlRewrite: + description: >- + URLRewrite defines a schema for a filter + that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: >- + Hostname is the value to be used to + replace the Host header value during + + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. 
+ + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? 
+ has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: >- + filter.cors must be specified for CORS + filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: >- + filter.requestHeaderModifier must be nil + if the filter.type is not + RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && + self.type != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be + specified for RequestHeaderModifier + filter.type + rule: >- + !(!has(self.requestHeaderModifier) && + self.type == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil + if the filter.type is not + ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && + self.type != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be + specified for ResponseHeaderModifier + filter.type + rule: >- + !(!has(self.responseHeaderModifier) && + self.type == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type 
== + 'RequestMirror') + - message: >- + filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: >- + !(has(self.requestRedirect) && self.type + != 'RequestRedirect') + - message: >- + filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: >- + !(!has(self.requestRedirect) && self.type + == 'RequestRedirect') + - message: >- + filter.urlRewrite must be nil if the + filter.type is not URLRewrite + rule: >- + !(has(self.urlRewrite) && self.type != + 'URLRewrite') + - message: >- + filter.urlRewrite must be specified for + URLRewrite filter.type + rule: >- + !(!has(self.urlRewrite) && self.type == + 'URLRewrite') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + May specify either + httpRouteFilterRequestRedirect or + httpRouteFilterRequestRewrite, but not both + rule: >- + !(self.exists(f, f.type == + 'RequestRedirect') && self.exists(f, f.type + == 'URLRewrite')) + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 + - message: >- + RequestHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: >- + ResponseHeaderModifier filter cannot be + repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + - message: RequestRedirect filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestRedirect').size() <= 1 + - message: URLRewrite filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'URLRewrite').size() <= 1 + group: + default: '' + description: >- + Group is 
the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: >- + Filters define the filters that are applied to + requests that match + + this rule. + + + Wherever possible, implementations SHOULD implement + filters in the order + + they are specified. + + + Implementations MAY choose to implement this ordering + strictly, rejecting + + any combination or order of filters that cannot be + supported. If implementations + + choose a strict interpretation of filter ordering, + they MUST clearly document + + that behavior. + + + To reject an invalid combination or order of filters, + implementations SHOULD + + consider the Route Rules with this configuration + invalid. If all Route Rules + + in a Route are invalid, the entire Route would be + considered invalid. 
If only + + a portion of Route Rules are invalid, implementations + MUST set the + + "PartiallyInvalid" condition for the Route. + + + Conformance-levels at this level are defined based on + the type of filter: + + + - ALL core filters MUST be supported by all + implementations. + + - Implementers are encouraged to support extended + filters. + + - Implementation-specific custom filters have no API + guarantees across + implementations. + + Specifying the same filter multiple times is not + supported unless explicitly + + indicated in the filter. + + + All filters are expected to be compatible with each + other except for the + + URLRewrite and RequestRedirect filters, which may not + be combined. If an + + implementation cannot support other combinations of + filters, they must clearly + + document that limitation. In cases where incompatible + or unsupported + + filters are specified and cause the `Accepted` + condition to be set to status + + `False`, implementations may use the + `IncompatibleFilters` reason to specify + + this configuration error. + + + Support: Core + items: + description: >- + HTTPRouteFilter defines processing steps that must + be completed during the + + request or response lifecycle. HTTPRouteFilters are + meant as an extension + + point to express processing that may be done in + Gateway implementations. Some + + examples include request or response modification, + implementing + + authentication strategies, rate-limiting, and + traffic shaping. API + + guarantee/conformance is defined based on the type + of the filter. + properties: + cors: + description: >- + CORS defines a schema for a filter that responds + to the + + cross-origin request based on HTTP response + header. + + + Support: Extended + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether the + actual cross-origin request allows + + to include credentials. 
+ + + When set to true, the gateway will include + the `Access-Control-Allow-Credentials` + + response header with value true + (case-sensitive). + + + When set to false or omitted the gateway + will omit the header + + `Access-Control-Allow-Credentials` entirely + (this is the standard CORS + + behavior). + + + Support: Extended + type: boolean + allowHeaders: + description: >- + AllowHeaders indicates which HTTP request + headers are supported for + + accessing the requested resource. + + + Header names are not case-sensitive. + + + Multiple header names in the value of the + `Access-Control-Allow-Headers` + + response header are separated by a comma + (","). + + + When the `AllowHeaders` field is configured + with one or more headers, the + + gateway must return the + `Access-Control-Allow-Headers` response + header + + which value is present in the `AllowHeaders` + field. + + + If any header name in the + `Access-Control-Request-Headers` request + header + + is not included in the list of header names + specified by the response + + header `Access-Control-Allow-Headers`, it + will present an error on the + + client side. + + + If any header name in the + `Access-Control-Allow-Headers` response + header + + does not recognize by the client, it will + also occur an error on the + + client side. + + + A wildcard indicates that the requests with + all HTTP headers are allowed. + + If config contains the wildcard "*" in + allowHeaders and the request is + + not credentialed, the + `Access-Control-Allow-Headers` response + header + + can either use the `*` wildcard or the value + of + + Access-Control-Request-Headers from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Headers` response + header. 
When + + also the `AllowCredentials` field is true + and `AllowHeaders` field + + is specified with the `*` wildcard, the + gateway must specify one or more + + HTTP headers in the value of the + `Access-Control-Allow-Headers` response + + header. The value of the header + `Access-Control-Allow-Headers` is same as + + the `Access-Control-Request-Headers` header + provided by the client. If + + the header `Access-Control-Request-Headers` + is not included in the + + request, the gateway will omit the + `Access-Control-Allow-Headers` + + response header, instead of specifying the + `*` wildcard. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. + + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowHeaders cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: >- + AllowMethods indicates which HTTP methods + are supported for accessing the + + requested resource. + + + Valid values are any method defined by + RFC9110, along with the special + + value `*`, which represents all HTTP methods + are allowed. + + + Method names are case-sensitive, so these + values are also case-sensitive. + + (See + https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + + Multiple method names in the value of the + `Access-Control-Allow-Methods` + + response header are separated by a comma + (","). + + + A CORS-safelisted method is a method that is + `GET`, `HEAD`, or `POST`. 
+ + (See + https://fetch.spec.whatwg.org/#cors-safelisted-method) + The + + CORS-safelisted methods are always allowed, + regardless of whether they + + are specified in the `AllowMethods` field. + + + When the `AllowMethods` field is configured + with one or more methods, the + + gateway must return the + `Access-Control-Allow-Methods` response + header + + which value is present in the `AllowMethods` + field. + + + If the HTTP method of the + `Access-Control-Request-Method` request + header + + is not included in the list of methods + specified by the response header + + `Access-Control-Allow-Methods`, it will + present an error on the client + + side. + + + If config contains the wildcard "*" in + allowMethods and the request is + + not credentialed, the + `Access-Control-Allow-Methods` response + header + + can either use the `*` wildcard or the value + of + + Access-Control-Request-Method from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Methods` response + header. When + + also the `AllowCredentials` field is true + and `AllowMethods` field + + specified with the `*` wildcard, the gateway + must specify one HTTP method + + in the value of the + Access-Control-Allow-Methods response + header. The + + value of the header + `Access-Control-Allow-Methods` is same as + the + + `Access-Control-Request-Method` header + provided by the client. If the + + header `Access-Control-Request-Method` is + not included in the request, + + the gateway will omit the + `Access-Control-Allow-Methods` response + header, + + instead of specifying the `*` wildcard. 
+ + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowMethods cannot contain '*' + alongside other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: >- + AllowOrigins indicates whether the response + can be shared with requested + + resource from the given `Origin`. + + + The `Origin` consists of a scheme and a + host, with an optional port, and + + takes the form `://(:)`. + + + Valid values for scheme are: `http` and + `https`. + + + Valid values for port are any integer + between 1 and 65535 (the list of + + available TCP/UDP ports). Note that, if not + included, port `80` is + + assumed for `http` scheme origins, and port + `443` is assumed for `https` + + origins. This may affect origin matching. + + + The host part of the origin may contain the + wildcard character `*`. These + + wildcard characters behave as follows: + + + * `*` is a greedy match to the _left_, + including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + + An origin value that includes _only_ the `*` + character indicates requests + + from all `Origin`s are allowed. + + + When the `AllowOrigins` field is configured + with multiple origins, it + + means the server supports clients from + multiple origins. If the request + + `Origin` matches the configured allowed + origins, the gateway must return + + the given `Origin` and sets value of the + header + + `Access-Control-Allow-Origin` same as the + `Origin` header provided by the + + client. + + + The status code of a successful response to + a "preflight" request is + + always an OK status (i.e., 204 or 200). 
+ + + If the request `Origin` does not match the + configured allowed origins, + + the gateway returns 204/200 response but + doesn't set the relevant + + cross-origin response headers. + Alternatively, the gateway responds with + + 403 status to the "preflight" request is + denied, coupled with omitting + + the CORS headers. The cross-origin request + fails on the client side. + + Therefore, the client doesn't attempt the + actual cross-origin request. + + + Conversely, if the request `Origin` matches + one of the configured + + allowed origins, the gateway sets the + response header + + `Access-Control-Allow-Origin` to the same + value as the `Origin` + + header provided by the client. + + + When config has the wildcard ("*") in + allowOrigins, and the request + + is not credentialed (e.g., it is a preflight + request), the + + `Access-Control-Allow-Origin` response + header either contains the + + wildcard as well or the Origin from the + request. + + + When the request is credentialed, the + gateway must not specify the `*` + + wildcard in the + `Access-Control-Allow-Origin` response + header. When + + also the `AllowCredentials` field is true + and `AllowOrigins` field + + specified with the `*` wildcard, the gateway + must return a single origin + + in the value of the + `Access-Control-Allow-Origin` response + header, + + instead of specifying the `*` wildcard. The + value of the header + + `Access-Control-Allow-Origin` is same as the + `Origin` header provided by + + the client. + + + Support: Extended + items: + description: >- + The CORSOrigin MUST NOT be a relative URI, + and it MUST follow the URI syntax and + + encoding rules specified in RFC3986. The + CORSOrigin MUST include both a + + scheme ("http" or "https") and a + scheme-specific-part, or it should be a + single '*' character. + + URIs that include an authority MUST + include a fully qualified domain name or + + IP address as the host. 
+ maxLength: 253 + minLength: 1 + pattern: >- + (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: >- + AllowOrigins cannot contain '*' + alongside other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: >- + ExposeHeaders indicates which HTTP response + headers can be exposed + + to client-side scripts in response to a + cross-origin request. + + + A CORS-safelisted response header is an HTTP + header in a CORS response + + that it is considered safe to expose to the + client scripts. + + The CORS-safelisted response headers include + the following headers: + + `Cache-Control` + + `Content-Language` + + `Content-Length` + + `Content-Type` + + `Expires` + + `Last-Modified` + + `Pragma` + + (See + https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + + The CORS-safelisted response headers are + exposed to client by default. + + + When an HTTP header name is specified using + the `ExposeHeaders` field, + + this additional header will be exposed as + part of the response to the + + client. + + + Header names are not case-sensitive. + + + Multiple header names in the value of the + `Access-Control-Expose-Headers` + + response header are separated by a comma + (","). + + + A wildcard indicates that the responses with + all HTTP headers are exposed + + to clients. The + `Access-Control-Expose-Headers` response + header can only + + use `*` wildcard as value when the request + is not credentialed. + + + When the `exposeHeaders` config field + contains the "*" wildcard and + + the request is credentialed, the gateway + cannot use the `*` wildcard in + + the `Access-Control-Expose-Headers` response + header. + + + Support: Extended + items: + description: >- + HTTPHeaderName is the name of an HTTP + header. 
+ + + Valid values include: + + + * "Authorization" + + * "Set-Cookie" + + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: >- + MaxAge indicates the duration (in seconds) + for the client to cache the + + results of a "preflight" request. + + + The information provided by the + `Access-Control-Allow-Methods` and + + `Access-Control-Allow-Headers` response + headers can be cached by the + + client until the time specified by + `Access-Control-Max-Age` elapses. + + + The default value of + `Access-Control-Max-Age` response header is + 5 + + (seconds). + + + When the `MaxAge` field is unspecified, the + gateway sets the response + + header "Access-Control-Max-Age: 5" by + default. + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: >- + ExtensionRef is an optional, + implementation-specific extension to the + + "filter" behavior. For example, resource + "myroutefilter" in group + + "networking.example.net"). ExtensionRef MUST NOT + be used for core and + + extended filters. + + + This filter can be used multiple times within + the same rule. + + + Support: Implementation-specific + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: >- + RequestHeaderModifier defines a schema for a + filter that modifies request + + headers. + + + Support: Core + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. 
Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: >- + RequestMirror defines a schema for a filter that + mirrors requests. + + Requests are sent to the specified destination, + but responses from + + that destination are ignored. + + + This filter can be used multiple times within + the same rule. 
Note that + + not all implementations will be able to support + mirroring to multiple + + backends. + + + Support: Extended + properties: + backendRef: + description: >- + BackendRef references a resource where + mirrored requests are sent. + + + Mirrored requests must be sent only to a + single destination endpoint + + within this BackendRef, irrespective of how + many endpoints are present + + within this BackendRef. + + + If the referent cannot be found, this + BackendRef is invalid and must be + + dropped from the Gateway. The controller + must ensure the "ResolvedRefs" + + condition on the Route status is set to + `status: False` and not configure + + this backend in the underlying + implementation. + + + If there is a cross-namespace reference to + an *existing* object + + that is not allowed by a ReferenceGrant, the + controller must ensure the + + "ResolvedRefs" condition on the Route is + set to `status: False`, + + with the "RefNotPermitted" reason and not + configure this backend in the + + underlying implementation. + + + In either error case, the Message of the + `ResolvedRefs` Condition + + should be used to provide more detail about + the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any + other resource + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. 
They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + fraction: + description: >- + Fraction represents the fraction of requests + that should be + + mirrored to BackendRef. + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. 
+ properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: >- + numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: >- + Percent represents the percentage of + requests that should be + + mirrored to BackendRef. Its minimum value is + 0 (indicating 0% of + + requests) and its maximum value is 100 + (indicating 100% of requests). + + + Only one of Fraction or Percent may be + specified. If neither field + + is specified, 100% of requests will be + mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: >- + Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: >- + RequestRedirect defines a schema for a filter + that responds to the + + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: >- + Hostname is the hostname to be used in the + value of the `Location` + + header in the response. + + When empty, the hostname in the `Host` + header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: >- + Path defines parameters used to modify the + path of the incoming request. + + The modified path is then used to construct + the `Location` header. When + + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. + + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? 
self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? self.type + == 'ReplacePrefixMatch' : true + port: + description: >- + Port is the port to be used in the value of + the `Location` + + header in the response. + + + If no port is specified, the redirect port + MUST be derived using the + + following rules: + + + * If redirect scheme is not-empty, the + redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect + port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port + number in the 'Location' + + header in the following cases: + + + * A Location header that will use HTTP + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS + (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: >- + Scheme is the scheme to be used in the value + of the `Location` header in + + the response. When empty, the scheme of the + request is used. + + + Scheme redirects can affect the port of the + redirect, for more information, + + refer to the documentation for the port + field of this filter. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. 
+ + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: >- + StatusCode is the HTTP status code to be + used in response. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: >- + ResponseHeaderModifier defines a schema for a + filter that modifies response + + headers. + + + Support: Extended + properties: + add: + description: >- + Add adds the given header(s) (name, value) + to the request + + before the action. It appends to any + existing values associated + + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: >- + Remove the given header(s) from the HTTP + request before the action. The + + value of Remove is a list of HTTP header + names. Note that the header + + names are case-insensitive (see + + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: >- + Set overwrites the request with the given + header (name, value) + + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: >- + HTTPHeader represents an HTTP Header name + and value as defined by RFC 7230. + properties: + name: + description: >- + Name is the name of the HTTP Header to + be matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, the first entry with + + an equivalent name MUST be considered + for a match. Subsequent entries + + with an equivalent header name MUST be + ignored. Due to the + + case-insensitivity of header names, + "foo" and "Foo" are considered + + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: >- + Type identifies the type of filter to apply. As + with other API fields, + + types are classified into three conformance + levels: + + + - Core: Filter types and their corresponding + configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding + configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are + defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom + implementation types to + + extend the core API with implementation-specific + behavior. + + + If a reference to a custom filter type cannot be + resolved, the filter + + MUST NOT be skipped. Instead, requests that + would have been processed by + + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not cause a + crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. 
+ enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + - CORS + type: string + urlRewrite: + description: >- + URLRewrite defines a schema for a filter that + modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: >- + Hostname is the value to be used to replace + the Host header value during + + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: >- + ReplaceFullPath specifies the value with + which to replace the full path + + of a request during a rewrite or + redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: >- + ReplacePrefixMatch specifies the value + with which to replace the prefix + + match of a request during a rewrite or + redirect. For example, a request + + to "/foo/bar" with a prefix match of + "/foo" and a ReplacePrefixMatch + + of "/xyz" would be modified to + "/xyz/bar". + + + Note that this matches the behavior of + the PathPrefix match type. This + + matches full path elements. A path + element refers to the list of labels + + in the path split by the `/` separator. + When specified, a trailing `/` is + + ignored. For example, the paths `/abc`, + `/abc/`, and `/abc/def` would all + + match the prefix `/abc`, but the path + `/abcd` would not. + + + ReplacePrefixMatch is only compatible + with a `PathPrefix` HTTPRouteMatch. + + Using any other HTTPRouteMatch type on + the same HTTPRouteRule will result in + + the implementation setting the Accepted + Condition for the Route to `status: + False`. 
+ + + Request Path | Prefix Match | Replace + Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: >- + Type defines the type of path modifier. + Additional types may be + + added in a future release of the API. + + + Note that values may be added to this + enum, implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to + `status: False`, with a + + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: >- + self.type == 'ReplaceFullPath' ? + has(self.replaceFullPath) : true + - message: >- + type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: >- + has(self.replaceFullPath) ? self.type == + 'ReplaceFullPath' : true + - message: >- + replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: >- + self.type == 'ReplacePrefixMatch' ? + has(self.replacePrefixMatch) : true + - message: >- + type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: >- + has(self.replacePrefixMatch) ? 
self.type + == 'ReplacePrefixMatch' : true + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + filter.cors must be nil if the filter.type is + not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: >- + filter.cors must be specified for CORS + filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' + - message: >- + filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: >- + !(has(self.requestHeaderModifier) && self.type + != 'RequestHeaderModifier') + - message: >- + filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: >- + !(!has(self.requestHeaderModifier) && self.type + == 'RequestHeaderModifier') + - message: >- + filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: >- + !(has(self.responseHeaderModifier) && self.type + != 'ResponseHeaderModifier') + - message: >- + filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: >- + !(!has(self.responseHeaderModifier) && self.type + == 'ResponseHeaderModifier') + - message: >- + filter.requestMirror must be nil if the + filter.type is not RequestMirror + rule: >- + !(has(self.requestMirror) && self.type != + 'RequestMirror') + - message: >- + filter.requestMirror must be specified for + RequestMirror filter.type + rule: >- + !(!has(self.requestMirror) && self.type == + 'RequestMirror') + - message: >- + filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: >- + !(has(self.requestRedirect) && self.type != + 'RequestRedirect') + - message: >- + filter.requestRedirect must be specified for + RequestRedirect filter.type + rule: >- + !(!has(self.requestRedirect) && self.type == + 'RequestRedirect') + - message: >- + filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: >- + !(has(self.urlRewrite) && self.type != + 
'URLRewrite') + - message: >- + filter.urlRewrite must be specified for + URLRewrite filter.type + rule: >- + !(!has(self.urlRewrite) && self.type == + 'URLRewrite') + - message: >- + filter.extensionRef must be nil if the + filter.type is not ExtensionRef + rule: >- + !(has(self.extensionRef) && self.type != + 'ExtensionRef') + - message: >- + filter.extensionRef must be specified for + ExtensionRef filter.type + rule: >- + !(!has(self.extensionRef) && self.type == + 'ExtensionRef') + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: >- + !(self.exists(f, f.type == 'RequestRedirect') && + self.exists(f, f.type == 'URLRewrite')) + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 + - message: RequestHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'RequestHeaderModifier').size() <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: >- + self.filter(f, f.type == + 'ResponseHeaderModifier').size() <= 1 + - message: RequestRedirect filter cannot be repeated + rule: >- + self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: >- + Matches define conditions used for matching the rule + against incoming + + HTTP requests. Each match is independent, i.e. this + rule will be matched + + if **any** one of the matches is satisfied. 
+ + + For example, take the following matches configuration: + + + ``` + + matches: + + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + + For a request to match against this rule, a request + must satisfy + + EITHER of the two conditions: + + + - path prefixed with `/foo` AND contains the header + `version: v2` + + - path prefix of `/v2/foo` + + + See the documentation for HTTPRouteMatch on how to + specify multiple + + match conditions that should be ANDed together. + + + If no matches are specified, the default is a prefix + + path match on "/", which has the effect of matching + every + + HTTP request. + + + Proxy or Load Balancer routing configuration generated + from HTTPRoutes + + MUST prioritize matches based on the following + criteria, continuing on + + ties. Across all rules specified on applicable Routes, + precedence must be + + given to the match having: + + + * "Exact" path match. + + * "Prefix" path match with largest number of + characters. + + * Method match. + + * Largest number of header matches. + + * Largest number of query param matches. + + + Note: The precedence of RegularExpression path matches + are implementation-specific. + + + If ties still exist across multiple Routes, matching + precedence MUST be + + determined in order of the following criteria, + continuing on ties: + + + * The oldest Route based on creation timestamp. + + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching + precedence MUST be granted + + to the FIRST matching rule (in list order) with a + match meeting the above + + criteria. + + + When no rules matching a request have been + successfully attached to the + + parent a request is coming from, a HTTP 404 status + code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given\naction. 
Multiple match types are ANDed together, i.e. the match will\nevaluate to true only if all conditions are satisfied.\n\nFor example, the match below will match a HTTP request only if its path\nstarts with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t value \"v1\"\n\n```" + properties: + headers: + description: >- + Headers specifies HTTP request header matchers. + Multiple match values are + + ANDed together, meaning, a request must match + all the specified headers + + to select the route. + items: + description: >- + HTTPHeaderMatch describes how to select a HTTP + route by matching HTTP request + + headers. + properties: + name: + description: >- + Name is the name of the HTTP Header to be + matched. Name matching MUST be + + case-insensitive. (See + https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent + header names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent header name + MUST be ignored. Due to the + + case-insensitivity of header names, "foo" + and "Foo" are considered + + equivalent. + + + When a header is repeated in an HTTP + request, it is + + implementation-specific behavior as to how + this is represented. + + Generally, proxies should follow the + guidance from the RFC: + + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding + + processing a repeated header, with special + handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the header. 
+ + + Support: Core (Exact) + + + Support: Implementation-specific + (RegularExpression) + + + Since RegularExpression HeaderMatchType + has implementation-specific + + conformance, implementations can support + POSIX, PCRE or any other dialects + + of regular expressions. Please read the + implementation's documentation to + + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: >- + Method specifies HTTP method matcher. + + When specified, this route will be matched only + if the request has the + + specified method. + + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: >- + Path specifies a HTTP request path matcher. If + this field is not + + specified, a default prefix match on the "/" + path is provided. + properties: + type: + default: PathPrefix + description: >- + Type specifies how to match against the path + Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific + (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: >- + value must be an absolute path and start + with '/' when type one of ['Exact', + 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + self.value.startsWith('/') : true + - message: >- + must not contain '//' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? 
+ !self.value.contains('//') : true + - message: >- + must not contain '/./' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('/./') : true + - message: >- + must not contain '/../' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('/../') : true + - message: >- + must not contain '%2f' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('%2f') : true + - message: >- + must not contain '%2F' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('%2F') : true + - message: >- + must not contain '#' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.contains('#') : true + - message: >- + must not end with '/..' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.endsWith('/..') : true + - message: >- + must not end with '/.' when type one of + ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + !self.value.endsWith('/.') : true + - message: >- + type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: >- + self.type in ['Exact','PathPrefix'] || + self.type == 'RegularExpression' + - message: >- + must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: >- + (self.type in ['Exact','PathPrefix']) ? + self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true + queryParams: + description: >- + QueryParams specifies HTTP query parameter + matchers. Multiple match + + values are ANDed together, meaning, a request + must match all the + + specified query parameters to select the route. 
+ + + Support: Extended + items: + description: >- + HTTPQueryParamMatch describes how to select a + HTTP route by matching HTTP + + query parameters. + properties: + name: + description: >- + Name is the name of the HTTP query param + to be matched. This must be an + + exact string match. (See + + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent + query param names, only the first + + entry with an equivalent name MUST be + considered for a match. Subsequent + + entries with an equivalent query param + name MUST be ignored. + + + If a query param is repeated in an HTTP + request, the behavior is + + purposely left undefined, since different + data planes have different + + capabilities. However, it is *recommended* + that implementations should + + match against the first value of the param + if the data plane supports it, + + as this behavior is expected in other load + balancing contexts outside of + + the Gateway API. + + + Users SHOULD NOT route traffic based on + repeated query params to guard + + themselves against potential differences + in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: >- + Type specifies how to match against the + value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific + (RegularExpression) + + + Since RegularExpression + QueryParamMatchType has + Implementation-specific + + conformance, implementations can support + POSIX, PCRE or any other + + dialects of regular expressions. Please + read the implementation's + + documentation to determine the supported + dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: >- + Value is the value of HTTP query param to + be matched. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + timeouts: + description: >- + Timeouts defines the timeouts that can be configured + for an HTTP request. + + + Support: Extended + properties: + backendRequest: + description: >- + BackendRequest specifies a timeout for an + individual request from the gateway + + to a backend. This covers the time from when the + request first starts being + + sent from the gateway to when the full response + has been received from the backend. + + + Setting a timeout to the zero duration (e.g. "0s") + SHOULD disable the timeout + + completely. Implementations that cannot completely + disable the timeout MUST + + instead interpret the zero duration as the longest + possible value to which + + the timeout can be set. + + + An entire client HTTP transaction with a gateway, + covered by the Request timeout, + + may result in more than one call from the gateway + to the destination backend, + + for example, if automatic retries are supported. + + + The value of BackendRequest must be a Gateway API + Duration string as defined by + + GEP-2257. When this field is unspecified, its + behavior is implementation-specific; + + when specified, the value of BackendRequest must + be no more than the value of the + + Request timeout (since the Request timeout + encompasses the BackendRequest timeout). 
+ + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: >- + Request specifies the maximum duration for a + gateway to respond to an HTTP request. + + If the gateway has not been able to respond before + this deadline is met, the gateway + + MUST return a timeout error. + + + For example, setting the `rules.timeouts.request` + field to the value `10s` in an + + `HTTPRoute` will cause a timeout if a client + request is taking longer than 10 seconds + + to complete. + + + Setting a timeout to the zero duration (e.g. "0s") + SHOULD disable the timeout + + completely. Implementations that cannot completely + disable the timeout MUST + + instead interpret the zero duration as the longest + possible value to which + + the timeout can be set. + + + This timeout is intended to cover as close to the + whole request-response transaction + + as possible although an implementation MAY choose + to start the timeout after the entire + + request stream has been received instead of + immediately after the transaction is + + initiated by the client. + + + The value of Request is a Gateway API Duration + string as defined by GEP-2257. When this + + field is unspecified, request timeout behavior is + implementation-specific. + + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: >- + backendRequest timeout cannot be longer than + request timeout + rule: >- + !(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration('0s') && + duration(self.backendRequest) > + duration(self.request)) + type: object + x-kubernetes-validations: + - message: >- + RequestRedirect filter must not be used together with + backendRefs + rule: >- + (has(self.backendRefs) && size(self.backendRefs) > 0) + ? 
(!has(self.filters) || self.filters.all(f, + !has(f.requestRedirect))): true + - message: >- + When using RequestRedirect filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.filters) && self.filters.exists_one(f, + has(f.requestRedirect) && has(f.requestRedirect.path) + && f.requestRedirect.path.type == 'ReplacePrefixMatch' + && has(f.requestRedirect.path.replacePrefixMatch))) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + - message: >- + When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.filters) && self.filters.exists_one(f, + has(f.urlRewrite) && has(f.urlRewrite.path) && + f.urlRewrite.path.type == 'ReplacePrefixMatch' && + has(f.urlRewrite.path.replacePrefixMatch))) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + - message: >- + Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix + match must be specified + rule: >- + (has(self.backendRefs) && + self.backendRefs.exists_one(b, (has(b.filters) && + b.filters.exists_one(f, has(f.requestRedirect) && + has(f.requestRedirect.path) && + f.requestRedirect.path.type == 'ReplacePrefixMatch' && + has(f.requestRedirect.path.replacePrefixMatch))) )) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? 
false : + true) : true + - message: >- + Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match + must be specified + rule: >- + (has(self.backendRefs) && + self.backendRefs.exists_one(b, (has(b.filters) && + b.filters.exists_one(f, has(f.urlRewrite) && + has(f.urlRewrite.path) && f.urlRewrite.path.type == + 'ReplacePrefixMatch' && + has(f.urlRewrite.path.replacePrefixMatch))) )) ? + ((size(self.matches) != 1 || + !has(self.matches[0].path) || + self.matches[0].path.type != 'PathPrefix') ? false : + true) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must + be less than 128 + rule: >- + (self.size() > 0 ? self[0].matches.size() : 0) + + (self.size() > 1 ? self[1].matches.size() : 0) + + (self.size() > 2 ? self[2].matches.size() : 0) + + (self.size() > 3 ? self[3].matches.size() : 0) + + (self.size() > 4 ? self[4].matches.size() : 0) + + (self.size() > 5 ? self[5].matches.size() : 0) + + (self.size() > 6 ? self[6].matches.size() : 0) + + (self.size() > 7 ? self[7].matches.size() : 0) + + (self.size() > 8 ? self[8].matches.size() : 0) + + (self.size() > 9 ? self[9].matches.size() : 0) + + (self.size() > 10 ? self[10].matches.size() : 0) + + (self.size() > 11 ? self[11].matches.size() : 0) + + (self.size() > 12 ? self[12].matches.size() : 0) + + (self.size() > 13 ? self[13].matches.size() : 0) + + (self.size() > 14 ? self[14].matches.size() : 0) + + (self.size() > 15 ? self[15].matches.size() : 0) <= 128 + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. 
When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. 
+ properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. 
+ + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. 
+ + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. 
+ + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/listenersets.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/listenersets.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..dfe0333 --- /dev/null +++ b/_/CustomResourceDefinition/listenersets.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,1201 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: listenersets.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets + shortNames: + - lset + singular: listenerset + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + ListenerSet defines a set of additional listeners to attach to an + existing Gateway. + + This resource provides a mechanism to merge multiple listeners into + a single Gateway. + + + The parent Gateway must explicitly allow ListenerSet attachment + through its + + AllowedListeners configuration. By default, Gateways do not allow + ListenerSet + + attachment. + + + Routes can attach to a ListenerSet by specifying it as a parentRef, + and can + + optionally target specific listeners using the sectionName field. 
+ + + Policy Attachment: + + - Policies that attach to a ListenerSet apply to all listeners + defined in that resource + + - Policies do not impact listeners in the parent Gateway + + - Different ListenerSets attached to the same Gateway can have + different policies + + - If an implementation cannot apply a policy to specific listeners, + it should reject the policy + + + ReferenceGrant Semantics: + + - ReferenceGrants applied to a Gateway are not inherited by child + ListenerSets + + - ReferenceGrants applied to a ListenerSet do not grant permission + to the parent Gateway's listeners + + - A ListenerSet can reference secrets/backends in its own namespace + without a ReferenceGrant + + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ListenerSet. 
+ properties: + listeners: + description: >- + Listeners associated with this ListenerSet. Listeners define + + logical endpoints that are bound on this referenced parent + Gateway's addresses. + + + Listeners in a `Gateway` and their attached `ListenerSets` + are concatenated + + as a list when programming the underlying infrastructure. + Each listener + + name does not need to be unique across the Gateway and + ListenerSets. + + See ListenerEntry.Name for more details. + + + Implementations MUST treat the parent Gateway as having the + merged + + list of all listeners from itself and attached ListenerSets + using + + the following precedence: + + + 1. "parent" Gateway + + 2. ListenerSet ordered by creation time (oldest first) + + 3. ListenerSet ordered alphabetically by + "{namespace}/{name}". + + + An implementation MAY reject listeners by setting the + ListenerEntryStatus + + `Accepted` condition to False with the Reason + `TooManyListeners` + + + If a listener has a conflict, this will be reported in the + + Status.ListenerEntryStatus setting the `Conflicted` + condition to True. + + + Implementations SHOULD be cautious about what information + from the + + parent or siblings are reported to avoid accidentally + leaking + + sensitive information that the child would not otherwise + have access + + to. This can include contents of secrets etc. + items: + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: >- + AllowedRoutes defines the types of routes that MAY be + attached to a + + Listener and the trusted namespaces where those Route + resources MAY be + + present. + + + Although a client request may match multiple route + rules, only one rule + + may ultimately receive the request. Matching + precedence MUST be + + determined in order of the following criteria: + + + * The most specific match as defined by the Route + type. + + * The oldest Route based on creation timestamp. 
For + example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route + appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this + Listener should be + + implemented. Invalid Route rules can be ignored + (sometimes that will mean + + the full Route). If a Route rule transitions from + valid to invalid, + + support for that Route rule should be dropped to + ensure consistency. For + + example, even if a filter specified by a Route rule is + invalid, the rest + + of the rules within that Route should still be + supported. + properties: + kinds: + description: >- + Kinds specifies the groups and kinds of Routes + that are allowed to bind + + to this Gateway Listener. When unspecified or + empty, the kinds of Routes + + selected are determined using the Listener + protocol. + + + A RouteGroupKind MUST correspond to kinds of + Routes that are compatible + + with the application protocol specified in the + Listener's Protocol field. + + If an implementation does not support or recognize + this resource type, it + + MUST set the "ResolvedRefs" condition to False for + this Listener with the + + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: >- + Namespaces indicates namespaces from which Routes + may be attached to this + + Listener. This is restricted to the namespace of + this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: >- + From indicates where Routes will be selected + for this Gateway. Possible + + values are: + + + * All: Routes in all namespaces may be used by + this Gateway. + + * Selector: Routes in namespaces selected by + the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may + be used by this Gateway. + + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: >- + Selector must be specified when From is set to + "Selector". In that case, + + only Routes in Namespaces matching this + Selector will be selected by this + + Gateway. This field is ignored for other + values of "From". + + + Support: Core + properties: + matchExpressions: + description: >- + matchExpressions is a list of label + selector requirements. The requirements + are ANDed. + items: + description: >- + A label selector requirement is a + selector that contains values, a key, + and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector + applies to. + type: string + operator: + description: >- + operator represents a key's relationship + to a set of values. + + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If + the operator is In or NotIn, + + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + + the values array must be empty. 
This + array is replaced during a strategic + + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels + + map is equivalent to an element of + matchExpressions, whose key field is + "key", the + + operator is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: >- + Hostname specifies the virtual hostname to match for + protocol types that + + define this concept. When unspecified, all hostnames + are matched. This + + field is ignored for protocols that don't require + hostname based + + matching. + + + Implementations MUST apply Hostname matching + appropriately for each of + + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + + * HTTP: The Listener Hostname MUST match the Host + header of the request. + + * HTTPS: The Listener Hostname SHOULD match at both + the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an + interaction with the + + `spec.hostnames` array. When both listener and route + specify hostnames, + + there MUST be an intersection between the values for a + Route to be + + accepted. For more information, refer to the Route + specific Hostnames + + documentation. + + + Hostnames that are prefixed with a wildcard label + (`*.`) are interpreted + + as a suffix match. That means that a match for + `*.example.com` would match + + both `test.example.com`, and `foo.test.example.com`, + but not `example.com`. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: >- + Name is the name of the Listener. This name MUST be + unique within a + + ListenerSet. + + + Name is not required to be unique across a Gateway and + ListenerSets. + + Routes can attach to a Listener by having a + ListenerSet as a parentRef + + and setting the SectionName + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: >- + Port is the network port. Multiple listeners may use + the + + same port, subject to the Listener compatibility + rules. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: >- + Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 + minLength: 1 + pattern: >- + ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: >- + TLS is the TLS configuration for the Listener. This + field is required if + + the Protocol field is "HTTPS" or "TLS". It is invalid + to set this field + + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in + ListenerTLSConfig is + + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out + of all + + available certificates for any TLS handshake. + properties: + certificateRefs: + description: >- + CertificateRefs contains a series of references to + Kubernetes objects that + + contains TLS certificates and private keys. These + certificates are used to + + establish a TLS handshake for requests that match + the hostname of the + + associated listener. + + + A single CertificateRef to a Kubernetes Secret has + "Core" support. 
+ + Implementations MAY choose to support attaching + multiple certificates to + + a Listener, but this behavior is + implementation-specific. + + + References to a resource in different namespace + are invalid UNLESS there + + is a ReferenceGrant in the target namespace that + allows the certificate + + to be attached. If a ReferenceGrant does not allow + this reference, the + + "ResolvedRefs" condition MUST be set to False for + this listener with the + + "RefNotPermitted" reason. + + + This field is required to have at least one + element when the mode is set + + to "Terminate" (default) and is optional + otherwise. + + + CertificateRefs can reference to standard + Kubernetes resources, i.e. + + Secret, or implementation-specific custom + resources. + + + Support: Core - A single reference to a Kubernetes + Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one + reference or other resource types) + items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the + Group and Kind must + + be registered in the cluster for this reference + to be valid. + + + References to objects with invalid Group and + Kind are not valid, and must + + be rejected by the implementation, with + appropriate Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: >- + Mode defines the TLS behavior for the TLS session + initiated by the client. + + There are two possible modes: + + + - Terminate: The TLS session between the + downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated + by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: >- + AnnotationValue is the value of an annotation in + Gateway API. This is used + + for validation of maps such as TLS options. This + roughly matches Kubernetes + + annotation validation, although the length + validation in that case is based + + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: >- + Options are a list of key/value pairs to enable + extended TLS + + configuration for each implementation. For + example, configuring the + + minimum TLS version or supported cipher suites. 
+ + + A set of common keys MAY be defined by the API in + the future. To avoid + + any ambiguity, implementation-specific definitions + MUST use + + domain-prefixed names, such as + `example.com/my-custom-option`. + + Un-prefixed names are reserved for key names + defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: >- + certificateRefs or options must be specified when + mode is Terminate + rule: >- + self.mode == 'Terminate' ? + size(self.certificateRefs) > 0 || + size(self.options) > 0 : true + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: >- + tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['HTTP', 'TCP', 'UDP'] ? + !has(l.tls) : true) + - message: tls mode must be Terminate for protocol HTTPS + rule: >- + self.all(l, (l.protocol == 'HTTPS' && has(l.tls)) ? + (l.tls.mode == '' || l.tls.mode == 'Terminate') : true) + - message: tls mode must be set for protocol TLS + rule: >- + self.all(l, (l.protocol == 'TLS' ? has(l.tls) && + has(l.tls.mode) && l.tls.mode != '' : true)) + - message: >- + hostname must not be specified for protocols ['TCP', + 'UDP'] + rule: >- + self.all(l, l.protocol in ['TCP', 'UDP'] ? + (!has(l.hostname) || l.hostname == '') : true) + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: >- + Combination of port, protocol and hostname must be + unique for each listener + rule: >- + self.all(l1, !has(l1.port) || self.exists_one(l2, + has(l2.port) && l1.port == l2.port && l1.protocol == + l2.protocol && (has(l1.hostname) && has(l2.hostname) ? 
+ l1.hostname == l2.hostname : !has(l1.hostname) && + !has(l2.hostname)))) + parentRef: + description: >- + ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. If not + present, + + the namespace of the referent is assumed to be the same + as + + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - listeners + - parentRef + type: object + status: + default: + conditions: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. + properties: + conditions: + default: + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: '1970-01-01T00:00:00Z' + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: >- + Conditions describe the current conditions of the + ListenerSet. 
+ + + Implementations MUST express ListenerSet conditions using + the + + `ListenerSetConditionType` and `ListenerSetConditionReason` + + constants so that operators and tools can converge on a + common + + vocabulary to describe ListenerSet state. + + + Known condition types are: + + + * "Accepted" + + * "Programmed" + items: + description: >- + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the condition + transitioned from one status to another. + + This should be when the underlying condition changed. + If that is not known, then using the time when the API + field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating details + about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier indicating + the reason for the condition's last transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a guaranteed + API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: >- + Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: >- + AttachedRoutes represents the total number of Routes + that have been + + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is + based solely on the + + combination of the AllowedRoutes field on the + corresponding Listener + + and the Route's ParentRefs field. A Route is + successfully attached to + + a Listener when it is selected by the Listener's + AllowedRoutes field + + AND the Route has a valid ParentRef selecting the + whole Gateway + + resource or a specific Listener as a parent resource + (more detail on + + attachment semantics can be found in the documentation + on the various + + Route kinds ParentRefs fields). Listener status does + not impact + + successful attachment, i.e. the AttachedRoutes field + count MUST be set + + for Listeners, even if the Accepted condition of an + individual Listener is set + + to "False". The AttachedRoutes number represents the + number of Routes with + + the Accepted condition set to "True" that have been + attached to this Listener. + + Routes with any other value for the Accepted condition + MUST NOT be included + + in this count. 
+ + + Uses for this field include troubleshooting Route + attachment and + + measuring blast radius/impact of changes to a + Listener. + format: int32 + type: integer + conditions: + description: >- + Conditions describe the current condition of this + listener. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: >- + Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: >- + SupportedKinds is the list indicating the Kinds + supported by this + + listener. This MUST represent the kinds supported by + an implementation for + + that Listener configuration. + + + If kinds are specified in Spec that are not supported, + they MUST NOT + + appear in this list and an implementation MUST set the + "ResolvedRefs" + + condition to "False" with the "InvalidRouteKinds" + reason. If both valid + + and invalid Route kinds are specified, the + implementation MUST + + reference the valid Route kinds that have been + specified. + items: + description: >- + RouteGroupKind indicates the group and kind of a + Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/referencegrants.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/referencegrants.gateway.networking.k8s.io.yaml new file mode 100644 index 0000000..b1d0357 --- /dev/null +++ b/_/CustomResourceDefinition/referencegrants.gateway.networking.k8s.io.yaml 
@@ -0,0 +1,499 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + ReferenceGrant identifies kinds of resources in other namespaces + that are + + trusted to reference the specified kinds of resources in the same + namespace + + as the policy. + + + Each ReferenceGrant can be used to represent a unique trust + relationship. + + Additional Reference Grants can be used to add to the set of trusted + + sources of inbound references for the namespace they are defined + within. + + + All cross-namespace references in Gateway API (with the exception of + cross-namespace + + Gateway-route attachment) require a ReferenceGrant. + + + ReferenceGrant is a form of runtime verification allowing users to + assert + + which cross-namespace object references are permitted. + Implementations that + + support ReferenceGrant MUST NOT permit cross-namespace references + which have + + no grant, and MUST respond to the removal of a grant by revoking the + access + + that the grant allowed. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. 
+ + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: >- + From describes the trusted namespaces and kinds that can + reference the + + resources described in "To". Each entry in this list MUST be + considered + + to be an additional place that references can be valid from, + or to put + + this another way, entries MUST be combined using OR. + + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. Although + implementations may support + + additional resources, the following types are part of + the "Core" + + support level for this field. + + + When used to permit a SecretObjectReference: + + + * Gateway + + + When used to permit a BackendObjectReference: + + + * GRPCRoute + + * HTTPRoute + + * TCPRoute + + * TLSRoute + + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. 
+ + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: >- + To describes the resources that may be referenced by the + resources + + described in "From". Each entry in this list MUST be + considered to be an + + additional place that references can be valid to, or to put + this another + + way, entries MUST be combined using OR. + + + Support: Core + items: + description: >- + ReferenceGrantTo describes what Kinds are allowed as + targets of the + + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. Although + implementations may support + + additional resources, the following types are part of + the "Core" + + support level for this field: + + + * Secret when used to permit a SecretObjectReference + + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. When unspecified, + this policy + + refers to all resources of the specified Group and + Kind in the local + + namespace. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: >- + ReferenceGrant identifies kinds of resources in other namespaces + that are + + trusted to reference the specified kinds of resources in the same + namespace + + as the policy. + + + Each ReferenceGrant can be used to represent a unique trust + relationship. + + Additional Reference Grants can be used to add to the set of trusted + + sources of inbound references for the namespace they are defined + within. + + + All cross-namespace references in Gateway API (with the exception of + cross-namespace + + Gateway-route attachment) require a ReferenceGrant. + + + ReferenceGrant is a form of runtime verification allowing users to + assert + + which cross-namespace object references are permitted. + Implementations that + + support ReferenceGrant MUST NOT permit cross-namespace references + which have + + no grant, and MUST respond to the removal of a grant by revoking the + access + + that the grant allowed. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. 
+ + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: >- + From describes the trusted namespaces and kinds that can + reference the + + resources described in "To". Each entry in this list MUST be + considered + + to be an additional place that references can be valid from, + or to put + + this another way, entries MUST be combined using OR. + + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. Although + implementations may support + + additional resources, the following types are part of + the "Core" + + support level for this field. + + + When used to permit a SecretObjectReference: + + + * Gateway + + + When used to permit a BackendObjectReference: + + + * GRPCRoute + + * HTTPRoute + + * TCPRoute + + * TLSRoute + + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: >- + To describes the resources that may be referenced by the + resources + + described in "From". 
Each entry in this list MUST be + considered to be an + + additional place that references can be valid to, or to put + this another + + way, entries MUST be combined using OR. + + + Support: Core + items: + description: >- + ReferenceGrantTo describes what Kinds are allowed as + targets of the + + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. Although + implementations may support + + additional resources, the following types are part of + the "Core" + + support level for this field: + + + * Secret when used to permit a SecretObjectReference + + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. When unspecified, + this policy + + refers to all resources of the specified Group and + Kind in the local + + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/_/CustomResourceDefinition/securitypolicies.gateway.envoyproxy.io.yaml b/_/CustomResourceDefinition/securitypolicies.gateway.envoyproxy.io.yaml new file mode 100644 index 0000000..d044e29 --- /dev/null +++ b/_/CustomResourceDefinition/securitypolicies.gateway.envoyproxy.io.yaml 
@@ -0,0 +1,9204 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: securitypolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: SecurityPolicy + listKind: SecurityPolicyList + plural: securitypolicies + shortNames: + - sp + singular: securitypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: >- + SecurityPolicy allows the user to configure various security + settings for a + + Gateway. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of SecurityPolicy. + properties: + apiKeyAuth: + description: >- + APIKeyAuth defines the configuration for the API Key + Authentication. + properties: + credentialRefs: + description: >- + CredentialRefs is the Kubernetes secret which contains + the API keys. + + This is an Opaque secret. + + Each API key is stored in the key representing the + client id. + + If the secrets have a key for a duplicated client, the + first one will be used. 
+ items: + description: >- + SecretObjectReference identifies an API object + including its namespace, + + defaulting to Secret. + + + The API object must be valid in the cluster; the Group + and Kind must + + be registered in the cluster for this reference to be + valid. + + + References to objects with invalid Group and Kind are + not valid, and must + + be rejected by the implementation, with appropriate + Conditions set + + on the containing object. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: >- + Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced + object. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: array + extractFrom: + description: >- + ExtractFrom is where to fetch the key from the coming + request. + + The value from the first source that has a key will be + used. + items: + description: >- + ExtractFrom is where to fetch the key from the coming + request. + + Only one of header, param or cookie is supposed to be + specified. 
+ properties: + cookies: + description: >- + Cookies is the names of the cookie to fetch the + key from. + + If multiple cookies are specified, envoy will look + for the api key in the order of the list. + + This field is optional, but only one of headers, + params or cookies is supposed to be specified. + items: + type: string + type: array + headers: + description: >- + Headers is the names of the header to fetch the + key from. + + If multiple headers are specified, envoy will look + for the api key in the order of the list. + + This field is optional, but only one of headers, + params or cookies is supposed to be specified. + items: + type: string + type: array + params: + description: >- + Params is the names of the query parameter to + fetch the key from. + + If multiple params are specified, envoy will look + for the api key in the order of the list. + + This field is optional, but only one of headers, + params or cookies is supposed to be specified. + items: + type: string + type: array + type: object + type: array + forwardClientIDHeader: + description: >- + ForwardClientIDHeader is the name of the header to + forward the client identity to the backend + + service. The header will be added to the request with + the client id as the value. + type: string + sanitize: + description: >- + Sanitize indicates whether to remove the API key from + the request before forwarding it to the backend service. + type: boolean + required: + - credentialRefs + - extractFrom + type: object + authorization: + description: Authorization defines the authorization configuration. + properties: + defaultAction: + description: >- + DefaultAction defines the default action to be taken if + no rules match. + + If not specified, the default action is Deny. + enum: + - Allow + - Deny + type: string + rules: + description: >- + Rules defines a list of authorization rules. 
+ + These rules are evaluated in order, the first matching + rule will be applied, + + and the rest will be skipped. + + + For example, if there are two rules: the first rule + allows the request + + and the second rule denies it, when a request matches + both rules, it will be allowed. + items: + description: AuthorizationRule defines a single authorization rule. + properties: + action: + description: >- + Action defines the action to be taken if the rule + matches. + enum: + - Allow + - Deny + type: string + name: + description: >- + Name is a user-friendly name for the rule. + + If not specified, Envoy Gateway will generate a + unique name for the rule. + maxLength: 253 + minLength: 1 + type: string + operation: + description: >- + Operation specifies the operation of a request, + such as HTTP methods. + + If not specified, all operations are matched on. + properties: + methods: + description: >- + Methods are the HTTP methods of the request. + + If multiple methods are specified, all + specified methods are allowed or denied, based + on the action of the rule. + items: + description: >- + HTTPMethod describes how to select a HTTP + route by matching the HTTP + + method as defined by + + [RFC + 7231](https://datatracker.ietf.org/doc/html/rfc7231#section-4) + and + + [RFC + 5789](https://datatracker.ietf.org/doc/html/rfc5789#section-2). + + The value is expected in upper case. + + + Note that values may be added to this enum, + implementations + + must ensure that unknown values will not + cause a crash. + + + Unknown values here must result in the + implementation setting the + + Accepted Condition for the Route to `status: + False`, with a + + Reason of `UnsupportedValue`. + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + maxItems: 16 + minItems: 1 + type: array + required: + - methods + type: object + principal: + description: >- + Principal specifies the client identity of a + request. 
+ + If there are multiple principal types, all + principals must match for the rule to match. + + For example, if there are two principals: one for + client IP and one for JWT claim, + + the rule will match only if both the client IP and + the JWT claim match. + properties: + clientCIDRs: + description: >- + ClientCIDRs are the IP CIDR ranges of the + client. + + Valid examples are "192.168.1.0/24" or + "2001:db8::/64" + + + If multiple CIDR ranges are specified, one of + the CIDR ranges must match + + the client IP for the rule to match. + + + The client IP is inferred from the + X-Forwarded-For header, a custom header, + + or the proxy protocol. + + You can use the `ClientIPDetection` or the + `ProxyProtocol` field in + + the `ClientTrafficPolicy` to configure how the + client IP is detected. + + + For TCPRoute targets (raw TCP connections), + HTTP headers such as + + X-Forwarded-For are not available. The client + IP is obtained from the + + TCP connection's peer address. If + intermediaries (load balancers, NAT) + + terminate or proxy TCP, the original client IP + will only be available + + if the intermediary preserves the source + address (for example by + + enabling the PROXY protocol or avoiding SNAT). + Ensure your L4 proxy is + + configured to preserve the source IP to enable + correct client-IP + + matching for TCPRoute targets. + items: + description: >- + CIDR defines a CIDR Address range. + + A CIDR can be an IPv4 address range such as + "192.168.1.0/24" or an IPv6 address range + such as "2001:0db8:11a3:09d7::/64". 
+ pattern: >- + ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) + type: string + minItems: 1 + type: array + headers: + description: >- + Headers authorize the request based on user + identity extracted from custom headers. + + If multiple headers are specified, all headers + must match for the rule to match. + items: + description: >- + AuthorizationHeaderMatch specifies how to + match against the value of an HTTP header + within a authorization rule. + properties: + name: + description: >- + Name of the HTTP header. + + The header name is case-insensitive + unless PreserveHeaderCase is set to + true. + + For example, "Foo" and "foo" are + considered the same header. + maxLength: 256 + minLength: 1 + type: string + values: + description: >- + Values are the values that the header + must match. + + If multiple values are specified, the + rule will match if any of the values + match. + items: + type: string + maxItems: 256 + minItems: 1 + type: array + required: + - name + - values + type: object + maxItems: 256 + minItems: 1 + type: array + jwt: + description: >- + JWT authorize the request based on the JWT + claims and scopes. 
+ + Note: in order to use JWT claims for + authorization, you must configure the + + JWT authentication in the same + `SecurityPolicy`. + properties: + claims: + description: >- + Claims are the claims in a JWT token. + + + If multiple claims are specified, all + claims must match for the rule to match. + + For example, if there are two claims: one + for the audience and one for the issuer, + + the rule will match only if both the + audience and the issuer match. + items: + description: >- + JWTClaim specifies a claim in a JWT + token. + properties: + name: + description: >- + Name is the name of the claim. + + If it is a nested claim, use a dot (.) + separated string as the name to + + represent the full path to the claim. + + For example, if the claim is in the + "department" field in the "organization" + field, + + the name should be + "organization.department". + maxLength: 253 + minLength: 1 + type: string + valueType: + default: String + description: >- + ValueType is the type of the claim + value. + + Only String and StringArray types are + supported for now. + enum: + - String + - StringArray + type: string + values: + description: >- + Values are the values that the claim + must match. + + If the claim is a string type, the + specified value must match exactly. + + If the claim is a string array type, the + specified value must match one of the + values in the array. + + If multiple values are specified, one of + the values must match for the rule to + match. + items: + type: string + maxItems: 128 + minItems: 1 + type: array + required: + - name + - values + type: object + maxItems: 16 + minItems: 1 + type: array + provider: + description: >- + Provider is the name of the JWT provider + that used to verify the JWT token. + + In order to use JWT claims for + authorization, you must configure the JWT + + authentication with the same provider in + the same `SecurityPolicy`. 
+ maxLength: 253 + minLength: 1 + type: string + scopes: + description: >- + Scopes are a special type of claim in a + JWT token that represents the permissions + of the client. + + + The value of the scopes field should be a + space delimited string that is expected in + the + + scope (or scp) claim, as defined in RFC + 6749: + https://datatracker.ietf.org/doc/html/rfc6749#page-23. + + + If multiple scopes are specified, all + scopes must match for the rule to match. + items: + maxLength: 253 + minLength: 1 + type: string + maxItems: 16 + minItems: 1 + type: array + required: + - provider + type: object + x-kubernetes-validations: + - message: >- + at least one of claims or scopes must be + specified + rule: (has(self.claims) || has(self.scopes)) + sourceCIDRs: + description: >- + SourceCIDRs are the IP CIDR ranges of the + source (L4 peer IP). + + Valid examples are "192.168.1.0/24" or + "2001:db8::/64" + + + If multiple CIDR ranges are specified, one of + the CIDR ranges must match + + the source IP for the rule to match. + + + The source IP is the IP address of the peer + that connected to Envoy. + + This IP is obtained from the TCP connection's + peer address and is not + + affected by X-Forwarded-For or other IP + detection headers. + + If intermediaries (load balancers, NAT) + terminate or proxy TCP, + + the original client IP will only be available + if the intermediary + + preserves the source address (for example by + enabling the PROXY protocol + + or avoiding SNAT). + items: + description: >- + CIDR defines a CIDR Address range. + + A CIDR can be an IPv4 address range such as + "192.168.1.0/24" or an IPv6 address range + such as "2001:0db8:11a3:09d7::/64". 
+ pattern: >- + ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) + type: string + minItems: 1 + type: array + type: object + x-kubernetes-validations: + - message: >- + at least one of clientCIDRs, jwt, or headers + must be specified + rule: >- + (has(self.clientCIDRs) || has(self.jwt) || + has(self.headers)) + required: + - action + - principal + type: object + type: array + type: object + basicAuth: + description: >- + BasicAuth defines the configuration for the HTTP Basic + Authentication. + properties: + forwardUsernameHeader: + description: >- + This field specifies the header name to forward a + successfully authenticated user to + + the backend. The header will be added to the request + with the username as the value. + + + If it is not specified, the username will not be + forwarded. + type: string + users: + description: >- + The Kubernetes secret which contains the + username-password pairs in + + htpasswd format, used to verify user credentials in the + "Authorization" + + header. + + + This is an Opaque secret. The username-password pairs + should be stored in + + the key ".htpasswd". 
As the key name indicates, the + value needs to be the + + htpasswd format, for example: + "user1:{SHA}hashed_user1_password". + + Right now, only SHA hash algorithm is supported. + + Reference to + https://httpd.apache.org/docs/2.4/programs/htpasswd.html + + for more details. + + + Note: The secret must be in the same namespace as the + SecurityPolicy. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - users + type: object + cors: + description: >- + CORS defines the configuration for Cross-Origin Resource + Sharing (CORS). + properties: + allowCredentials: + description: >- + AllowCredentials indicates whether a request can include + user credentials + + like cookies, authentication headers, or TLS client + certificates. + + It specifies the value in the + Access-Control-Allow-Credentials CORS response header. 
+ type: boolean + allowHeaders: + description: >- + AllowHeaders defines the headers that are allowed to be + sent with requests. + + It specifies the allowed headers in the + Access-Control-Allow-Headers CORS response header.. + + The value "*" allows any header to be sent. + items: + type: string + type: array + allowMethods: + description: >- + AllowMethods defines the methods that are allowed to + make requests. + + It specifies the allowed methods in the + Access-Control-Allow-Methods CORS response header.. + + The value "*" allows any method to be used. + items: + type: string + type: array + allowOrigins: + description: >- + AllowOrigins defines the origins that are allowed to + make requests. + + It specifies the allowed origins in the + Access-Control-Allow-Origin CORS response header. + + The value "*" allows any origin to make requests. + items: + description: >- + Origin is defined by the scheme (protocol), hostname + (domain), and port of + + the URL used to access it. The hostname can be + "precise" which is just the + + domain name or "wildcard" which is a domain name + prefixed with a single + + wildcard label such as "*.example.com". + + In addition to that a single wildcard (with or without + scheme) can be + + configured to match any origin. + + + For example, the following are valid origins: + + - https://foo.example.com + + - https://*.example.com + + - http://foo.example.com:8080 + + - http://*.example.com:8080 + + - https://* + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$ + type: string + type: array + exposeHeaders: + description: >- + ExposeHeaders defines which response headers should be + made accessible to + + scripts running in the browser. + + It specifies the headers in the + Access-Control-Expose-Headers CORS response header.. + + The value "*" allows any header to be exposed. 
+ items: + type: string + type: array + maxAge: + description: >- + MaxAge defines how long the results of a preflight + request can be cached. + + It specifies the value in the Access-Control-Max-Age + CORS response header.. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + extAuth: + description: >- + ExtAuth defines the configuration for External + Authorization. + properties: + bodyToExtAuth: + description: >- + BodyToExtAuth defines the Body to Ext Auth + configuration. + properties: + maxRequestBytes: + description: >- + MaxRequestBytes is the maximum size of a message + body that the filter will hold in memory. + + Envoy will return HTTP 413 and will not initiate the + authorization process when buffer + + reaches the number set in this field. + + Note that this setting will have precedence over + failOpen mode. + format: int32 + minimum: 1 + type: integer + required: + - maxRequestBytes + type: object + contextExtensions: + description: >- + ContextExtensions are analogous to http_request.headers, + however these + + contents will not be sent to the upstream server. This + provides an + + extension mechanism for sending additional information + to the auth server + + without modifying the proto definition. It maps to the + internal opaque + + context in the filter chain. + items: + description: >- + ContextExtension is analogous to http_request.headers, + however these + + contents will not be sent to the upstream server. This + provides an + + extension mechanism for sending additional information + to the auth server + + without modifying the proto definition. It maps to the + internal opaque + + context in the filter chain. + properties: + name: + description: Name of the context extension. + type: string + type: + default: Value + description: >- + Type is the type of method to use to read the + ContextExtension value. + + Valid values are Value and ValueRef, default is + Value. 
+ enum: + - Value + - ValueRef + type: string + value: + description: Value of the context extension. + type: string + valueRef: + description: ValueRef for the context extension's value. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + key: + description: The key to select. + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - key + - kind + - name + type: object + x-kubernetes-validations: + - message: >- + Only a reference to an object of kind + ConfigMap or Secret belonging to default v1 + API group is supported. + rule: >- + self.kind in ['ConfigMap', 'Secret'] && + self.group in ['', 'v1'] + required: + - name + - type + type: object + x-kubernetes-validations: + - message: >- + Exactly one of value or valueRef must be set with + correct type. + rule: >- + (self.type == 'Value' && has(self.value) && + !has(self.valueRef)) || (self.type == 'ValueRef' + && !has(self.value) && has(self.valueRef)) + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + failOpen: + default: false + description: >- + FailOpen is a switch used to control the behavior when a + response from the External Authorization service cannot + be obtained. + + If FailOpen is set to true, the system allows the + traffic to pass through. + + Otherwise, if it is set to false or not set (defaulting + to false), + + the system blocks the traffic and returns a HTTP 5xx + error, reflecting a fail-closed approach. 
+ + This setting determines whether to prioritize + accessibility over strict security in case of + authorization service failure. + + + If set to true, the External Authorization will also be + bypassed if its configuration is invalid. + type: boolean + grpc: + description: |- + GRPC defines the gRPC External Authorization service. + Either GRPCService or HTTPService must be specified, + and only one of them can be provided. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. 
+ + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + items: + description: >- + BackendRef defines how an ObjectReference that is + specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be configured. + + It is highly recommended to configure active + or passive health checks to ensure that + failover can be detected + + when the active backends become unhealthy and + to automatically readjust once the primary + backends are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only start + receiving traffic when + + the health of the active backends falls below + 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". 
+ + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of + all weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. + If weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing the + connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be enabled + with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy + will establish to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that + Envoy will make to the referenced backend + defined within a xRoute rule. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that + Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy + will make over a single connection to the + referenced backend defined within a xRoute + rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that + will apply per-endpoint for an upstream + cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection streaming + (maybe non-streaming) channel between + processes, it's in user space. + + If unspecified, an implementation defined + default is applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. 
+ + Note: that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment overhead. + + + If unset, Envoy will fetch connections as + needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). 
+ format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for + the maximum buffer size in bytes for each + socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which + DNS records should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend is + specified as a fully qualified domain name + (FQDN). + + If set, this configuration overrides other + defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS refresh + rate will be set to the resource record’s + TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. 
+ properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. + + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout the + cluster + + as load increases. If not set, the default + value is 50%. To disable panic mode, set + value to `0`. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for backend + connections. 
+ properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial + window size for HTTP/2 connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number + of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will + terminate the connection or just the + offending stream in the event of HTTP + messaging error + + It's recommended for L2 Envoy deployments to + set this value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. 
+ properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. 
+ items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration + for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information extracted + from request headers or metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. 
+ properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related + to the slow start load balancer policy. + + If set, during slow start window, traffic + sent to the newly added hosts will gradually + increase. + + Currently this is only supported for + RoundRobin and LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related + to the distribution of requests between + locality zones. 
+ properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for + RoundRobin and LeastRequest load balancers. + rule: >- + self.type in ['Random', 'ConsistentHash'] ? + !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for + LeastRequest, Random, and RoundRobin load + balancers. + rule: >- + self.type == 'ConsistentHash' ? 
+ !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when + communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing + users to customize the number of retries, retry + fallback strategy, and retry triggering + conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of + requests (initial attempt + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all requests + are sent to the highest priority that is + healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be + attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. 
+ + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle + before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to + send before deciding + + the connection is dead. + + Defaults to 9. 
+ format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only + works with RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + type: object + x-kubernetes-validations: + - message: backendRef or backendRefs needs to be set + rule: has(self.backendRef) || self.backendRefs.size() > 0 + - message: >- + BackendRefs only supports Service, ServiceImport, + and Backend kind. + rule: >- + has(self.backendRefs) ? self.backendRefs.all(f, + f.kind == 'Service' || f.kind == 'ServiceImport' || + f.kind == 'Backend') : true + - message: >- + BackendRefs only supports Core, + multicluster.x-k8s.io, and gateway.envoyproxy.io + groups. + rule: >- + has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "" || f.group == 'multicluster.x-k8s.io' + || f.group == 'gateway.envoyproxy.io')) : true + headersToExtAuth: + description: >- + HeadersToExtAuth defines the client request headers that + will be included + + in the request to the external authorization service. + + Note: If not specified, the default behavior for gRPC + and HTTP external + + authorization services is different due to backward + compatibility reasons. + + All headers will be included in the check request to a + gRPC authorization server. + + Only the following headers will be included in the check + request to an HTTP + + authorization server: Host, Method, Path, + Content-Length, and Authorization. + + And these headers will always be included to the check + request to an HTTP + + authorization server by default, no matter whether they + are specified + + in HeadersToExtAuth or not. 
+ items: + type: string + type: array + http: + description: |- + HTTP defines the HTTP External Authorization service. + Either GRPCService or HTTPService must be specified, + and only one of them can be provided. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. 
See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + items: + description: >- + BackendRef defines how an ObjectReference that is + specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be configured. + + It is highly recommended to configure active + or passive health checks to ensure that + failover can be detected + + when the active backends become unhealthy and + to automatically readjust once the primary + backends are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only start + receiving traffic when + + the health of the active backends falls below + 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of + all weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. + If weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing the + connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be enabled + with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy + will establish to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that + Envoy will make to the referenced backend + defined within a xRoute rule. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that + Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy + will make over a single connection to the + referenced backend defined within a xRoute + rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that + will apply per-endpoint for an upstream + cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection streaming + (maybe non-streaming) channel between + processes, it's in user space. + + If unspecified, an implementation defined + default is applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. 
+ + Note: that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment overhead. + + + If unset, Envoy will fetch connections as + needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). 
+ format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for + the maximum buffer size in bytes for each + socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which + DNS records should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend is + specified as a fully qualified domain name + (FQDN). + + If set, this configuration overrides other + defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS refresh + rate will be set to the resource record’s + TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. 
+ properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. + + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout the + cluster + + as load increases. If not set, the default + value is 50%. To disable panic mode, set + value to `0`. 
+ format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for backend + connections. 
+ properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial + window size for HTTP/2 connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number + of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will + terminate the connection or just the + offending stream in the event of HTTP + messaging error + + It's recommended for L2 Envoy deployments to + set this value to TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. 
+ properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. 
+ items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration + for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information extracted + from request headers or metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. 
+ properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related + to the slow start load balancer policy. + + If set, during slow start window, traffic + sent to the newly added hosts will gradually + increase. + + Currently this is only supported for + RoundRobin and LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related + to the distribution of requests between + locality zones. 
+ properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for + RoundRobin and LeastRequest load balancers. + rule: >- + self.type in ['Random', 'ConsistentHash'] ? + !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for + LeastRequest, Random, and RoundRobin load + balancers. + rule: >- + self.type == 'ConsistentHash' ? 
+ !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when + communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing + users to customize the number of retries, retry + fallback strategy, and retry triggering + conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of + requests (initial attempt + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all requests + are sent to the highest priority that is + healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be + attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. 
+ + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle + before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to + send before deciding + + the connection is dead. + + Defaults to 9. 
+ format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only + works with RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + headersToBackend: + description: >- + HeadersToBackend are the authorization response + headers that will be added + + to the original client request before sending it to + the backend server. + + Note that coexisting headers will be overridden. + + If not specified, no authorization response headers + will be added to the + + original client request. + items: + type: string + type: array + path: + description: >- + Path is the path of the HTTP External Authorization + service. + + If path is specified, the authorization request will + be sent to that path, + + or else the authorization request will use the path + of the original request. + + + Please note that the original request path will be + appended to the path specified here. + + For example, if the original request path is + "/hello", and the path specified here is "/auth", + + then the path of the authorization request will be + "/auth/hello". If the path is not specified, + + the path of the authorization request will be + "/hello". + type: string + type: object + x-kubernetes-validations: + - message: backendRef or backendRefs needs to be set + rule: has(self.backendRef) || self.backendRefs.size() > 0 + - message: >- + BackendRefs only supports Service, ServiceImport, + and Backend kind. + rule: >- + has(self.backendRefs) ? 
self.backendRefs.all(f, + f.kind == 'Service' || f.kind == 'ServiceImport' || + f.kind == 'Backend') : true + - message: >- + BackendRefs only supports Core, + multicluster.x-k8s.io, and gateway.envoyproxy.io + groups. + rule: >- + has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "" || f.group == 'multicluster.x-k8s.io' + || f.group == 'gateway.envoyproxy.io')) : true + recomputeRoute: + description: >- + RecomputeRoute clears the route cache and recalculates + the routing decision. + + This field must be enabled if the headers added or + modified by the ExtAuth are used for + + route matching decisions. If the recomputation selects a + new route, features targeting + + the new matched route will be applied. + type: boolean + timeout: + description: >- + Timeout defines the timeout for requests to the external + authorization service. + + If not specified, defaults to 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: one of grpc or http must be specified + rule: (has(self.grpc) || has(self.http)) + - message: only one of grpc or http can be specified + rule: >- + (has(self.grpc) && !has(self.http)) || (!has(self.grpc) + && has(self.http)) + jwt: + description: >- + JWT defines the configuration for JSON Web Token (JWT) + authentication. + properties: + optional: + description: >- + Optional determines whether a missing JWT is acceptable, + defaulting to false if not specified. + + Note: Even if optional is set to true, JWT + authentication will still fail if an invalid JWT is + presented. + type: boolean + providers: + description: >- + Providers defines the JSON Web Token (JWT) + authentication provider type. + + When multiple JWT providers are specified, the JWT is + considered valid if + + any of the providers successfully validate the JWT. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. 
+ items: + description: >- + JWTProvider defines how a JSON Web Token (JWT) can be + verified. + properties: + audiences: + description: >- + Audiences is a list of JWT audiences allowed + access. For additional details, see + + https://tools.ietf.org/html/rfc7519#section-4.1.3. + If not provided, JWT audiences + + are not checked. + items: + type: string + maxItems: 8 + type: array + claimToHeaders: + description: >- + ClaimToHeaders is a list of JWT claims that must + be extracted into HTTP request headers + + For examples, following config: + + The claim must be of type; string, int, double, + bool. Array type claims are not supported + items: + description: >- + ClaimToHeader defines a configuration to convert + JWT claims into HTTP headers + properties: + claim: + description: >- + Claim is the JWT Claim that should be saved + into the header : it can be a nested claim + of type + + (eg. "claim.nested.key", "sub"). The nested + claim name must use dot "." + + to separate the JSON name path. + type: string + header: + description: >- + Header defines the name of the HTTP request + header that the JWT Claim will be saved + into. + type: string + required: + - claim + - header + type: object + type: array + extractFrom: + description: >- + ExtractFrom defines different ways to extract the + JWT token from HTTP request. + + If empty, it defaults to extract JWT token from + the Authorization HTTP request header using Bearer + schema + + or access_token from query parameters. + properties: + cookies: + description: >- + Cookies represents a list of cookie names to + extract the JWT token from. + items: + type: string + type: array + headers: + description: >- + Headers represents a list of HTTP request + headers to extract the JWT token from. 
+ items: + description: >- + JWTHeaderExtractor defines an HTTP header + location to extract JWT token + properties: + name: + description: >- + Name is the HTTP header name to retrieve + the token + type: string + valuePrefix: + description: >- + ValuePrefix is the prefix that should be + stripped before extracting the token. + + The format would be used by Envoy like + "{ValuePrefix}". + + For example, "Authorization: Bearer + ", then the ValuePrefix="Bearer " + with a space at the end. + type: string + required: + - name + type: object + type: array + params: + description: >- + Params represents a list of query parameters + to extract the JWT token from. + items: + type: string + type: array + type: object + issuer: + description: >- + Issuer is the principal that issued the JWT and + takes the form of a URL or email address. + + For additional details, see + https://tools.ietf.org/html/rfc7519#section-4.1.1 + for + + URL format and + https://rfc-editor.org/rfc/rfc5322.html for email + format. If not provided, + + the JWT issuer is not checked. + maxLength: 253 + type: string + localJWKS: + description: >- + LocalJWKS defines how to get the JSON Web Key Sets + (JWKS) from a local source. + properties: + inline: + description: Inline contains the value as an inline string. + type: string + type: + default: Inline + description: >- + Type is the type of method to use to read the + body value. + + Valid values are Inline and ValueRef, default + is Inline. + enum: + - Inline + - ValueRef + type: string + valueRef: + description: >- + ValueRef is a reference to a local ConfigMap + that contains the JSON Web Key Sets (JWKS). + + + The value of key `jwks` in the ConfigMap will + be used. + + If the key is not found, the first value in + the ConfigMap will be used. + properties: + group: + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + Exactly one of inline or valueRef must be set + with correct type. + rule: >- + (self.type == 'Inline' && has(self.inline) && + !has(self.valueRef)) || (self.type == + 'ValueRef' && !has(self.inline) && + has(self.valueRef)) + name: + description: >- + Name defines a unique name for the JWT provider. A + name can have a variety of forms, + + including RFC1123 subdomains, RFC 1123 labels, or + RFC 1035 labels. + maxLength: 253 + minLength: 1 + type: string + recomputeRoute: + description: >- + RecomputeRoute clears the route cache and + recalculates the routing decision. + + This field must be enabled if the headers + generated from the claim are used for + + route matching decisions. If the recomputation + selects a new route, features targeting + + the new matched route will be applied. + type: boolean + remoteJWKS: + description: >- + RemoteJWKS defines how to fetch and cache JSON Web + Key Sets (JWKS) from a remote + + HTTP/HTTPS endpoint. + properties: + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization + request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. 
+ maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other + than ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than + the local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. + See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object + that represents the + + backend server to which the authorization + request will be sent. + items: + description: >- + BackendRef defines how an ObjectReference + that is specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend + is designated as a fallback. + + Multiple fallback backends can be + configured. + + It is highly recommended to configure + active or passive health checks to + ensure that failover can be detected + + when the active backends become + unhealthy and to automatically readjust + once the primary backends are healthy + again. + + The overprovisioning factor is set to + 1.4, meaning the fallback backends will + only start receiving traffic when + + the health of the active backends falls + below 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not + specified. + + + ExternalName services can refer to CNAME + DNS records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not + be safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type + other than ExternalName) + + + Support: Implementation-specific + (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the + backend. When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different + than the local namespace is specified, + + a ReferenceGrant object is required in + the referent namespace to allow that + + namespace's owner to accept the + reference. See the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port + number to use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service + port number, not the target port. + + For other resources, destination port + might be derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of + requests forwarded to the referenced + + backend. This is computed as weight/(sum + of all weights in this + + BackendRefs list). For non-zero values, + there may be some epsilon from + + the exact proportion defined here + depending on the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it + has a weight greater than 0, 100% + + of the traffic is forwarded to that + backend. If weight is set to 0, no + + traffic should be forwarded for this + entry. If unspecified, weight + + defaults to 1. 
+ + + Support for this field varies based on + the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for + managing the connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. + + If not set, circuit breakers will be + enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that + Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries + that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests + that Envoy will queue to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that + Envoy will make over a single connection + to the referenced backend defined within + a xRoute rule. + + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers + that will apply per-endpoint for an + upstream cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: >- + Connection includes backend connection + settings. + properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection + streaming (maybe non-streaming) channel + between processes, it's in user space. + + If unspecified, an implementation + defined default is applied (32768 + bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment + overhead. + + + If unset, Envoy will fetch connections + as needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 
100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. + + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration + for the maximum buffer size in bytes for + each socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not + provided, the value is interpreted as + bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at + which DNS records should be refreshed. + + Defaults to 30 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend + is specified as a fully qualified domain + name (FQDN). + + If set, this configuration overrides + other defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS + refresh rate will be set to the resource + record’s TTL. + + Defaults to true. + type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform + active health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. + + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. 
+ + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. 
+ type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout + the cluster + + as load increases. If not set, the + default value is 50%. To disable panic + mode, set value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. 
+ format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for + backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the + initial window size for HTTP/2 + connections. + + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum + number of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy + will terminate the connection or just + the offending stream in the event of + HTTP messaging error + + It's recommended for L2 Envoy + deployments to set this value to + TerminateStream. + + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. 
+ + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. 
Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the + configuration for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information + extracted from request headers or + metadata. + If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration + related to the slow start load balancer + policy. + + If set, during slow start window, + traffic sent to the newly added hosts + will gradually increase. + + Currently this is only supported for + RoundRobin and LeastRequest load + balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration + related to the distribution of requests + between locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. 
+ properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported + for RoundRobin and LeastRequest load + balancers. + rule: >- + self.type in ['Random', + 'ConsistentHash'] ? !has(self.slowStart) + : true + - message: >- + Currently ZoneAware is only supported + for LeastRequest, Random, and RoundRobin + load balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, + allowing users to customize the number of + retries, retry fallback strategy, and + retry triggering conditions. 
+ + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the + number of requests (initial attempt + + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all + requests are sent to the highest + priority that is healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to + retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. 
+ + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be + idle before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged + probes to send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: >- + Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy + only works with RoundRobin or Random load + balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + cacheDuration: + default: 300s + description: >- + Duration is a string value representing a + duration in time. The format is as specified + + in GEP-2257, a strict subset of the syntax + parsed by Golang time.ParseDuration. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + uri: + description: >- + URI is the HTTPS URI to fetch the JWKS. + Envoy's system trust bundle is used to + validate the server certificate. + + If a custom trust bundle is needed, it can be + specified in a BackendTLSConfig resource and + target the BackendRefs. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - uri + type: object + x-kubernetes-validations: + - message: >- + BackendRefs must be used, backendRef is not + supported. + rule: '!has(self.backendRef)' + - message: Retry timeout is not supported. + rule: >- + has(self.backendSettings)? + (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)? + !has(self.backendSettings.retry.perRetry.timeout):true):true):true + - message: HTTPStatusCodes is not supported. + rule: >- + has(self.backendSettings)? + (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)? + !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true + required: + - name + type: object + x-kubernetes-validations: + - message: >- + claimToHeaders must be specified if recomputeRoute + is enabled. + rule: >- + (has(self.recomputeRoute) && self.recomputeRoute) + ? size(self.claimToHeaders) > 0 : true + - message: either remoteJWKS or localJWKS must be specified. + rule: has(self.remoteJWKS) || has(self.localJWKS) + - message: remoteJWKS and localJWKS cannot both be specified. + rule: '!(has(self.remoteJWKS) && has(self.localJWKS))' + maxItems: 4 + minItems: 1 + type: array + required: + - providers + type: object + oidc: + description: >- + OIDC defines the configuration for the OpenID Connect (OIDC) + authentication. + properties: + clientID: + description: >- + The client ID to be used in the OIDC + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + + Only one of clientID or clientIDRef must be set. + minLength: 1 + type: string + clientIDRef: + description: >- + The Kubernetes secret which contains the client ID to be + used in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + Exactly one of clientID or clientIDRef must be set. + + This is an Opaque secret. The client ID should be stored + in the key "client-id". 
+ + + Only one of clientID or clientIDRef must be set. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + clientSecret: + description: >- + The Kubernetes secret which contains the OIDC client + secret to be used in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + + This is an Opaque secret. The client secret should be + stored in the key + + "client-secret". + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referenced object. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + cookieConfig: + description: >- + CookieConfigs allows setting the SameSite attribute for + OIDC cookies. + + By default, its unset. + properties: + sameSite: + enum: + - Lax + - Strict + - None + type: string + type: object + cookieDomain: + description: >- + The optional domain to set the access and ID token + cookies on. + + If not set, the cookies will default to the host of the + request, not including the subdomains. + + If set, the cookies will be set on the specified domain + and all subdomains. + + This means that requests to any subdomain will not + require reauthentication after users log in to the + parent domain. + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$ + type: string + cookieNames: + description: >- + The optional cookie name overrides to be used for Bearer + and IdToken cookies in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + If not specified, uses a randomly generated suffix + properties: + accessToken: + description: >- + The name of the cookie used to store the AccessToken + in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). 
+ + If not specified, defaults to "AccessToken-(randomly + generated uid)" + type: string + idToken: + description: >- + The name of the cookie used to store the IdToken in + the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + If not specified, defaults to "IdToken-(randomly + generated uid)" + type: string + type: object + csrfTokenTTL: + description: >- + CSRFTokenTTL defines how long the CSRF token generated + during the OAuth2 authorization flow remains valid. + + + This duration determines the lifetime of the CSRF + cookie, which is validated against the CSRF token + + in the "state" parameter when the provider redirects + back to the callback endpoint. + + + If omitted, Envoy Gateway defaults the token expiration + to 10 minutes. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + defaultRefreshTokenTTL: + description: >- + DefaultRefreshTokenTTL is the default lifetime of the + refresh token. + + This field is only used when the exp (expiration time) + claim is omitted in + + the refresh token or the refresh token is not JWT. + + + If not specified, defaults to 604800s (one week). + + Note: this field is only applicable when the + "refreshToken" field is set to true. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + defaultTokenTTL: + description: >- + DefaultTokenTTL is the default lifetime of the id token + and access token. + + Please note that Envoy will always use the expiry time + from the response + + of the authorization server if it is provided. This + field is only used when + + the expiry time is not provided by the authorization. + + + If not specified, defaults to 0. In this case, the + "expires_in" field in + + the authorization response must be set by the + authorization server, or the + + OAuth flow will fail. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + denyRedirect: + description: >- + Any request that matches any of the provided matchers + (with either tokens that are expired or missing tokens) + will not be redirected to the OIDC Provider. + + This behavior can be useful for AJAX or machine + requests. + properties: + headers: + description: >- + Defines the headers to match against the request to + deny redirect to the OIDC Provider. + items: + description: >- + OIDCDenyRedirectHeader defines how a header is + matched + properties: + name: + description: >- + Specifies the name of the header in the + request. + minLength: 1 + type: string + type: + default: Exact + description: Type specifies how to match against a string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: >- + Value specifies the string value that the + match must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - headers + type: object + disableTokenEncryption: + description: >- + Disable token encryption. When set to true, both the + access token and the ID token will be stored in plain + text. + + This option should only be used in secure environments + where token encryption is not required. + + Default is false (tokens are encrypted). + type: boolean + forwardAccessToken: + description: >- + ForwardAccessToken indicates whether the Envoy should + forward the access token + + via the Authorization header Bearer scheme to the + upstream. + + If not specified, defaults to false. + type: boolean + logoutPath: + description: >- + The path to log a user out, clearing their credential + cookies. + + + If not specified, uses a default logout path "/logout" + type: string + passThroughAuthHeader: + description: >- + Skips OIDC authentication when the request contains a + header that will be extracted by the JWT filter. 
Unless + + explicitly stated otherwise in the extractFrom field, + this will be the "Authorization: Bearer ..." header. + + + The passThroughAuthHeader option is typically used for + non-browser clients that may not be able to handle OIDC + + redirects and wish to directly supply a token instead. + + + If not specified, defaults to false. + type: boolean + provider: + description: The OIDC Provider configuration. + properties: + authorizationEndpoint: + description: >- + The OIDC Provider's [authorization + endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint). + + If not provided, EG will try to discover it from the + provider's [Well-Known Configuration + Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). + type: string + backendRef: + description: >- + BackendRef references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. 
+ + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + backendRefs: + description: >- + BackendRefs references a Kubernetes object that + represents the + + backend server to which the authorization request + will be sent. + items: + description: >- + BackendRef defines how an ObjectReference that is + specific to BackendRef. + properties: + fallback: + description: >- + Fallback indicates whether the backend is + designated as a fallback. + + Multiple fallback backends can be configured. 
+ + It is highly recommended to configure active + or passive health checks to ensure that + failover can be detected + + when the active backends become unhealthy and + to automatically readjust once the primary + backends are healthy again. + + The overprovisioning factor is set to 1.4, + meaning the fallback backends will only start + receiving traffic when + + the health of the active backends falls below + 72%. + type: boolean + group: + default: '' + description: >- + Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are + difficult to reason about in + + terms of conformance. They also may not be + safe to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services + with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of + all weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. + If weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + type: array + backendSettings: + description: >- + BackendSettings holds configuration for managing the + connection + + to the backend. + properties: + circuitBreaker: + description: >- + Circuit Breaker settings for the upstream + connections and requests. 
+ + If not set, circuit breakers will be enabled + with the default thresholds + properties: + maxConnections: + default: 1024 + description: >- + The maximum number of connections that Envoy + will establish to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: >- + The maximum number of parallel requests that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: >- + The maximum number of parallel retries that + Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: >- + The maximum number of pending requests that + Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: >- + The maximum number of requests that Envoy + will make over a single connection to the + referenced backend defined within a xRoute + rule. + + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + perEndpoint: + description: >- + PerEndpoint defines Circuit Breakers that + will apply per-endpoint for an upstream + cluster + properties: + maxConnections: + default: 1024 + description: >- + MaxConnections configures the maximum + number of connections that Envoy will + establish per-endpoint to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: object + connection: + description: Connection includes backend connection settings. 
+ properties: + bufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + BufferLimit Soft limit on size of the + cluster’s connections read and write + buffers. + + BufferLimit applies to connection streaming + (maybe non-streaming) channel between + processes, it's in user space. + + If unspecified, an implementation defined + default is applied (32768 bytes). + + For example, 20Mi, 1Gi, 256Ki etc. + + Note: that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + preconnect: + description: >- + Preconnect configures proactive upstream + connections to reduce latency by + establishing + + connections before they’re needed and + avoiding connection establishment overhead. + + + If unset, Envoy will fetch connections as + needed to serve in-flight requests. + properties: + perEndpointPercent: + description: >- + PerEndpointPercent configures how many + additional connections to maintain per + + upstream endpoint, useful for high-QPS + or latency sensitive services. Expressed + as a + + percentage of the connections required + by active streams + + (e.g. 100 = preconnect disabled, 105 = + 1.05x connections per-endpoint, 200 = + 2.00×). + + + Allowed value range is between 100-300. + When both PerEndpointPercent and + + PredictivePercent are set, Envoy ensures + both are satisfied (max of the two). + format: int32 + maximum: 300 + minimum: 100 + type: integer + predictivePercent: + description: >- + PredictivePercent configures how many + additional connections to maintain + + across the cluster by anticipating which + upstream endpoint the load balancer + + will select next, useful for low-QPS + services. Relies on deterministic + + loadbalancing and is only supported with + Random or RoundRobin. 
+ + Expressed as a percentage of the + connections required by active streams + + (e.g. 100 = 1.0 (no preconnect), 105 = + 1.05× connections across the cluster, + 200 = 2.00×). + + + Minimum allowed value is 100. When both + PerEndpointPercent and PredictivePercent + are + + set Envoy ensures both are satisfied per + host (max of the two). + format: int32 + minimum: 100 + type: integer + type: object + socketBufferLimit: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + SocketBufferLimit provides configuration for + the maximum buffer size in bytes for each + socket + + to backend. + + SocketBufferLimit applies to socket + streaming channel between TCP/IP stacks, + it's in kernel space. + + For example, 20Mi, 1Gi, 256Ki etc. + + Note that when the suffix is not provided, + the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: >- + DNSRefreshRate specifies the rate at which + DNS records should be refreshed. + + Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + lookupFamily: + description: >- + LookupFamily determines how Envoy would + resolve DNS for Routes where the backend is + specified as a fully qualified domain name + (FQDN). + + If set, this configuration overrides other + defaults. + enum: + - IPv4 + - IPv6 + - IPv4Preferred + - IPv6Preferred + - IPv4AndIPv6 + type: string + respectDnsTtl: + description: >- + RespectDNSTTL indicates whether the DNS + Time-To-Live (TTL) should be respected. + + If the value is set to true, the DNS refresh + rate will be set to the resource record’s + TTL. + + Defaults to true. 
+ type: boolean + type: object + healthCheck: + description: >- + HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: >- + GRPC defines the configuration of the + GRPC health checker. + + It's optional, and can only be used if + the specified type is GRPC. + properties: + service: + description: >- + Service to send in the health check + request. + + If this is not specified, then the + health check request applies to the + entire + + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: >- + HealthyThreshold defines the number of + healthy health checks required before a + backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: >- + HTTP defines the configuration of http + health checker. + + It's required while the health checker + type is HTTP. + properties: + expectedResponse: + description: >- + ExpectedResponse defines a list of HTTP + expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + expectedStatuses: + description: >- + ExpectedStatuses defines a list of HTTP + response statuses considered healthy. 
+ + Defaults to 200 only + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + hostname: + description: >- + Hostname defines the HTTP Host header + used for active HTTP health checks. + + Host selection uses this order: this + field, the associated Backend endpoint + + hostname if available, then the + effective Route hostname. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + method: + description: >- + Method defines the HTTP method used for + health checking. + + Defaults to GET + type: string + path: + description: >- + Path defines the HTTP path that will be + requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + initialJitter: + description: >- + InitialJitter defines the maximum time + Envoy will wait before the first health + check. + + Envoy will randomly select a value + between 0 and the initial jitter value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + default: 3s + description: >- + Interval defines the time between active + health checks. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + tcp: + description: >- + TCP defines the configuration of tcp + health checker. + + It's required while the health checker + type is TCP. + properties: + receive: + description: >- + Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? 
has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If payload type is Text, text field + needs to be set. + rule: >- + self.type == 'Text' ? has(self.text) : + !has(self.text) + - message: >- + If payload type is Binary, binary field + needs to be set. + rule: >- + self.type == 'Binary' ? has(self.binary) + : !has(self.binary) + type: object + timeout: + default: 1s + description: >- + Timeout defines the time to wait for a + health check response. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: >- + UnhealthyThreshold defines the number of + unhealthy health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If Health Checker type is HTTP, http + field needs to be set. + rule: >- + self.type == 'HTTP' ? has(self.http) : + !has(self.http) + - message: >- + If Health Checker type is TCP, tcp field + needs to be set. + rule: >- + self.type == 'TCP' ? has(self.tcp) : + !has(self.tcp) + - message: >- + The grpc field can only be set if the + Health Checker type is GRPC. + rule: >- + has(self.grpc) ? 
self.type == 'GRPC' : + true + panicThreshold: + description: >- + When number of unhealthy endpoints for a + backend reaches this threshold + + Envoy will disregard health status and + balance across all endpoints. + + It's designed to prevent a situation in + which host failures cascade throughout the + cluster + + as load increases. If not set, the default + value is 50%. To disable panic mode, set + value to `0`. + format: int32 + maximum: 100 + minimum: 0 + type: integer + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: >- + BaseEjectionTime defines the base + duration for which a host will be + ejected on consecutive failures. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + consecutive5XxErrors: + default: 5 + description: >- + Consecutive5xxErrors sets the number of + consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + description: >- + ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: >- + ConsecutiveLocalOriginFailures sets the + number of consecutive local origin + failures triggering ejection. + + Parameter takes effect only when + split_external_local_origin_errors is + set to true. + format: int32 + type: integer + failurePercentageThreshold: + description: >- + FailurePercentageThreshold sets the + failure percentage threshold for outlier + detection. + + If the failure percentage of a given + host is greater than or equal to this + value, it will be ejected. + + Defaults to 85. + format: int32 + maximum: 100 + minimum: 0 + type: integer + interval: + default: 3s + description: >- + Interval defines the time between + passive health checks. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxEjectionPercent: + default: 10 + description: >- + MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that + can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: >- + SplitExternalLocalOriginErrors enables + splitting of errors between external and + local origin. + type: boolean + type: object + type: object + http2: + description: >- + HTTP2 provides HTTP/2 configuration for backend + connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialConnectionWindowSize sets the initial + window size for HTTP/2 connections. + + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: >- + ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: >- + InitialStreamWindowSize sets the initial + window size for HTTP/2 streams. + + If not set, the default value is 64 + KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: >- + MaxConcurrentStreams sets the maximum number + of concurrent streams allowed per + connection. + + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: >- + OnInvalidMessage determines if Envoy will + terminate the connection or just the + offending stream in the event of HTTP + messaging error + + It's recommended for L2 Envoy deployments to + set this value to TerminateStream. 
+ + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: >- + LoadBalancer policy to apply when routing + traffic from the gateway to + + the backend endpoints. Defaults to + `LeastRequest`. + properties: + consistentHash: + description: >- + ConsistentHash defines the configuration + when the load balancer type is + + set to ConsistentHash + properties: + cookie: + description: >- + Cookie configures the cookie hash policy + when the consistent hash type is set to + Cookie. + properties: + attributes: + additionalProperties: + type: string + description: >- + Additional Attributes to set for the + generated cookie. + type: object + name: + description: >- + Name of the cookie to hash. + + If this cookie does not exist in the + request, Envoy will generate a cookie + and set + + the TTL on the response back to the + client based on Layer 4 + + attributes of the backend endpoint, to + ensure that these future requests + + go to the same backend endpoint. Make + sure to set the TTL field for this case. + type: string + ttl: + description: >- + TTL of the generated cookie if the + cookie is not present. This value sets + the + + Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - name + type: object + header: + description: >- + Header configures the header hash policy + when the consistent hash type is set to + Header. + + + Deprecated: use Headers instead + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + headers: + description: >- + Headers configures the header hash + policy for each header, when the + consistent hash type is set to Headers. + items: + description: >- + Header defines the header hashing + configuration for consistent hash based + + load balancing. + properties: + name: + description: Name of the header to hash. 
+ type: string + required: + - name + type: object + type: array + queryParams: + description: >- + QueryParams configures the query + parameter hash policy when the + consistent hash type is set to + QueryParams. + items: + description: >- + QueryParam defines the query parameter + name hashing configuration for + consistent hash based + + load balancing. + properties: + name: + description: Name of the query param to hash. + type: string + required: + - name + type: object + type: array + tableSize: + default: 65537 + description: >- + The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: >- + ConsistentHashType defines the type of + input to hash on. Valid Type values are + + "SourceIP", + + "Header", + + "Headers", + + "Cookie". + + "QueryParams". + enum: + - SourceIP + - Header + - Headers + - Cookie + - QueryParams + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If consistent hash type is header, the + header field must be set. + rule: >- + self.type == 'Header' ? has(self.header) + : !has(self.header) + - message: >- + If consistent hash type is headers, the + headers field must be set. + rule: >- + self.type == 'Headers' ? + has(self.headers) : !has(self.headers) + - message: >- + If consistent hash type is cookie, the + cookie field must be set. + rule: >- + self.type == 'Cookie' ? has(self.cookie) + : !has(self.cookie) + - message: >- + If consistent hash type is queryParams, + the queryParams field must be set. + rule: >- + self.type == 'QueryParams' ? + has(self.queryParams) : + !has(self.queryParams) + endpointOverride: + description: >- + EndpointOverride defines the configuration + for endpoint override. + + When specified, the load balancer will + attempt to route requests to endpoints + + based on the override information extracted + from request headers or metadata. 
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback. + properties: + extractFrom: + description: >- + ExtractFrom defines the sources to + extract endpoint override information + from. + items: + description: >- + EndpointOverrideExtractFrom defines a + source to extract endpoint override + information from. + properties: + header: + description: >- + Header defines the header to get the + override endpoint addresses. + + The header value must specify at least + one endpoint in `IP:Port` format or + multiple endpoints in + `IP:Port,IP:Port,...` format. + + For example `10.0.0.5:8080` or + `[2600:4040:5204::1574:24ae]:80`. + + The IPv6 address is enclosed in square + brackets. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + required: + - extractFrom + type: object + slowStart: + description: >- + SlowStart defines the configuration related + to the slow start load balancer policy. + + If set, during slow start window, traffic + sent to the newly added hosts will gradually + increase. + + Currently this is only supported for + RoundRobin and LeastRequest load balancers + properties: + window: + description: >- + Window defines the duration of the warm + up period for newly added host. + + During slow start window, traffic sent + to the newly added hosts will gradually + increase. + + Currently only supports linear growth of + traffic. For additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - window + type: object + type: + description: >- + Type decides the type of Load Balancer + policy. + + Valid LoadBalancerType values are + + "ConsistentHash", + + "LeastRequest", + + "Random", + + "RoundRobin". 
+ enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + zoneAware: + description: >- + ZoneAware defines the configuration related + to the distribution of requests between + locality zones. + properties: + preferLocal: + description: >- + PreferLocalZone configures zone-aware + routing to prefer sending traffic to the + local locality zone. + properties: + force: + description: >- + ForceLocalZone defines override + configuration for forcing all traffic to + stay within the local zone instead of + the default behavior + + which maintains equal distribution among + upstream endpoints while sending as much + traffic as possible locally. + properties: + minEndpointsInZoneThreshold: + description: >- + MinEndpointsInZoneThreshold is the + minimum number of upstream endpoints in + the local zone required to honor the + forceLocalZone + + override. This is useful for protecting + zones with fewer endpoints. + format: int32 + type: integer + type: object + minEndpointsThreshold: + description: >- + MinEndpointsThreshold is the minimum + number of total upstream endpoints + across all zones required to enable + zone-aware routing. + format: int64 + type: integer + percentageEnabled: + description: >- + Configures percentage of requests that + will be considered for zone aware + routing if zone aware routing is + configured. If not specified, Envoy + defaults to 100%. + format: int32 + maximum: 100 + minimum: 0 + type: integer + type: object + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: >- + If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: >- + self.type == 'ConsistentHash' ? + has(self.consistentHash) : + !has(self.consistentHash) + - message: >- + Currently SlowStart is only supported for + RoundRobin and LeastRequest load balancers. + rule: >- + self.type in ['Random', 'ConsistentHash'] ? 
+ !has(self.slowStart) : true + - message: >- + Currently ZoneAware is only supported for + LeastRequest, Random, and RoundRobin load + balancers. + rule: >- + self.type == 'ConsistentHash' ? + !has(self.zoneAware) : true + proxyProtocol: + description: >- + ProxyProtocol enables the Proxy Protocol when + communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: >- + Retry provides more advanced usage, allowing + users to customize the number of retries, retry + fallback strategy, and retry triggering + conditions. + + If not set, retry will be disabled. + properties: + numAttemptsPerPriority: + description: >- + NumAttemptsPerPriority defines the number of + requests (initial attempt + retries) + + that should be sent to the same priority + before switching to a different one. + + If not specified or set to 0, all requests + are sent to the highest priority that is + healthy. + format: int32 + type: integer + numRetries: + default: 2 + description: >- + NumRetries is the number of retries to be + attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: >- + PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: >- + Backoff is the backoff policy to be + applied per retry attempt. gateway uses + a fully jittered exponential + + back-off algorithm for retries. For + additional details, + + see + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: >- + BaseInterval is the base interval + between retries. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxInterval: + description: >- + MaxInterval is the maximum interval + between retries. 
This parameter is + optional, but must be greater than or + equal to the base_interval if set. + + The default is 10 times the + base_interval + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + timeout: + description: >- + Timeout is the timeout per retry + attempt. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + retryOn: + description: >- + RetryOn specifies the retry trigger + condition. + + + If not specified, the default is to retry on + connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: >- + HttpStatusCodes specifies the http + status codes to be retried. + + The retriable-status-codes trigger must + also be configured for these status + codes to trigger a retry. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array + triggers: + description: >- + Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: >- + TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - reset-before-request + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: >- + TcpKeepalive settings associated with the + upstream client connection. + + Disabled by default. + properties: + idleTime: + description: >- + The duration a connection needs to be idle + before keep-alive + + probes start being sent. + + The duration format is + + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: >- + The total number of unacknowledged probes to + send before deciding + + the connection is dead. + + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: >- + The idle timeout for an HTTP connection. + Idle time is defined as a period in + which there are no active requests in + the connection. + + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: >- + The maximum duration of an HTTP + connection. + + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxStreamDuration: + description: >- + MaxStreamDuration is the maximum + duration for a stream to complete. This + timeout measures the time + + from when the request is sent until the + response stream is fully consumed and + does not apply to + + non-streaming requests. + + When set to "0s", no max duration is + applied and streams can run + indefinitely. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + requestTimeout: + description: >- + RequestTimeout is the time until which + entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: >- + The timeout for network connection + establishment, including TCP and TLS + handshakes. + + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: >- + predictivePercent in preconnect policy only + works with RoundRobin or Random load balancers + rule: >- + !((has(self.connection) && + has(self.connection.preconnect) && + has(self.connection.preconnect.predictivePercent)) + && !(has(self.loadBalancer) && + has(self.loadBalancer.type) && + self.loadBalancer.type in ['Random', + 'RoundRobin'])) + endSessionEndpoint: + description: >- + The OIDC Provider's [end session + endpoint](https://openid.net/specs/openid-connect-core-1_0.html#RPLogout). + + + If the end session endpoint is provided, EG will use + it to log out the user from the OIDC Provider when + the user accesses the logout path. + + EG will also try to discover the end session + endpoint from the provider's [Well-Known + Configuration + Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse) + when authorizationEndpoint or tokenEndpoint is not + provided. + type: string + issuer: + description: >- + The OIDC Provider's [issuer + identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery). + + Issuer MUST be a URI RFC 3986 [RFC3986] with a + scheme component that MUST + + be https, a host component, and optionally, port and + path components and + + no query or fragment components. + minLength: 1 + type: string + tokenEndpoint: + description: >- + The OIDC Provider's [token + endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). + + If not provided, EG will try to discover it from the + provider's [Well-Known Configuration + Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). + type: string + required: + - issuer + type: object + x-kubernetes-validations: + - message: >- + BackendRefs must be used, backendRef is not + supported. 
+ rule: '!has(self.backendRef)' + - message: Retry timeout is not supported. + rule: >- + has(self.backendSettings)? + (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)? + !has(self.backendSettings.retry.perRetry.timeout):true):true):true + - message: HTTPStatusCodes is not supported. + rule: >- + has(self.backendSettings)? + (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)? + !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true + redirectURL: + description: >- + The redirect URL to be used in the OIDC + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + If not specified, uses the default redirect URI + "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" + type: string + refreshToken: + default: true + description: >- + RefreshToken indicates whether the Envoy should + automatically refresh the + + id token and access token when they expire. + + When set to true, the Envoy will use the refresh token + to get a new id token + + and access token when they expire. + + + If not specified, defaults to true. + type: boolean + resources: + description: >- + The OIDC resources to be used in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + items: + type: string + type: array + scopes: + description: >- + The OIDC scopes to be used in the + + [Authentication + Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + + The "openid" scope is always added to the list of scopes + if not already + + specified. 
+ items: + type: string + type: array + required: + - clientSecret + - provider + type: object + x-kubernetes-validations: + - message: only one of clientID or clientIDRef must be set + rule: >- + (has(self.clientID) && !has(self.clientIDRef)) || + (!has(self.clientID) && has(self.clientIDRef)) + targetRef: + description: >- + TargetRef is the name of the resource this policy is being + attached to. + + This policy and the TargetRef MUST be in the same namespace + for this + + Policy to have effect + + + Deprecated: use targetRefs/targetSelectors instead + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire resource. + In the following + + resources, SectionName is interpreted as the following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on the + targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + targetRefs: + description: >- + TargetRefs are the names of the Gateway resources this + policy + + is being attached to. 
+ items: + description: >- + LocalPolicyTargetReferenceWithSectionName identifies an + API object to apply a + + direct policy to. This should be used as part of Policy + resources that can + + target single resources. For more information on how this + policy attachment + + mode works, and a sample Policy resource, refer to the + policy attachment + + documentation for Gateway API. + + + Note: This should only be used for direct policy + attachment when references + + to SectionName are actually needed. In all other cases, + + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: >- + SectionName is the name of a section within the target + resource. When + + unspecified, this targetRef targets the entire + resource. In the following + + resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name + + * HTTPRoute: HTTPRouteRule name + + * Service: Port name + + + If a SectionName is specified, but does not exist on + the targeted object, + + the Policy must fail to attach, and the policy + implementation should record + + a `ResolvedRefs` or similar Condition in the Policy's + status. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + type: array + targetSelectors: + description: >- + TargetSelectors allow targeting resources for this policy + based on labels + items: + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group that this selector targets. + Defaults to gateway.networking.k8s.io + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the resource kind that this selector targets. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + matchExpressions: + description: >- + MatchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that + + relates the key and values. + properties: + key: + description: >- + key is the label key that the selector applies + to. + type: string + operator: + description: >- + operator represents a key's relationship to a + set of values. + + Valid operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, + + the values array must be non-empty. If the + operator is Exists or DoesNotExist, + + the values array must be empty. This array is + replaced during a strategic + + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: >- + MatchLabels are the set of label selectors for + identifying the targeted resource + type: object + required: + - kind + type: object + x-kubernetes-validations: + - message: group must be gateway.networking.k8s.io + rule: >- + has(self.group) ? self.group == + 'gateway.networking.k8s.io' : true + type: array + type: object + x-kubernetes-validations: + - message: either targetRef or targetRefs must be used + rule: >- + (has(self.targetRef) && !has(self.targetRefs)) || + (!has(self.targetRef) && has(self.targetRefs)) || + (has(self.targetSelectors) && self.targetSelectors.size() > + 0) + - message: >- + this policy can only have a targetRef.group of + gateway.networking.k8s.io + rule: >- + has(self.targetRef) ? self.targetRef.group == + 'gateway.networking.k8s.io' : true + - message: >- + this policy can only have a targetRef.kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute + rule: >- + has(self.targetRef) ? self.targetRef.kind in ['Gateway', + 'HTTPRoute', 'GRPCRoute', 'TCPRoute'] : true + - message: >- + this policy can only have a targetRefs[*].group of + gateway.networking.k8s.io + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == + 'gateway.networking.k8s.io') : true + - message: >- + this policy can only have a targetRefs[*].kind of + Gateway/HTTPRoute/GRPCRoute/TCPRoute + rule: >- + has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in + ['Gateway', 'HTTPRoute', 'GRPCRoute', 'TCPRoute']) : true + - message: >- + if authorization.rules.principal.jwt is used, jwt must be + defined + rule: >- + (has(self.authorization) && has(self.authorization.rules) && + self.authorization.rules.exists(r, has(r.principal.jwt))) ? 
+ has(self.jwt) : true + status: + description: Status defines the current status of SecurityPolicy. + properties: + ancestors: + description: >- + Ancestors is a list of ancestor resources (usually Gateways) + that are + + associated with the policy, and the status of the policy + with respect to + + each ancestor. When this policy attaches to a parent, the + controller that + + manages the parent and the ancestors MUST add an entry to + this list when + + the controller first sees the policy and SHOULD update the + entry as + + appropriate when the relevant ancestor is modified. + + + Note that choosing the relevant ancestor is left to the + Policy designers; + + an important part of Policy design is designing the right + object level at + + which to namespace this status. + + + Note also that implementations MUST ONLY populate ancestor + status for + + the Ancestor resources they are responsible for. + Implementations MUST + + use the ControllerName field to uniquely identify the + entries in this list + + that they are responsible for. + + + Note that to achieve this, the list of PolicyAncestorStatus + structs + + MUST be treated as a map with a composite key, made up of + the AncestorRef + + and ControllerName fields combined. + + + A maximum of 16 ancestors will be represented in this list. + An empty list + + means the Policy is not relevant for any ancestors. + + + If this slice is full, implementations MUST NOT add further + entries. + + Instead they MUST consider the policy unimplementable and + signal that + + on any related resources such as the ancestor that would be + referenced + + here. For example, if this list was full on + BackendTLSPolicy, no + + additional Gateways would be able to reference the Service + targeted by + + the BackendTLSPolicy. + items: + description: >- + PolicyAncestorStatus describes the status of a route with + respect to an + + associated Ancestor. 
+ + + Ancestors refer to objects that are either the Target of a + policy or above it + + in terms of object hierarchy. For example, if a policy + targets a Service, the + + Policy's Ancestors are, in order, the Service, the + HTTPRoute, the Gateway, and + + the GatewayClass. Almost always, in this hierarchy, the + Gateway will be the most + + useful object to place Policy status on, so we recommend + that implementations + + SHOULD use Gateway as the PolicyAncestorStatus object + unless the designers + + have a _very_ good reason otherwise. + + + In the context of policy attachment, the Ancestor is used + to distinguish which + + resource results in a distinct application of this policy. + For example, if a policy + + targets a Service, it may have a distinct result per + attached Gateway. + + + Policies targeting the same resource may have different + effects depending on the + + ancestors of those resources. For example, different + Gateways targeting the same + + Service may have different capabilities, especially if + they have different underlying + + implementations. + + + For example, in BackendTLSPolicy, the Policy attaches to a + Service that is + + used as a backend in a HTTPRoute that is itself attached + to a Gateway. + + In this case, the relevant object for status is the + Gateway, and that is the + + ancestor object referred to in this status. + + + Note that a parent is also an ancestor, so for objects + where the parent is the + + relevant object for status, this struct SHOULD still be + used. + + + This struct is intended to be used in a slice that's + effectively a map, + + with a composite key made up of the AncestorRef and the + ControllerName. + properties: + ancestorRef: + description: >- + AncestorRef corresponds with a ParentRef in the spec + that this + + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. 
+ + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + + + ParentRefs from a Route to a Service in the same + namespace are "producer" + + routes, which apply default routing rules to + inbound connections from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a + different namespace are + + "consumer" routes, and these routing rules are + only applied to outbound + + connections originating from the same namespace as + the Route, for which + + the intended destination of the connections are a + Service targeted as a + + ParentRef of the Route. 
+ + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + + + When the parent resource is a Service, this + targets a specific port in the + + Service spec. When both Port (experimental) and + SectionName are specified, + + the name and port of the selected port must match + both specified values. + + + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. 
In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: >- + Conditions describes the status of the Policy with + respect to the given Ancestor. + + + + + + Notes for implementors: + + + Conditions are a listType `map`, which means that they + function like a + + map with a key of the `type` field _in the k8s + apiserver_. + + + This means that implementations must obey some rules + when updating this + + section. + + + * Implementations MUST perform a read-modify-write + cycle on this field + before modifying it. 
That is, when modifying this field, implementations + must be confident they have fetched the most recent version of this field, + and ensure that changes they make are on that recent version. + * Implementations MUST NOT remove or reorder + Conditions that they are not + directly responsible for. For example, if an implementation sees a Condition + with type `special.io/SomeField`, it MUST NOT remove, change or update that + Condition. + * Implementations MUST always _merge_ changes into + Conditions of the same Type, + rather than creating more than one Condition of the same Type. + * Implementations MUST always update the + `observedGeneration` field of the + Condition to the `metadata.generation` of the Gateway at the time of update creation. + * If the `observedGeneration` of a Condition is + _greater than_ the value the + implementation knows about, then it MUST NOT perform the update on that Condition, + but must wait for a future reconciliation and status update. (The assumption is that + the implementation's copy of the object is stale and an update will be re-triggered + if relevant.) + + + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. 
+ + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}
diff --git a/_/CustomResourceDefinition/tlsroutes.gateway.networking.k8s.io.yaml b/_/CustomResourceDefinition/tlsroutes.gateway.networking.k8s.io.yaml
new file mode 100644
index 0000000..7202c7e
--- /dev/null
+++ b/_/CustomResourceDefinition/tlsroutes.gateway.networking.k8s.io.yaml
@@ -0,0 +1,3621 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: standard + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: >- + The TLSRoute resource is similar to TCPRoute, but can be configured + + to match against TLS-specific metadata. This allows more flexibility + + in matching streams for a given TLS listener. + + + If you need to forward traffic to a single target for a TLS + listener, you + + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. 
+ properties: + hostnames: + description: >- + Hostnames defines a set of SNI hostnames that should match + against the + + SNI attribute of TLS ClientHello message in TLS handshake. + This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + + 1. IPs are not allowed in SNI hostnames per RFC 6066. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: >- + self.all(h, !h.contains('*') ? + h.matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$') + : true) + - message: >- + Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: >- + self.all(h, h.contains('*') ? 
(h.startsWith('*.') && + h.substring(2).matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$')) + : true) + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. 
+ * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. 
If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. 
If unspecified or invalid (refers to a + nonexistent resource or + + a Service with no endpoints), the rule performs no + forwarding; if no + + filters are specified that would result in a response + being sent, the + + underlying implementation must actively reject request + attempts to this + + backend, by rejecting the connection. Request + rejections must respect + + weight; if an invalid backend is requested to have 80% + of requests, then + + 80% of requests must be rejected instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Extended + items: + description: >- + BackendRef defines how a Route should forward a + request to a Kubernetes + + resource. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Note that when the BackendTLSPolicy object is + enabled by the implementation, + + there are some extra rules about validity to + consider here. See the fields + + where this struct is used for more information about + the exact behavior. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. 
They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. 
+ + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. 
+ An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). 
+ + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. 
For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. 
When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: >- + The v1alpha2 version of TLSRoute has been deprecated and will be removed + in a future release of the API. Please upgrade to v1. 
+ name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: >- + Hostnames defines a set of SNI names that should match + against the + + SNI attribute of TLS ClientHello message in TLS handshake. + This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + + 1. IPs are not allowed in SNI names per RFC 6066. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and + TLSRoute, there + + must be at least one intersecting hostname for the TLSRoute + to be + + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches + TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. 
+ * A Listener with `*.example.com` as the hostname matches + TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, + any + + TLSRoute hostnames that do not match the Listener hostname + MUST be + + ignored. For example, if a Listener specified + `*.example.com`, and the + + TLSRoute specified `test.example.com` and + `test.example.net`, + + `test.example.net` must not be considered for a match. + + + If both the Listener and TLSRoute have specified hostnames, + and none + + match with the criteria above, then the TLSRoute is not + accepted. The + + implementation must raise an 'Accepted' Condition with a + status of + + `False` in the corresponding RouteParentStatus. + + + Support: Core + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. 
+ * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. + items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. 
If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? + ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. 
If unspecified or invalid (refers to a + nonexistent resource or + + a Service with no endpoints), the rule performs no + forwarding; if no + + filters are specified that would result in a response + being sent, the + + underlying implementation must actively reject request + attempts to this + + backend, by rejecting the connection. Request + rejections must respect + + weight; if an invalid backend is requested to have 80% + of requests, then + + 80% of requests must be rejected instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Extended + items: + description: >- + BackendRef defines how a Route should forward a + request to a Kubernetes + + resource. + + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Note that when the BackendTLSPolicy object is + enabled by the implementation, + + there are some extra rules about validity to + consider here. See the fields + + where this struct is used for more information about + the exact behavior. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. 
They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. 
+ + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. This name MUST be + unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. 
+ items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. 
+ + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. 
+ maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. 
When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, the + + Route MUST be considered detached from the + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: >- + The v1alpha3 version of TLSRoute has been deprecated and will be removed + in a future release of the API. Please upgrade to v1. + name: v1alpha3 + schema: + openAPIV3Schema: + description: >- + The TLSRoute resource is similar to TCPRoute, but can be configured + + to match against TLS-specific metadata. This allows more flexibility + + in matching streams for a given TLS listener. 
+ + + If you need to forward traffic to a single target for a TLS + listener, you + + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal + value, and + + may reject unrecognized values. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits + requests to. + + Cannot be updated. + + In CamelCase. + + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: >- + Hostnames defines a set of SNI hostnames that should match + against the + + SNI attribute of TLS ClientHello message in TLS handshake. + This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + + 1. IPs are not allowed in SNI hostnames per RFC 6066. + + 2. A hostname may be prefixed with a wildcard label (`*.`). + The wildcard + label must appear by itself as the first label. + items: + description: >- + Hostname is the fully qualified domain name of a network + host. This matches + + the RFC 1123 definition of a hostname with 2 notable + exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without + the terminating + + dot of a network host (e.g. "foo.example.com") or + "wildcard", which is a + + domain name prefixed with a single wildcard label (e.g. + `*.example.com`). 
+ + + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case + + alphanumeric characters or '-', and must start and end + with an alphanumeric + + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: >- + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: >- + self.all(h, !h.contains('*') ? + h.matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$') + : true) + - message: >- + Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: >- + self.all(h, h.contains('*') ? (h.startsWith('*.') && + h.substring(2).matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$')) + : true) + parentRefs: + description: >- + ParentRefs references the resources (usually Gateways) that + a Route wants + + to be attached to. Note that the referenced parent resource + needs to + + allow this for the attachment to be complete. For Gateways, + that means + + the Gateway needs to allow attachment from Routes of this + kind and + + namespace. For Services, that means the Service must either + be in the same + + namespace for a "producer" route, or the mesh implementation + must support + + and allow "consumer" routes for the referenced Service. + ReferenceGrant is + + not applicable for governing ParentRefs to Services - it is + not possible to + + create a "producer" route for a Service in a different + namespace from the + + Route. 
+ + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support additional + kinds of parent + + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then + parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each + optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs + referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing + the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all + ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct + objects that may + + be collapsed by an implementation. For example, some + implementations may + + choose to merge compatible Gateway Listeners together. If + that is the + + case, the list of routes attached to those resources should + also be + + merged. + + + Note that for ParentRefs that cross namespace boundaries, + there are specific + + rules. Cross-namespace references are only valid if they are + explicitly + + allowed by something in the namespace they are referring to. + For example, + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable other kinds of cross-namespace + reference. 
+ items: + description: >- + ParentReference identifies an API object (usually a + Gateway) that can be considered + + a parent of this resource (usually a route). There are two + kinds of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + This API may be extended in the future to support + additional kinds of parent + + resources. + + + The API object must be valid in the cluster; the Group and + Kind must + + be registered in the cluster for this reference to be + valid. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" + support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are + referring to. 
For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It can be + interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets + all listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It's not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply + to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port of + the selected listener + + must match both specified values. + + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept attachment + from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the target + resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. 
When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how + SectionName is + + interpreted. + + + When unspecified (empty string), this will reference + the entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. + For example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners + accept attachment from + + the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment + from this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: >- + sectionName must be specified when parentRefs includes 2 + or more references to the same parent + rule: >- + self.all(p1, self.all(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? 
+ ((!has(p1.sectionName) || p1.sectionName == '') == + (!has(p2.sectionName) || p2.sectionName == '')) : true)) + - message: >- + sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: >- + self.all(p1, self.exists_one(p2, p1.group == p2.group && + p1.kind == p2.kind && p1.name == p2.name && + (((!has(p1.__namespace__) || p1.__namespace__ == '') && + (!has(p2.__namespace__) || p2.__namespace__ == '')) || + (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && + (((!has(p1.sectionName) || p1.sectionName == '') && + (!has(p2.sectionName) || p2.sectionName == '')) || + (has(p1.sectionName) && has(p2.sectionName) && + p1.sectionName == p2.sectionName)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: >- + BackendRefs defines the backend(s) where matching + requests should be + + sent. If unspecified or invalid (refers to a + nonexistent resource or + + a Service with no endpoints), the rule performs no + forwarding; if no + + filters are specified that would result in a response + being sent, the + + underlying implementation must actively reject request + attempts to this + + backend, by rejecting the connection. Request + rejections must respect + + weight; if an invalid backend is requested to have 80% + of requests, then + + 80% of requests must be rejected instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other + resource + + + Support for weight: Extended + items: + description: >- + BackendRef defines how a Route should forward a + request to a Kubernetes + + resource. 
+ + + Note that when a namespace different than the local + namespace is specified, a + + ReferenceGrant object is required in the referent + namespace to allow that + + namespace's owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Note that when the BackendTLSPolicy object is + enabled by the implementation, + + there are some extra rules about validity to + consider here. See the fields + + where this struct is used for more information about + the exact behavior. + properties: + group: + default: '' + description: >- + Group is the group of the referent. For example, + "gateway.networking.k8s.io". + + When unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: >- + Kind is the Kubernetes resource kind of the + referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS + records that may live + + outside of the cluster and as such are difficult + to reason about in + + terms of conformance. They also may not be safe + to forward to (see + + CVE-2021-25740 for more information). + Implementations SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than + ExternalName) + + + Support: Implementation-specific (Services with + type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the backend. When + unspecified, the local + + namespace is inferred. 
+ + + Note that when a namespace different than the + local namespace is specified, + + a ReferenceGrant object is required in the + referent namespace to allow that + + namespace's owner to accept the reference. See + the ReferenceGrant + + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port specifies the destination port number to + use for this resource. + + Port is required when the referent is a + Kubernetes Service. In this + + case, the port number is the service port + number, not the target port. + + For other resources, destination port might be + derived from the referent + + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: >- + Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all + weights in this + + BackendRefs list). For non-zero values, there + may be some epsilon from + + the exact proportion defined here depending on + the precision an + + implementation supports. Weight is not a + percentage and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a + weight greater than 0, 100% + + of the traffic is forwarded to that backend. If + weight is set to 0, no + + traffic should be forwarded for this entry. If + unspecified, weight + + defaults to 1. + + + Support for this field varies based on the + context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: >- + (size(self.group) == 0 && self.kind == + 'Service') ? has(self.port) : true + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: >- + Name is the name of the route rule. 
This name MUST be + unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: >- + Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with + respect to + + each parent. When this route attaches to a parent, the + controller that + + manages the parent must add an entry to this list when the + controller + + first sees the route and should update the entry as + appropriate when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an + implementation + + of this API will not be added to this list. Implementations + of this API + + can only populate Route status for the Gateways/parent + resources they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. + An empty list + + means the route has not been attached to any Gateway. + items: + description: >- + RouteParentStatus describes the status of a route with + respect to an + + associated Parent. + properties: + conditions: + description: >- + Conditions describes the status of the route with + respect to the Gateway. + + Note that the route's availability is also subject to + the Gateway's own + + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway + that supports + + Routes of this kind AND that Gateway's controller has + sufficient access, + + then that Gateway's controller MUST set the "Accepted" + condition on the + + Route, to indicate whether the route has been accepted + or rejected by the + + Gateway, and why. 
+ + + A Route MUST be considered "Accepted" if at least one + of the Route's + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" + condition may not be set + + due to lack of controller visibility, that includes + when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not + support. + + * The Route is in a namespace to which the controller + does not have access. + items: + description: >- + Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: >- + lastTransitionTime is the last time the + condition transitioned from one status to + another. + + This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. + format: date-time + type: string + message: + description: >- + message is a human readable message indicating + details about the transition. + + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: >- + observedGeneration represents the + .metadata.generation that the condition was set + based upon. + + For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date + + with respect to the current state of the + instance. + format: int64 + minimum: 0 + type: integer + reason: + description: >- + reason contains a programmatic identifier + indicating the reason for the condition's last + transition. + + Producers of specific condition types may define + expected values and meanings for this field, + + and whether the values are considered a + guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: >- + status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: >- + type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: >- + ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds + with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where + DOMAIN and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing + status. Controllers should ensure that + + entries to status populated with their ControllerName + are cleaned up when they are no + + longer necessary. + maxLength: 253 + minLength: 1 + pattern: >- + ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: >- + ParentRef corresponds with a ParentRef in the spec + that this + + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: >- + Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is + inferred. + + To set the core API group (such as for a "Service" + kind referent), + + Group must be explicitly set to "" (empty string). 
+ + + Support: Core + maxLength: 253 + pattern: >- + ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: >- + Kind is kind of the referent. + + + There are two kinds of parent resources with + "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP + Services only) + + + Support for other resources is + Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs + which cross namespace + + boundaries. Cross-namespace references are only + valid if they are explicitly + + allowed by something in the namespace they are + referring to. For example: + + Gateway has the AllowedRoutes field, and + ReferenceGrant provides a + + generic way to enable any other kind of + cross-namespace reference. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: >- + Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this + targets all listeners + + listening on the specified port that also support + this kind of Route(and + + select this Route). It's not recommended to set + `Port` unless the + + networking behaviors specified in a Route must + apply to a specific port + + as opposed to a listener(s) whose port(s) may be + changed. When both Port + + and SectionName are specified, the name and port + of the selected listener + + must match both specified values. 
+ + + Implementations MAY choose to support other parent + resources. + + Implementations supporting other types of parent + resources MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is + considered successful as + + long as the parent resource accepts it partially. + For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment + + from the referencing Route, the Route MUST be + considered successfully + + attached. If no Gateway listeners accept + attachment from this Route, + + the Route MUST be considered detached from the + Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: >- + SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as + the following: + + + * Gateway: Listener name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + * Service: Port name. When both Port + (experimental) and SectionName + + are specified, the name and port of the selected + listener must match + + both specified values. + + + Implementations MAY choose to support attaching + Routes to other resources. + + If that is the case, they MUST clearly document + how SectionName is + + interpreted. + + + When unspecified (empty string), this will + reference the entire resource. + + For the purpose of status, an attachment is + considered successful if at + + least one section in the parent resource accepts + it. For example, Gateway + + listeners can restrict which Routes can attach to + them by Route kind, + + namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from + + the referencing Route, the Route MUST be + considered successfully + + attached. 
If no Gateway listeners accept
+ attachment from this Route, the
+
+ Route MUST be considered detached from the
+ Gateway.
+
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: >-
+ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - conditions
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: false
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ''
+ plural: ''
+ conditions: null
+ storedVersions: null
diff --git a/_/MutatingWebhookConfiguration/envoy-gateway-topology-injector.envoy-gateway-system.yaml b/_/MutatingWebhookConfiguration/envoy-gateway-topology-injector.envoy-gateway-system.yaml
new file mode 100644
index 0000000..c084004
--- /dev/null
+++ b/_/MutatingWebhookConfiguration/envoy-gateway-topology-injector.envoy-gateway-system.yaml
@@ -0,0 +1,41 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ helm.sh/hook: pre-install, pre-upgrade
+ helm.sh/hook-weight: '-1'
+ labels:
+ app.kubernetes.io/component: topology-injector
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-topology-injector.envoy-gateway-system
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: envoy-gateway
+ namespace: envoy-gateway-system
+ path: /inject-pod-topology
+ port: 9443
+ failurePolicy: Ignore
+ name: topology.webhook.gateway.envoyproxy.io
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - envoy-gateway-system
+ rules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods/binding
+ sideEffects: None
diff --git a/_/Namespace/envoy-gateway-system.yaml b/_/Namespace/envoy-gateway-system.yaml
new file mode 100644
index 0000000..6f4c14b
--- /dev/null
+++ b/_/Namespace/envoy-gateway-system.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: envoy-gateway-system
diff --git a/_/ValidatingAdmissionPolicy/safe-upgrades.gateway.networking.k8s.io.yaml b/_/ValidatingAdmissionPolicy/safe-upgrades.gateway.networking.k8s.io.yaml
new file mode 100644
index 0000000..a889476
--- /dev/null
+++ b/_/ValidatingAdmissionPolicy/safe-upgrades.gateway.networking.k8s.io.yaml
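Review bot: The webhook's `clientConfig.service` block carries no `caBundle`, and combined with `failurePolicy: Ignore` this means the API server silently skips the `pods/binding` mutation whenever it cannot reach or verify `envoy-gateway:9443` — topology injection fails open with no signal other than API-server logs. Presumably a hook job populates the bundle at install time, but nothing on this resource says so, and a failed or late hook leaves a configuration that looks valid while doing nothing. Record the dependency and the fail-open choice on the resource, e.g. `# caBundle is patched in by the pre-install certgen hook; failurePolicy Ignore means a missing/invalid bundle silently disables injection`, and have the install pipeline assert the bundle is non-empty after the hooks run. The `namespaceSelector` pinning the webhook to `envoy-gateway-system` is the right scope and should stay.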
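Review bot: The `envoy-gateway-system` Namespace is created with a bare `metadata.name` and no Pod Security Admission labels, so the controller, the certgen Job, and the proxy workloads the infra-manager Role lets the controller create here are governed only by whatever cluster-wide PSA default exists. The pod specs visible in this change already meet the `restricted` profile (non-root, all capabilities dropped, `seccompProfile: RuntimeDefault`, no privilege escalation), so enforcing it costs nothing for them. Add `pod-security.kubernetes.io/enforce: restricted` (with matching `warn` and `audit` labels) under `metadata.labels`; whether the Envoy proxy pods the controller later creates also comply cannot be confirmed from this change, so start with `warn`/`audit` first if that is uncertain.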
@@ -0,0 +1,53 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ annotations:
+ gateway.networking.k8s.io/bundle-version: v1.5.0-dev
+ gateway.networking.k8s.io/channel: standard
+ name: safe-upgrades.gateway.networking.k8s.io
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - apiextensions.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - '*'
+ validations:
+ - expression: >-
+ object.spec.group != 'gateway.networking.k8s.io' || oldObject == null ||
+ ( has(object.metadata.annotations) &&
+ object.metadata.annotations.exists(k, k ==
+ 'gateway.networking.k8s.io/channel') &&
+ object.metadata.annotations['gateway.networking.k8s.io/channel'] ==
+ 'standard' ) || ( oldObject != null &&
+ has(oldObject.metadata.annotations) &&
+ oldObject.metadata.annotations.exists(k, k ==
+ 'gateway.networking.k8s.io/channel') &&
+ oldObject.metadata.annotations['gateway.networking.k8s.io/channel'] ==
+ 'experimental' )
+ message: >-
+ Installing experimental CRDs on top of standard channel CRDs is
+ prohibited by default. Uninstall ValidatingAdmissionPolicy
+ safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on
+ top of standard channel CRDs.
+ reason: Invalid
+ - expression: >-
+ object.spec.group != 'gateway.networking.k8s.io' ||
+ (has(object.metadata.annotations) &&
+ object.metadata.annotations.exists(k, k ==
+ 'gateway.networking.k8s.io/bundle-version') &&
+ !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'],
+ 'v1.[0-4].\\d+') &&
+ !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'],
+ 'v0'))
+ message: >-
+ Installing CRDs with version before v1.5.0 is prohibited by default.
+ Uninstall ValidatingAdmissionPolicy
+ safe-upgrades.gateway.networking.k8s.io to install older versions.
+ reason: Invalid
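Review bot: Both validations exempt any CRD whose `spec.group` is not exactly `gateway.networking.k8s.io`, so CRDs in the experimental `gateway.networking.x-k8s.io` group (e.g. XListenerSet, which the `ListenerSet` feature gate enabled for cert-manager in this same change suggests will be installed) pass both expressions untouched; the "standard channel only" and "no pre-v1.5.0" guarantees therefore do not cover the experimental-group CRDs, and a comment on the policy should say so. The policy and its binding are also stamped `gateway.networking.k8s.io/bundle-version: v1.5.0-dev`, i.e. a pre-release bundle, which is worth pinning to a tagged release or at least recording the reason in a comment on the resource. Note also that the second expression rejects any `gateway.networking.k8s.io` CRD that lacks the `bundle-version` annotation entirely (the `has(...) && exists(...)` chain has no exemption), which is a sound default but surprises anyone hand-applying a CRD — document it with `# CRDs in this group without a bundle-version annotation are rejected outright`.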
diff --git a/_/ValidatingAdmissionPolicyBinding/safe-upgrades.gateway.networking.k8s.io.yaml b/_/ValidatingAdmissionPolicyBinding/safe-upgrades.gateway.networking.k8s.io.yaml
new file mode 100644
index 0000000..730ce15
--- /dev/null
+++ b/_/ValidatingAdmissionPolicyBinding/safe-upgrades.gateway.networking.k8s.io.yaml
@@ -0,0 +1,22 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ annotations:
+ gateway.networking.k8s.io/bundle-version: v1.5.0-dev
+ gateway.networking.k8s.io/channel: standard
+ name: safe-upgrades.gateway.networking.k8s.io
+spec:
+ matchResources:
+ resourceRules:
+ - apiGroups:
+ - apiextensions.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - customresourcedefinitions
+ policyName: safe-upgrades.gateway.networking.k8s.io
+ validationActions:
+ - Deny
diff --git a/cert-manager/ConfigMap/cert-manager.yaml b/cert-manager/ConfigMap/cert-manager.yaml
new file mode 100644
index 0000000..53a6819
--- /dev/null
+++ b/cert-manager/ConfigMap/cert-manager.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+data:
+ config.yaml: |
+ apiVersion: controller.config.cert-manager.io/v1alpha1
+ enableGatewayAPI: true
+ featureGates:
+ ListenerSet: true
+ kind: ControllerConfiguration
+kind: ConfigMap
+metadata:
+ labels:
+ app: cert-manager
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/version: v1.20.2
+ helm.sh/chart: cert-manager-v1.20.2
+ name: cert-manager
+ namespace: cert-manager
diff --git a/cert-manager/Deployment/cert-manager.yaml b/cert-manager/Deployment/cert-manager.yaml
index 43337ac..f410a14 100644
--- a/cert-manager/Deployment/cert-manager.yaml
+++ b/cert-manager/Deployment/cert-manager.yaml
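Review bot: The `config.yaml` block turns on `enableGatewayAPI: true` and the `ListenerSet` feature gate on a `v1alpha1` controller configuration with no comment on why, and a reader cannot tell from this ConfigMap that cert-manager will now watch Gateway API resources cluster-wide and presumably needs both the corresponding CRDs and RBAC on them in place before it starts — none of which appears in this diff. Add a short header inside the block scalar, e.g. `# Gateway API integration (presumably for HTTP-01 solving via Gateway/ListenerSet); requires Gateway API CRDs and the experimental XListenerSet CRD to be installed first, and the controller ClusterRole to grant the matching verbs`, and verify those RBAC grants exist in the chart before merging.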
@@ -36,6 +36,7 @@ spec:
 containers:
 - args:
 - '--v=2'
+ - '--config=/var/cert-manager/config/config.yaml'
 - '--cluster-resource-namespace=$(POD_NAMESPACE)'
 - '--leader-election-namespace=kube-system'
 - >-
@@ -76,6 +77,9 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /var/cert-manager/config
+ name: config
 enableServiceLinks: false
 nodeSelector:
 kubernetes.io/os: linux
@@ -84,3 +88,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: cert-manager
+ volumes:
+ - configMap:
+ name: cert-manager
+ name: config
diff --git a/envoy-gateway-system/ConfigMap/envoy-gateway-config.yaml b/envoy-gateway-system/ConfigMap/envoy-gateway-config.yaml
new file mode 100644
index 0000000..7e10db6
--- /dev/null
+++ b/envoy-gateway-system/ConfigMap/envoy-gateway-config.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+data:
+ envoy-gateway.yaml: |
+ apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyGateway
+ extensionApis: {}
+ gateway:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ logging:
+ level:
+ default: info
+ provider:
+ kubernetes:
+ rateLimitDeployment:
+ container:
+ image: docker.io/envoyproxy/ratelimit:05c08d03
+ patch:
+ type: StrategicMerge
+ value:
+ spec:
+ template:
+ spec:
+ containers:
+ - imagePullPolicy: IfNotPresent
+ name: envoy-ratelimit
+ shutdownManager:
+ image: docker.io/envoyproxy/gateway:v1.7.3
+ type: Kubernetes
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-config
+ namespace: envoy-gateway-system
diff --git a/envoy-gateway-system/Deployment/envoy-gateway.yaml b/envoy-gateway-system/Deployment/envoy-gateway.yaml
new file mode 100644
index 0000000..61d7ce1
--- /dev/null
+++ b/envoy-gateway-system/Deployment/envoy-gateway.yaml
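Review bot: The new `volumeMounts` entry for `config` (second hunk) has no `readOnly: true`, whereas the equivalent `/config` mount on the envoy-gateway Deployment in this same change does; configMap volumes are mounted read-only by the kubelet regardless, so this is an explicitness and policy-tooling point rather than a hole, but with `readOnlyRootFilesystem: true` already on the container the intent is clearly immutable config and the flag should say so: `readOnly: true` under `- mountPath: /var/cert-manager/config`. Since `--config=` (first hunk) now points at that file and the `configMap` volume (third hunk) is not marked `optional`, the pod will not start until the `cert-manager` ConfigMap exists, which is the right default but worth a comment so the ConfigMap is never dropped independently. The enclosing container and pod specs start and end outside these hunks.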
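Review bot: `rateLimitDeployment.container.image` pins the rate-limit service to a short commit tag (`docker.io/envoyproxy/ratelimit:05c08d03`) while the strategic-merge patch below it sets `imagePullPolicy: IfNotPresent`, so a mutable tag combined with never re-pulling means each node keeps whatever image it first cached under that tag, with no integrity check and uneven rollout if upstream ever retags; the `shutdownManager` image (`gateway:v1.7.3`) is pinned by tag as well. Prefer digest pins for both, `image: docker.io/envoyproxy/ratelimit@sha256:<digest>` and `image: docker.io/envoyproxy/gateway@sha256:<digest>`, which also makes `IfNotPresent` safe, and add a comment recording which upstream ratelimit release that commit corresponds to so the pin can be reviewed later.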
@@ -0,0 +1,102 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ control-plane: envoy-gateway
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway
+ namespace: envoy-gateway-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/name: gateway-helm
+ control-plane: envoy-gateway
+ template:
+ metadata:
+ annotations:
+ prometheus.io/port: '19001'
+ prometheus.io/scrape: 'true'
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/name: gateway-helm
+ control-plane: envoy-gateway
+ spec:
+ containers:
+ - args:
+ - server
+ - '--config-path=/config/envoy-gateway.yaml'
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: cluster.local
+ image: docker.io/envoyproxy/gateway:v1.7.3
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: envoy-gateway
+ ports:
+ - containerPort: 18000
+ name: grpc
+ - containerPort: 18001
+ name: ratelimit
+ - containerPort: 18002
+ name: wasm
+ - containerPort: 19001
+ name: metrics
+ - containerPort: 9443
+ name: webhook
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /config
+ name: envoy-gateway-config
+ readOnly: true
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ imagePullSecrets: []
+ serviceAccountName:
envoy-gateway
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: envoy-gateway-config
+ name: envoy-gateway-config
+ - name: certs
+ secret:
+ secretName: envoy-gateway
diff --git a/envoy-gateway-system/Job/envoy-gateway-gateway-helm-certgen.yaml b/envoy-gateway-system/Job/envoy-gateway-gateway-helm-certgen.yaml
new file mode 100644
index 0000000..6ab98bd
--- /dev/null
+++ b/envoy-gateway-system/Job/envoy-gateway-gateway-helm-certgen.yaml
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ helm.sh/hook: pre-install, pre-upgrade
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-certgen
+ namespace: envoy-gateway-system
+spec:
+ backoffLimit: 1
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: certgen
+ spec:
+ containers:
+ - command:
+ - envoy-gateway
+ - certgen
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: cluster.local
+ image: docker.io/envoyproxy/gateway:v1.7.3
+ imagePullPolicy: IfNotPresent
+ name: envoy-gateway-certgen
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ imagePullSecrets: []
+ restartPolicy: Never
+ serviceAccountName: envoy-gateway-gateway-helm-certgen
+ ttlSecondsAfterFinished: 30
diff --git a/envoy-gateway-system/Role/envoy-gateway-gateway-helm-certgen.yaml b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-certgen.yaml
new file mode 100644
index 0000000..aa42121
--- /dev/null
+++ b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-certgen.yaml
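Review bot: The controller container's `securityContext` omits `readOnlyRootFilesystem: true`, while the certgen Job in this same change (same image, same user 65532) sets it; the controller mounts its config and certs `readOnly: true` and nothing visible here needs a writable root, so the omission reads as an oversight rather than a requirement. Add `readOnlyRootFilesystem: true` next to `allowPrivilegeEscalation: false`, with an `emptyDir` for `/tmp` only if the binary turns out to need scratch space. Separately, the `certs` Secret volume takes the default file mode (the ConfigMap volume beside it spells out `defaultMode: 420`), so the private key is world-readable inside the container; tightening it needs a pod `fsGroup: 65532` so the non-root user can still read a `0440`/`0400` file, which is worth a follow-up rather than a silent change here.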
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ helm.sh/hook: pre-install, pre-upgrade
+ helm.sh/hook-weight: '-1'
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-certgen
+ namespace: envoy-gateway-system
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
diff --git a/envoy-gateway-system/Role/envoy-gateway-gateway-helm-infra-manager.yaml b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-infra-manager.yaml
new file mode 100644
index 0000000..014daca
--- /dev/null
+++ b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-infra-manager.yaml
@@ -0,0 +1,57 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-infra-manager
+ namespace: envoy-gateway-system
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - serviceaccounts
+ - services
+ - configmaps
+ verbs:
+ - create
+ - get
+ - list
+ - delete
+ - deletecollection
+ - patch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - create
+ - get
+ - delete
+ - deletecollection
+ - patch
+ - apiGroups:
+ - autoscaling
+ - policy
+ resources:
+ - horizontalpodautoscalers
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - get
+ - list
+ - delete
+ - deletecollection
+ - patch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - clustertrustbundles
+ verbs:
+ - list
+ - get
+ - watch
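Review bot: The certgen Role grants `get`/`create`/`update` on every Secret in `envoy-gateway-system` with no `resourceNames`, so the hook's service account can read or overwrite any other Secret that ends up in this namespace, not only the TLS material it generates. RBAC cannot name-scope `create` (the request carries no name yet), but `get` and `update` can be: split the rule into one entry with `verbs: [create]` and a second with `resourceNames: [envoy-gateway]` and `verbs: [get, update]`, listing whichever additional Secret names certgen is known to write — the Deployment in this change mounts `envoy-gateway`; any others are not visible here and should be confirmed against the certgen code before the list is finalised.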
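Review bot: The infra-manager Role combines `create`/`patch` on `serviceaccounts` with `create`/`patch` on `deployments` and `daemonsets` in the same namespace, which together equal the ability to run a pod under any ServiceAccount that exists in `envoy-gateway-system` — including the `envoy-gateway` SA this Role is bound to, whose other bindings (and presumably a cluster-wide role) sit above this one. That is inherent to a controller that provisions proxy workloads, but it makes the namespace a privilege boundary that must stay dedicated; say so on the Role, e.g. `# create on serviceaccounts + deployments/daemonsets == run workloads as any SA in this namespace; do not bind other elevated roles here`. The `apps` rule also lacks `list` while the neighbouring rules grant it; if that is deliberate (reads happen via a cluster-scoped watch elsewhere), a one-line comment would save the next reviewer the question.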
diff --git a/envoy-gateway-system/Role/envoy-gateway-gateway-helm-leader-election-role.yaml b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-leader-election-role.yaml
new file mode 100644
index 0000000..0ebc576
--- /dev/null
+++ b/envoy-gateway-system/Role/envoy-gateway-gateway-helm-leader-election-role.yaml
@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-leader-election-role
+ namespace: envoy-gateway-system
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-certgen.yaml b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-certgen.yaml
new file mode 100644
index 0000000..3ee5811
--- /dev/null
+++ b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-certgen.yaml
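Review bot: The first rule grants the full `get/list/watch/create/update/patch/delete` set on every ConfigMap in `envoy-gateway-system`, which is broader than leader election needs if the lock is the `leases` resource granted by the rule directly below it; the grant covers `envoy-gateway-config`, the controller's own configuration, so a compromised controller could rewrite the config it boots from. Whether a ConfigMap-based lock is still in use cannot be determined from this change: if it is only legacy compatibility, drop the rule or narrow it with `resourceNames:` to the lock object; if it is required, record which resource it is, e.g. `# configmaps: legacy leader-election lock; leases is the active lock`, so the next reviewer can check rather than guess.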
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ helm.sh/hook: pre-install, pre-upgrade
+ helm.sh/hook-weight: '-1'
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-certgen
+ namespace: envoy-gateway-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: envoy-gateway-gateway-helm-certgen
+subjects:
+ - kind: ServiceAccount
+ name: envoy-gateway-gateway-helm-certgen
+ namespace: envoy-gateway-system
diff --git a/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-infra-manager.yaml b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-infra-manager.yaml
new file mode 100644
index 0000000..ee2b95b
--- /dev/null
+++ b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-infra-manager.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-infra-manager
+ namespace: envoy-gateway-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: envoy-gateway-gateway-helm-infra-manager
+subjects:
+ - kind: ServiceAccount
+ name: envoy-gateway
+ namespace: envoy-gateway-system
diff --git a/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-leader-election-rolebinding.yaml b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-leader-election-rolebinding.yaml
new file mode 100644
index 0000000..c0a7f4e
--- /dev/null
+++ b/envoy-gateway-system/RoleBinding/envoy-gateway-gateway-helm-leader-election-rolebinding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-leader-election-rolebinding
+ namespace: envoy-gateway-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: envoy-gateway-gateway-helm-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: envoy-gateway
+ namespace: envoy-gateway-system
diff --git a/envoy-gateway-system/Service/envoy-gateway.yaml b/envoy-gateway-system/Service/envoy-gateway.yaml
new file mode 100644
index 0000000..22e94eb
--- /dev/null
+++ b/envoy-gateway-system/Service/envoy-gateway.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ control-plane: envoy-gateway
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway
+ namespace: envoy-gateway-system
+spec:
+ ports:
+ - name: grpc
+ port: 18000
+ targetPort: 18000
+ - name: ratelimit
+ port: 18001
+ targetPort: 18001
+ - name: wasm
+ port: 18002
+ targetPort: 18002
+ - name: metrics
+ port: 19001
+ targetPort: 19001
+ - name: webhook
+ port: 9443
+ targetPort: 9443
+ selector:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/name: gateway-helm
+ control-plane: envoy-gateway
+ type: ClusterIP
diff --git a/envoy-gateway-system/ServiceAccount/envoy-gateway-gateway-helm-certgen.yaml b/envoy-gateway-system/ServiceAccount/envoy-gateway-gateway-helm-certgen.yaml
new file mode 100644
index 0000000..27b0dc5
--- /dev/null
+++ b/envoy-gateway-system/ServiceAccount/envoy-gateway-gateway-helm-certgen.yaml
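Review bot: The Service publishes the control-plane ports — xDS `grpc` 18000, `ratelimit` 18001, `wasm` 18002 — together with the Prometheus-scraped `metrics` 19001 and the `webhook` 9443 on a single ClusterIP reachable from every pod in the cluster, and no NetworkPolicy accompanies it in this change. Whether the xDS and rate-limit listeners demand mTLS client certificates drawn from the `/certs` mount cannot be confirmed from what is visible, so network reachability is currently the only control a reviewer can see. Add a NetworkPolicy (or reference the one that exists outside this change) that limits 18000–18002 to the Envoy proxy pods the controller manages and 9443 to the API server, and note the intended peers on the Service itself: `# 18000-18002 are for managed envoy pods only; 9443 is the admission webhook; see accompanying NetworkPolicy`.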
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ helm.sh/hook: pre-install, pre-upgrade
+ helm.sh/hook-weight: '-1'
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway-gateway-helm-certgen
+ namespace: envoy-gateway-system
diff --git a/envoy-gateway-system/ServiceAccount/envoy-gateway.yaml b/envoy-gateway-system/ServiceAccount/envoy-gateway.yaml
new file mode 100644
index 0000000..e7a6107
--- /dev/null
+++ b/envoy-gateway-system/ServiceAccount/envoy-gateway.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/instance: envoy-gateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gateway-helm
+ app.kubernetes.io/version: v1.7.3
+ helm.sh/chart: gateway-helm-v1.7.3
+ name: envoy-gateway
+ namespace: envoy-gateway-system