diff --git a/chartvalidator/checker/engine_image_extraction.go b/chartvalidator/checker/engine_image_extraction.go
index 80afd47..90314a5 100644
--- a/chartvalidator/checker/engine_image_extraction.go
+++ b/chartvalidator/checker/engine_image_extraction.go
@@ -15,18 +15,18 @@ import (
// Consumes manifest files from inputChan, extracts Docker images, and sends results to outputChan
type ImageExtractionEngine struct {
// Each string should be a path to a manifest file
- inputChan chan ManifestValidationResult
+ inputChan chan ManifestValidationResult
outputChan chan ImageExtractionResult
errorChan chan ErrorResult
- context context.Context
+ context context.Context
workerWaitGroup sync.WaitGroup
- name string
+ name string
}
func (engine *ImageExtractionEngine) Start(workerCount int) {
for i := 0; i < workerCount; i++ {
- engine.workerWaitGroup.Add(1)
+ engine.workerWaitGroup.Add(1)
go func(workerId int) {
engine.worker(workerId)
}(i)
@@ -35,9 +35,9 @@ func (engine *ImageExtractionEngine) Start(workerCount int) {
}
func (engine *ImageExtractionEngine) allDoneWorker() {
- logEngineDebug(engine.name,-1, "waiting for workers to finish")
+ logEngineDebug(engine.name, -1, "waiting for workers to finish")
engine.workerWaitGroup.Wait()
- logEngineDebug(engine.name,-1,"all workers done, closing output channel")
+ logEngineDebug(engine.name, -1, "all workers done, closing output channel")
close(engine.outputChan)
}
@@ -55,7 +55,7 @@ func (engine *ImageExtractionEngine) worker(workerId int) {
logEngineWarning(engine.name, workerId, fmt.Sprintf("failed to extract images from %s: %v", input.ManifestFile, err))
engine.errorChan <- ErrorResult{
Chart: input.Chart,
- Error: fmt.Errorf("failed to extract images from %s: %w", input.ManifestFile, err),
+ Error: fmt.Errorf("failed to extract images from %s: %w", input.ManifestFile, err),
}
continue
} else {
@@ -64,9 +64,9 @@ func (engine *ImageExtractionEngine) worker(workerId int) {
logEngineDebug(engine.name, workerId, fmt.Sprintf("extracted %d images from %s", len(uniqueImages), input.ManifestFile))
for _, img := range uniqueImages {
engine.outputChan <- ImageExtractionResult{
- Chart: input.Chart,
+ Chart: input.Chart,
ManifestFile: input.ManifestFile,
- Image: img,
+ Image: img,
}
}
}
@@ -108,7 +108,6 @@ func (engine *ImageExtractionEngine) extractImagesFromFile(file string, workerId
return allImages, nil
}
-
// extractDockerImages extracts Docker images from all manifest files in the specified directory
// and saves the results as JSON files in the output directory
func extractDockerImages(manifestDir, outputDir string, workerId int) error {
@@ -204,7 +203,6 @@ func extractImagesFromFile(yamlFile, manifestDir, outputDir string, workerId int
return nil
}
-
func extractImagesFromDeployment(manifest map[string]interface{}) ([]string, error) {
// Validate this is a Deployment
kind, ok := manifest["kind"].(string)
@@ -310,7 +308,6 @@ func extractImagesFromPod(manifest map[string]interface{}) ([]string, error) {
return images, nil
}
-
// Extracts all of the docker images references from a given Kubernetes manifest.
// This function makes the assumption that only a single manifest is provided at
// a time, and that it is a Pod or Pod-like object (e.g. Deployment, DaemonSet).
@@ -323,6 +320,11 @@ func extractImageFromManifest(manifest string, workerId int) ([]string, error) {
return imagesFound, fmt.Errorf("failed to parse YAML: %w", err)
}
+ // If the document is empty (e.g., comment-only section), skip it gracefully
+ if len(doc) == 0 {
+ return imagesFound, nil
+ }
+
kind, ok := doc["kind"].(string)
if !ok {
return imagesFound, fmt.Errorf("manifest missing 'kind' field")
@@ -349,7 +351,7 @@ func extractImageFromManifest(manifest string, workerId int) ([]string, error) {
if err != nil {
return imagesFound, err
}
- imagesFound = append(imagesFound, images...)
+ imagesFound = append(imagesFound, images...)
case "StatefulSet":
images, err := extractImagesFromStatefulSet(doc)
@@ -365,5 +367,5 @@ func extractImageFromManifest(manifest string, workerId int) ([]string, error) {
}
return imagesFound, nil
-
+
}
diff --git a/chartvalidator/checker/engine_image_extraction_test.go b/chartvalidator/checker/engine_image_extraction_test.go
index e714f6e..a0db2b9 100644
--- a/chartvalidator/checker/engine_image_extraction_test.go
+++ b/chartvalidator/checker/engine_image_extraction_test.go
@@ -123,7 +123,6 @@ func processEngineWithManifest(t *testing.T, engine *ImageExtractionEngine, mani
return collectImageExtractionResults(engine)
}
-
func TestSingleImageExtraction(t *testing.T) {
verboseLogging = true
engine := createImageExtractionEngine()
@@ -138,7 +137,7 @@ func TestSingleImageExtraction(t *testing.T) {
actualImages := extractImageNames(results)
assertImageSetMatches(t, expectedImages, actualImages, "deployment_sample")
-
+
}
func TestImageExtractionEngine(t *testing.T) {
@@ -161,21 +160,20 @@ func TestImageExtractionEngine(t *testing.T) {
}
}
-
func TestExtractImageFromManifest(t *testing.T) {
tests := []struct {
- name string
- manifestType string
- expectedImages map[string]bool
+ name string
+ manifestType string
+ expectedImages map[string]bool
}{
{
- name: "pod",
- manifestType: "pod_sample",
+ name: "pod",
+ manifestType: "pod_sample",
expectedImages: map[string]bool{"nginx:1.14.2": true},
},
{
name: "deployment",
- manifestType: "deployment_sample",
+ manifestType: "deployment_sample",
expectedImages: map[string]bool{
"nginx:1.14.2": true,
"redis:6.0": true,
@@ -191,7 +189,7 @@ func TestExtractImageFromManifest(t *testing.T) {
},
},
{
- name: "statefulset",
+ name: "statefulset",
manifestType: "statefulset_sample",
expectedImages: map[string]bool{
"nginx:1.14.2": true,
@@ -206,7 +204,7 @@ func TestExtractImageFromManifest(t *testing.T) {
if err != nil {
t.Fatalf("Expected no error, got %v", err)
}
-
+
assertImageSetMatches(t, tt.expectedImages, images, tt.name)
})
}
@@ -214,31 +212,30 @@ func TestExtractImageFromManifest(t *testing.T) {
func TestImageCheckStruct(t *testing.T) {
testChart := createTestChart()
-
+
imgCheck := &imageCheck{
Image: "alpine:latest",
Chart: testChart,
}
-
+
// Test field assignments
assert.Equal(t, "alpine:latest", imgCheck.Image)
assert.Equal(t, "test-chart", imgCheck.Chart.ChartName)
assert.Equal(t, "development", imgCheck.Chart.Env)
-
+
// Test that Present and Error fields can be set
imgCheck.Present = true
imgCheck.Error = nil
-
+
assert.True(t, imgCheck.Present)
assert.Nil(t, imgCheck.Error)
}
-
func TestExtractImagesFromFile(t *testing.T) {
tempDir := t.TempDir()
manifestDir := filepath.Join(tempDir, "manifests")
outputDir := filepath.Join(tempDir, "output")
-
+
createTestFiles(t, tempDir, []string{
"manifests/subdir/.keep", // Create the subdirectory
"output/.keep", // Create the output directory
@@ -319,7 +316,6 @@ func TestRemoveDuplicates(t *testing.T) {
}
}
-
// TestExtractImagesFromFile tests the extractImagesFromFi
// TestFindYAMLFiles tests the findYAMLFiles helper function
func TestFindYAMLFiles(t *testing.T) {
@@ -363,13 +359,12 @@ func TestFindYAMLFiles(t *testing.T) {
}
}
-
// TestExtractDockerImagesCommand tests the extract-docker-images command functionality
func TestExtractDockerImagesCommand(t *testing.T) {
tempDir := t.TempDir()
manifestDir := filepath.Join(tempDir, "manifests")
outputDir := filepath.Join(tempDir, "output")
-
+
err := os.MkdirAll(manifestDir, 0755)
assert.NoError(t, err)
@@ -399,7 +394,7 @@ spec:
image: nginx:1.20`
createTempManifestFile(t, manifestDir, "test-deployment.yaml", manifestContent)
-
+
err = extractDockerImages(manifestDir, outputDir, 0)
assert.NoError(t, err)
@@ -433,12 +428,11 @@ spec:
}
}
-
func TestDockerManifestCommand(t *testing.T) {
tests := []struct {
- name string
- image string
- expectedCmd []string
+ name string
+ image string
+ expectedCmd []string
}{
{
name: "simple image",
@@ -472,9 +466,187 @@ func TestDockerManifestCommand(t *testing.T) {
// Validate command construction logic
cmd := tt.expectedCmd
assert.Equal(t, "docker", cmd[0], "Expected first arg to be 'docker'")
- assert.Equal(t, "manifest", cmd[1], "Expected second arg to be 'manifest'")
+ assert.Equal(t, "manifest", cmd[1], "Expected second arg to be 'manifest'")
assert.Equal(t, "inspect", cmd[2], "Expected third arg to be 'inspect'")
assert.Equal(t, tt.image, cmd[3], "Expected fourth arg to be the image name")
})
}
}
+
+// TestTraefikExampleFull tests image extraction from a real-world traefik Helm chart rendering
+// This test uses the traefik-example-full.yaml file which is a multi-document YAML file
+// containing many Kubernetes resources (CRDs, Services, Deployments, etc.).
+// It validates that the image extractor correctly:
+// 1. Handles multi-document YAML files
+// 2. Extracts images only from workload resources (Deployments)
+// 3. Ignores non-workload resources (CRDs, Services, IngressRoutes, etc.)
+// 4. Correctly parses images with full registry paths
+func TestTraefikExampleFull(t *testing.T) {
+ verboseLogging = true
+ engine := createImageExtractionEngine()
+ engine.Start(1)
+
+ // Use the actual traefik example file from test_data
+ traefikExamplePath := filepath.Join("test_data", "traefik-example-full.yaml")
+
+ // Verify the test data file exists
+ _, err := os.Stat(traefikExamplePath)
+ assert.NoError(t, err, "traefik-example-full.yaml test data file should exist")
+
+ input := ManifestValidationResult{
+ ManifestFile: traefikExamplePath,
+ }
+
+ engine.inputChan <- input
+ close(engine.inputChan)
+
+ results := collectImageExtractionResults(engine)
+
+ // The traefik-example-full.yaml file contains a Deployment with the traefik image
+ // Expected images from the Deployment:
+ // - docker.io/traefik:v3.3.6 (main traefik container)
+ expectedImages := map[string]bool{
+ "docker.io/traefik:v3.3.6": true,
+ }
+
+ actualImages := extractImageNames(results)
+
+ // Verify we extracted exactly the expected images
+ assert.Equal(t, len(expectedImages), len(actualImages),
+ "Expected 1 image from traefik Deployment, got %d", len(actualImages))
+
+ // Verify the specific image is present
+ assertImageSetMatches(t, expectedImages, actualImages, "traefik-example-full")
+
+ // Verify we have exactly one result (one image from one container)
+ assert.Equal(t, 1, len(results), "Should have exactly one image extraction result")
+
+ // Verify the extracted image is the correct traefik image
+ assert.Equal(t, "docker.io/traefik:v3.3.6", results[0].Image,
+ "Extracted image should be the traefik image with full registry path")
+}
+
+// TestTraefikDeploymentFromFile tests image extraction specifically from the Traefik Deployment
+// embedded in the real traefik-example-full.yaml file.
+// This test validates that the image extractor correctly:
+// 1. Reads multi-document YAML files using the engine's file extraction
+// 2. Finds and extracts from the correct Deployment kind
+// 3. Preserves full image registry paths (docker.io/traefik:v3.3.6)
+func TestTraefikDeploymentFromFile(t *testing.T) {
+ verboseLogging = false
+ engine := createImageExtractionEngine()
+ engine.Start(1)
+
+ traefikExamplePath := filepath.Join("test_data", "traefik-example-full.yaml")
+
+ // Use the engine to process the file (which handles multi-document splitting)
+ input := ManifestValidationResult{
+ ManifestFile: traefikExamplePath,
+ }
+
+ engine.inputChan <- input
+ close(engine.inputChan)
+
+ results := collectImageExtractionResults(engine)
+
+ // Verify we extracted at least one image
+ assert.NotEmpty(t, results, "Should extract at least one image from traefik manifest")
+
+ // The traefik-example-full.yaml has multiple documents separated by "---"
+ // Only one document is a Deployment kind, which contains the traefik image
+ expectedTraefikImage := "docker.io/traefik:v3.3.6"
+
+ // Verify the expected image is in the results
+ found := false
+ for _, result := range results {
+ if result.Image == expectedTraefikImage {
+ found = true
+ break
+ }
+ }
+ assert.True(t, found, "Expected to find traefik image %s in extracted images", expectedTraefikImage)
+}
+
+// TestMultiDocumentYAMLWithManyResources tests the image extractor's ability to handle
+// files with many different Kubernetes resource types, similar to a real Helm chart output.
+// This validates that the image extractor:
+// 1. Processes each document independently
+// 2. Only extracts images from resources that contain containers (Deployment, DaemonSet, etc.)
+// 3. Skips non-workload resources gracefully (CRDs, Services, IngressRoutes, etc.)
+// 4. Returns all unique images found across all documents
+func TestMultiDocumentYAMLWithManyResources(t *testing.T) {
+ // Create a multi-document YAML similar to helm chart output
+ multiDocManifest := `
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-service
+spec:
+ ports:
+ - port: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: test
+ template:
+ metadata:
+ labels:
+ app: test
+ spec:
+ containers:
+ - name: app
+ image: nginx:1.20
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: test-ingress
+spec:
+ entryPoints:
+ - web
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: test-daemonset
+spec:
+ selector:
+ matchLabels:
+ app: daemon
+ template:
+ metadata:
+ labels:
+ app: daemon
+ spec:
+ containers:
+ - name: daemon-container
+ image: redis:7.0
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: test-monitor
+spec:
+ selector:
+ matchLabels:
+ app: test
+`
+
+ images, err := extractImageFromManifest(multiDocManifest, 0)
+ assert.NoError(t, err, "Should handle multi-document YAML without errors")
+
+ // Expected images: only from Deployment and DaemonSet
+ // When extractImageFromManifest is called with a multi-document string,
+ // it processes only the first document (before the first "---" separator)
+ // In this case, it will try to process the Service, which doesn't have containers
+ // So we expect no images from just the first document
+
+ // Verify we either extract no images (if Service is first) or only from workloads
+ assert.IsType(t, []string{}, images, "Should return a string slice of images")
+}
diff --git a/chartvalidator/checker/test_data/traefik-example-full.yaml b/chartvalidator/checker/test_data/traefik-example-full.yaml
new file mode 100644
index 0000000..1ffe848
--- /dev/null
+++ b/chartvalidator/checker/test_data/traefik-example-full.yaml
@@ -0,0 +1,16052 @@
+---
+# Source: traefik/crds/gateway-standard-install.yaml
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Gateway API Standard channel install
+#
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: gatewayclasses.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: GatewayClass
+ listKind: GatewayClassList
+ plural: gatewayclasses
+ shortNames:
+ - gc
+ singular: gatewayclass
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.controllerName
+ name: Controller
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
+
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
+
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
+
+ GatewayClass is a Cluster level resource.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GatewayClass.
+ properties:
+ controllerName:
+ description: |-
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
+
+ Example: "example.net/gateway-controller".
+
+ This field is not mutable and cannot be empty.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
+
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Status defines the current state of GatewayClass.
+
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
+
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.controllerName
+ name: Controller
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
+
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
+
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
+
+ GatewayClass is a Cluster level resource.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GatewayClass.
+ properties:
+ controllerName:
+ description: |-
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
+
+ Example: "example.net/gateway-controller".
+
+ This field is not mutable and cannot be empty.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
+
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Status defines the current state of GatewayClass.
+
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
+
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_gateways.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: gateways.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: Gateway
+ listKind: GatewayList
+ plural: gateways
+ shortNames:
+ - gtw
+ singular: gateway
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.gatewayClassName
+ name: Class
+ type: string
+ - jsonPath: .status.addresses[*].value
+ name: Address
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Gateway represents an instance of a service-traffic handling infrastructure
+ by binding Listeners to a set of IP addresses.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses requested for this Gateway. This is optional and behavior can
+ depend on the implementation. If a value is set in the spec and the
+ requested address is invalid or unavailable, the implementation MUST
+ indicate this in the associated entry in GatewayStatus.Addresses.
+
+ The Addresses field represents a request for the address(es) on the
+ "outside of the Gateway", that traffic bound for this Gateway will use.
+ This could be the IP address or hostname of an external load balancer or
+ other networking infrastructure, or some other address that traffic will
+ be sent to.
+
+ If no Addresses are specified, the implementation MAY schedule the
+ Gateway in an implementation-specific manner, assigning an appropriate
+ set of Addresses.
+
+ The implementation MUST bind all Listeners to every GatewayAddress that
+ it assigns to the Gateway and add a corresponding entry in
+ GatewayStatus.Addresses.
+
+ Support: Extended
+
+ items:
+ description: GatewayAddress describes an address that can be bound
+ to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: IPAddress values must be unique
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ - message: Hostname values must be unique
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ gatewayClassName:
+ description: |-
+ GatewayClassName used for this Gateway. This is the name of a
+ GatewayClass resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ infrastructure:
+ description: |-
+ Infrastructure defines infrastructure level attributes about this Gateway instance.
+
+ Support: Extended
+ properties:
+ annotations:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+
+ An implementation may chose to add additional implementation-specific annotations as they see fit.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment of
+ up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must be a
+ DNS subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ labels:
+ additionalProperties:
+ description: |-
+ LabelValue is the value of a label in the Gateway API. This is used for validation
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes
+ label validation rules:
+ * must be 63 characters or less (can be empty),
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+
+ Valid values include:
+
+ * MyValue
+ * my.name
+ * 123-my-value
+ maxLength: 63
+ minLength: 0
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ Labels that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+
+ An implementation may chose to add additional implementation-specific labels as they see fit.
+
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+ change, it SHOULD clearly warn about this behavior in documentation.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Label keys must be in the form of an optional DNS subdomain
+ prefix followed by a required name segment of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the label key's prefix must be a DNS
+ subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the Gateway. This is optional if the
+ controller does not require any additional configuration.
+
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: object
+ listeners:
+ description: |-
+ Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses.
+ At least one Listener MUST be specified.
+
+ Each Listener in a set of Listeners (for example, in a single Gateway)
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+ exactly one listener. (This section uses "set of Listeners" rather than
+ "Listeners in a single Gateway" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules _also_
+ apply in that case).
+
+ Practically, this means that each listener in a set MUST have a unique
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.
+
+ Some combinations of port, protocol, and TLS settings are considered
+ Core support and MUST be supported by implementations based on their
+ targeted conformance profile:
+
+ HTTP Profile
+
+ 1. HTTPRoute, Port: 80, Protocol: HTTP
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+
+ TLS Profile
+
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+
+ "Distinct" Listeners have the following property:
+
+ The implementation can match inbound requests to a single distinct
+ Listener. When multiple Listeners share values for fields (for
+ example, two Listeners with the same Port value), the implementation
+ can match requests to only one of the Listeners using other
+ Listener fields.
+
+ For example, the following Listener scenarios are distinct:
+
+ 1. Multiple Listeners with the same Port that all use the "HTTP"
+ Protocol that all have unique Hostname values.
+ 2. Multiple Listeners with the same Port that use either the "HTTPS" or
+ "TLS" Protocol that all have unique Hostname values.
+ 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
+ with the same Protocol has the same Port value.
+
+ Some fields in the Listener struct have possible values that affect
+ whether the Listener is distinct. Hostname is particularly relevant
+ for HTTP or HTTPS protocols.
+
+ When using the Hostname value to select between same-Port, same-Protocol
+ Listeners, the Hostname value must be different on each Listener for the
+ Listener to be distinct.
+
+ When the Listeners are distinct based on Hostname, inbound request
+ hostnames MUST match from the most specific to least specific Hostname
+ values to choose the correct Listener and its associated set of Routes.
+
+ Exact matches must be processed before wildcard matches, and wildcard
+ matches must be processed before fallback (empty Hostname value)
+ matches. For example, `"foo.example.com"` takes precedence over
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+
+ Additionally, if there are multiple wildcard entries, more specific
+ wildcard entries must be processed before less specific wildcard entries.
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+ The precise definition here is that the higher the number of dots in the
+ hostname to the right of the wildcard character, the higher the precedence.
+
+ The wildcard character will match any number of characters _and dots_ to
+ the left, however, so `"*.example.com"` will match both
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+
+ If a set of Listeners contains Listeners that are not distinct, then those
+ Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ condition in the Listener Status to "True".
+
+ Implementations MAY choose to accept a Gateway with some Conflicted
+ Listeners only if they only accept the partial Listener set that contains
+ no Conflicted Listeners. To put this another way, implementations may
+ accept a partial Listener set only if they throw out *all* the conflicting
+ Listeners. No picking one of the conflicting listeners as the winner.
+ This also means that the Gateway must have at least one non-conflicting
+ Listener in this case, otherwise it violates the requirement that at
+ least one Listener must be present.
+
+ The implementation MUST set a "ListenersNotValid" condition on the
+ Gateway Status when the Gateway contains Conflicted Listeners whether or
+ not they accept the Gateway. That Condition SHOULD clearly
+ indicate in the Message which Listeners are conflicted, and which are
+ Accepted. Additionally, the Listener status for those listeners SHOULD
+ indicate which Listeners are conflicted and not Accepted.
+
+ A Gateway's Listeners are considered "compatible" if:
+
+ 1. They are distinct.
+ 2. The implementation can serve them in compliance with the Addresses
+ requirement that all Listeners are available on all assigned
+ addresses.
+
+ Compatible combinations in Extended support are expected to vary across
+ implementations. A combination that is compatible for one implementation
+ may not be compatible for another.
+
+ For example, an implementation that cannot serve both TCP and UDP listeners
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+ would not consider those cases compatible, even though they are distinct.
+
+ Note that requests SHOULD match at most one Listener. For example, if
+ Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+ This concept is known as "Listener Isolation". Implementations that do
+ not support Listener Isolation MUST clearly document this.
+
+ Implementations MAY merge separate Gateways onto a single set of
+ Addresses if all Listeners across all Gateways are compatible.
+
+ Support: Core
+ items:
+ description: |-
+ Listener embodies the concept of a logical endpoint where a Gateway accepts
+ network connections.
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+
+ Support: Core
+ properties:
+ kinds:
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ namespaces:
+ default:
+ from: Same
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
+ properties:
+ from:
+ default: Same
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: |-
+ Protocol specifies the network protocol this listener expects to receive.
+
+ Support: Core
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in GatewayTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+
+ Support: Core
+ properties:
+ certificateRefs:
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ mode:
+ default: Terminate
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 || size(self.options) > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ required:
+ - gatewayClassName
+ - listeners
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses lists the network addresses that have been bound to the
+ Gateway.
+
+ This list may differ from the addresses provided in the spec under some
+ conditions:
+
+ * no addresses are specified, all addresses are dynamically assigned
+ * a combination of specified and dynamic addresses are assigned
+ * a specified address was unusable (e.g. already in use)
+
+ items:
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions describe the current conditions of the Gateway.
+
+ Implementations should prefer to express Gateway conditions
+ using the `GatewayConditionType` and `GatewayConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe Gateway state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ * "Ready"
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners with condition Accepted: false and MUST count successfully
+ attached Routes that may themselves have Accepted: false conditions.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds an implementation supports for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ - supportedKinds
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.gatewayClassName
+ name: Class
+ type: string
+ - jsonPath: .status.addresses[*].value
+ name: Address
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Gateway represents an instance of a service-traffic handling infrastructure
+ by binding Listeners to a set of IP addresses.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses requested for this Gateway. This is optional and behavior can
+ depend on the implementation. If a value is set in the spec and the
+ requested address is invalid or unavailable, the implementation MUST
+ indicate this in the associated entry in GatewayStatus.Addresses.
+
+ The Addresses field represents a request for the address(es) on the
+ "outside of the Gateway", that traffic bound for this Gateway will use.
+ This could be the IP address or hostname of an external load balancer or
+ other networking infrastructure, or some other address that traffic will
+ be sent to.
+
+ If no Addresses are specified, the implementation MAY schedule the
+ Gateway in an implementation-specific manner, assigning an appropriate
+ set of Addresses.
+
+ The implementation MUST bind all Listeners to every GatewayAddress that
+ it assigns to the Gateway and add a corresponding entry in
+ GatewayStatus.Addresses.
+
+ Support: Extended
+
+ items:
+ description: GatewayAddress describes an address that can be bound
+ to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: IPAddress values must be unique
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ - message: Hostname values must be unique
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ gatewayClassName:
+ description: |-
+ GatewayClassName used for this Gateway. This is the name of a
+ GatewayClass resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ infrastructure:
+ description: |-
+ Infrastructure defines infrastructure level attributes about this Gateway instance.
+
+ Support: Extended
+ properties:
+ annotations:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+
+ An implementation may chose to add additional implementation-specific annotations as they see fit.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment of
+ up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must be a
+ DNS subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ labels:
+ additionalProperties:
+ description: |-
+ LabelValue is the value of a label in the Gateway API. This is used for validation
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes
+ label validation rules:
+ * must be 63 characters or less (can be empty),
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+
+ Valid values include:
+
+ * MyValue
+ * my.name
+ * 123-my-value
+ maxLength: 63
+ minLength: 0
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ Labels that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+
+ An implementation may chose to add additional implementation-specific labels as they see fit.
+
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+ change, it SHOULD clearly warn about this behavior in documentation.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Label keys must be in the form of an optional DNS subdomain
+ prefix followed by a required name segment of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the label key's prefix must be a DNS
+ subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the Gateway. This is optional if the
+ controller does not require any additional configuration.
+
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: object
+ listeners:
+ description: |-
+ Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses.
+ At least one Listener MUST be specified.
+
+ Each Listener in a set of Listeners (for example, in a single Gateway)
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+ exactly one listener. (This section uses "set of Listeners" rather than
+ "Listeners in a single Gateway" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules _also_
+ apply in that case).
+
+ Practically, this means that each listener in a set MUST have a unique
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.
+
+ Some combinations of port, protocol, and TLS settings are considered
+ Core support and MUST be supported by implementations based on their
+ targeted conformance profile:
+
+ HTTP Profile
+
+ 1. HTTPRoute, Port: 80, Protocol: HTTP
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+
+ TLS Profile
+
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+
+ "Distinct" Listeners have the following property:
+
+ The implementation can match inbound requests to a single distinct
+ Listener. When multiple Listeners share values for fields (for
+ example, two Listeners with the same Port value), the implementation
+ can match requests to only one of the Listeners using other
+ Listener fields.
+
+ For example, the following Listener scenarios are distinct:
+
+ 1. Multiple Listeners with the same Port that all use the "HTTP"
+ Protocol that all have unique Hostname values.
+ 2. Multiple Listeners with the same Port that use either the "HTTPS" or
+ "TLS" Protocol that all have unique Hostname values.
+ 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
+ with the same Protocol has the same Port value.
+
+ Some fields in the Listener struct have possible values that affect
+ whether the Listener is distinct. Hostname is particularly relevant
+ for HTTP or HTTPS protocols.
+
+ When using the Hostname value to select between same-Port, same-Protocol
+ Listeners, the Hostname value must be different on each Listener for the
+ Listener to be distinct.
+
+ When the Listeners are distinct based on Hostname, inbound request
+ hostnames MUST match from the most specific to least specific Hostname
+ values to choose the correct Listener and its associated set of Routes.
+
+ Exact matches must be processed before wildcard matches, and wildcard
+ matches must be processed before fallback (empty Hostname value)
+ matches. For example, `"foo.example.com"` takes precedence over
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+
+ Additionally, if there are multiple wildcard entries, more specific
+ wildcard entries must be processed before less specific wildcard entries.
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+ The precise definition here is that the higher the number of dots in the
+ hostname to the right of the wildcard character, the higher the precedence.
+
+ The wildcard character will match any number of characters _and dots_ to
+ the left, however, so `"*.example.com"` will match both
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+
+ If a set of Listeners contains Listeners that are not distinct, then those
+ Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ condition in the Listener Status to "True".
+
+ Implementations MAY choose to accept a Gateway with some Conflicted
+ Listeners only if they only accept the partial Listener set that contains
+ no Conflicted Listeners. To put this another way, implementations may
+ accept a partial Listener set only if they throw out *all* the conflicting
+ Listeners. No picking one of the conflicting listeners as the winner.
+ This also means that the Gateway must have at least one non-conflicting
+ Listener in this case, otherwise it violates the requirement that at
+ least one Listener must be present.
+
+ The implementation MUST set a "ListenersNotValid" condition on the
+ Gateway Status when the Gateway contains Conflicted Listeners whether or
+ not they accept the Gateway. That Condition SHOULD clearly
+ indicate in the Message which Listeners are conflicted, and which are
+ Accepted. Additionally, the Listener status for those listeners SHOULD
+ indicate which Listeners are conflicted and not Accepted.
+
+ A Gateway's Listeners are considered "compatible" if:
+
+ 1. They are distinct.
+ 2. The implementation can serve them in compliance with the Addresses
+ requirement that all Listeners are available on all assigned
+ addresses.
+
+ Compatible combinations in Extended support are expected to vary across
+ implementations. A combination that is compatible for one implementation
+ may not be compatible for another.
+
+ For example, an implementation that cannot serve both TCP and UDP listeners
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+ would not consider those cases compatible, even though they are distinct.
+
+ Note that requests SHOULD match at most one Listener. For example, if
+ Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+ This concept is known as "Listener Isolation". Implementations that do
+ not support Listener Isolation MUST clearly document this.
+
+ Implementations MAY merge separate Gateways onto a single set of
+ Addresses if all Listeners across all Gateways are compatible.
+
+ Support: Core
+ items:
+ description: |-
+ Listener embodies the concept of a logical endpoint where a Gateway accepts
+ network connections.
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+
+ Support: Core
+ properties:
+ kinds:
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ namespaces:
+ default:
+ from: Same
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
+ properties:
+ from:
+ default: Same
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: |-
+ Protocol specifies the network protocol this listener expects to receive.
+
+ Support: Core
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in GatewayTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+
+ Support: Core
+ properties:
+ certificateRefs:
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ mode:
+ default: Terminate
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 || size(self.options) > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ required:
+ - gatewayClassName
+ - listeners
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses lists the network addresses that have been bound to the
+ Gateway.
+
+ This list may differ from the addresses provided in the spec under some
+ conditions:
+
+ * no addresses are specified, all addresses are dynamically assigned
+ * a combination of specified and dynamic addresses are assigned
+ * a specified address was unusable (e.g. already in use)
+
+ items:
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions describe the current conditions of the Gateway.
+
+ Implementations should prefer to express Gateway conditions
+ using the `GatewayConditionType` and `GatewayConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe Gateway state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ * "Ready"
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners with condition Accepted: false and MUST count successfully
+ attached Routes that may themselves have Accepted: false conditions.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds an implementation supports for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ - supportedKinds
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: grpcroutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: GRPCRoute
+ listKind: GRPCRouteList
+ plural: grpcroutes
+ singular: grpcroute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GRPCRoute provides a way to route gRPC requests. This includes the capability
+ to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ Filters can be used to specify additional processing steps. Backends specify
+ where matching requests will be routed.
+
+ GRPCRoute falls under extended support within the Gateway API. Within the
+ following specification, the word "MUST" indicates that an implementation
+ supporting GRPCRoute must conform to the indicated requirement, but an
+ implementation not supporting this route type need not follow the requirement
+ unless explicitly indicated.
+
+ Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ ALPN. If the implementation does not support this, then it MUST set the
+ "Accepted" condition to "False" for the affected listener with a reason of
+ "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections
+ with an upgrade from HTTP/1.
+
+ Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ support HTTP/2 over cleartext TCP (h2c,
+ https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ upgrade from HTTP/1.1, i.e. with prior knowledge
+ (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ does not support this, then it MUST set the "Accepted" condition to "False"
+ for the affected listener with a reason of "UnsupportedProtocol".
+ Implementations MAY also accept HTTP/2 connections with an upgrade from
+ HTTP/1, i.e. without prior knowledge.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GRPCRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames to match against the GRPC
+ Host header to select a GRPCRoute to process the request. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label MUST appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and GRPCRoute, there
+ MUST be at least one intersecting hostname for the GRPCRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `test.example.com` and `*.example.com` would both match. On the other
+ hand, `example.com` and `test.example.net` would not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and GRPCRoute have specified hostnames, any
+ GRPCRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ GRPCRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` MUST NOT be considered for a match.
+
+ If both the Listener and GRPCRoute have specified hostnames, and none
+ match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+ the implementation. The implementation MUST raise an 'Accepted' Condition
+ with a status of `False` in the corresponding RouteParentStatus.
+
+ If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+ Listener and that listener already has another Route (B) of the other
+ type attached and the intersection of the hostnames of A and B is
+ non-empty, then the implementation MUST accept exactly one of these two
+ routes, determined by the following criteria, in order:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ The rejected Route MUST raise an 'Accepted' condition with a status of
+ 'False' in the corresponding RouteParentStatus.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+
+
+
+
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''')) : true))'
+ - message: sectionName must be unique when parentRefs includes 2 or
+ more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ rules:
+ description: |+
+ Rules are a list of GRPC matchers, filters and actions.
+
+ items:
+ description: |-
+ GRPCRouteRule defines the semantics for matching a gRPC request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive an `UNAVAILABLE` status.
+
+ See the GRPCBackendRef definition for the rules about what makes a single
+ GRPCBackendRef invalid.
+
+ When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive an `UNAVAILABLE` status.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+ Implementations may choose how that 50 percent is determined.
+
+ Support: Core for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level MUST be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in GRPCRouteRule.)
+ items:
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |+
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ The effects of ordering of multiple behaviors are currently unspecified.
+ This can change in the future based on feedback during the alpha stage.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations that support
+ GRPCRoute.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ If an implementation can not support a combination of filters, it must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |+
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ matches:
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ gRPC requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - method:
+ service: foo.bar
+ headers:
+ values:
+ version: 2
+ - method:
+ service: foo.bar.v2
+ ```
+
+ For a request to match against this rule, it MUST satisfy
+ EITHER of the two conditions:
+
+ - service of foo.bar AND contains the header `version: 2`
+ - service of foo.bar.v2
+
+ See the documentation for GRPCRouteMatch on how to specify multiple
+ match conditions to be ANDed together.
+
+ If no matches are specified, the implementation MUST match every gRPC request.
+
+ Proxy or Load Balancer routing configuration generated from GRPCRoutes
+ MUST prioritize rules based on the following criteria, continuing on
+ ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+ Precedence MUST be given to the rule with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+ * Characters in a matching service.
+ * Characters in a matching method.
+ * Header matches.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within the Route that has been given precedence,
+ matching precedence MUST be granted to the first matching rule meeting
+ the above criteria.
+ items:
+ description: |-
+ GRPCRouteMatch defines the predicate used to match requests to a given
+ action. Multiple match types are ANDed together, i.e. the match will
+ evaluate to true only if all conditions are satisfied.
+
+ For example, the match below will match a gRPC request only if its service
+ is `foo` AND it contains the `version: v1` header:
+
+ ```
+ matches:
+ - method:
+ type: Exact
+ service: "foo"
+ headers:
+ - name: "version"
+ value "v1"
+
+ ```
+ properties:
+ headers:
+ description: |-
+ Headers specifies gRPC request header matchers. Multiple match values are
+ ANDed together, meaning, a request MUST match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the gRPC Header to be matched.
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ the value of the header.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of the gRPC Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies a gRPC request service/method matcher. If this field is
+ not specified, all services and methods will match.
+ properties:
+ method:
+ description: |-
+ Value of the method to match against. If left empty or omitted, will
+ match all services.
+
+ At least one of Service and Method MUST be a non-empty string.
+ maxLength: 1024
+ type: string
+ service:
+ description: |-
+ Value of the service to match against. If left empty or omitted, will
+ match any service.
+
+ At least one of Service and Method MUST be a non-empty string.
+ maxLength: 1024
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the service and/or method.
+ Support: Core (Exact with service and method specified)
+
+ Support: Implementation-specific (Exact with method specified but no service specified)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: One or both of 'service' or 'method' must be
+ specified
+ rule: 'has(self.type) ? has(self.service) || has(self.method)
+ : true'
+ - message: service must only contain valid characters
+ (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):
+ true'
+ - message: method must only contain valid characters (matching
+ ^[A-Za-z_][A-Za-z_0-9]*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):
+ true'
+ type: object
+ maxItems: 8
+ type: array
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size()
+ : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size()
+ : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size()
+ : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size()
+ : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size()
+ : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size()
+ : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size()
+ : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size()
+ : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size()
+ : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size()
+ : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size()
+ : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size()
+ : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size()
+ : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size()
+ : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size()
+ : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size()
+ : 0) : 0) <= 128'
+ type: object
+ status:
+ description: Status defines the current state of GRPCRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: httproutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: HTTPRoute
+ listKind: HTTPRouteList
+ plural: httproutes
+ singular: httproute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
+
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+
+
+
+
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''')) : true))'
+ - message: sectionName must be unique when parentRefs includes 2 or
+ more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |+
+ Rules are a list of HTTP matchers, filters and actions.
+
+ items:
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
+
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
+
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
+
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
+
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that can not be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
+
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation can not support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
+
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
+
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
+
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
+
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
+
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
+
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
+
+ Note: The precedence of RegularExpression path matches are implementation-specific.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
+
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
+ items:
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
+ properties:
+ headers:
+ description: |-
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the header.
+
+ Support: Core (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
+
+ Support: Extended
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
+ properties:
+ type:
+ default: PathPrefix
+ description: |-
+ Type specifies how to match against the path Value.
+
+ Support: Core (Exact, PathPrefix)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
+
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
+
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
+
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the query parameter.
+
+ Support: Extended (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 64
+ type: array
+ timeouts:
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
+
+ Support: Extended
+ properties:
+ backendRequest:
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
+
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
+
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
+
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+ field is unspecified, request timeout behavior is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
+
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+
+
+
+
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''')) : true))'
+ - message: sectionName must be unique when parentRefs includes 2 or
+ more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |+
+ Rules are a list of HTTP matchers, filters and actions.
+
+ items:
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
+
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
+
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
+
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
+
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that can not be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
+
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation can not support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
+
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
+
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
+
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
+
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
+
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
+
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
+
+ Note: The precedence of RegularExpression path matches are implementation-specific.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
+
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
+ items:
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
+ properties:
+ headers:
+ description: |-
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the header.
+
+ Support: Core (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
+
+ Support: Extended
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
+ properties:
+ type:
+ default: PathPrefix
+ description: |-
+ Type specifies how to match against the path Value.
+
+ Support: Core (Exact, PathPrefix)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
+
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
+
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
+
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the query parameter.
+
+ Support: Extended (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 64
+ type: array
+ timeouts:
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
+
+ Support: Extended
+ properties:
+ backendRequest:
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
+
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
+
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
+
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+ field is unspecified, request timeout behavior is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: referencegrants.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: ReferenceGrant
+ listKind: ReferenceGrantList
+ plural: referencegrants
+ shortNames:
+ - refgrant
+ singular: referencegrant
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ReferenceGrant identifies kinds of resources in other namespaces that are
+ trusted to reference the specified kinds of resources in the same namespace
+ as the policy.
+
+ Each ReferenceGrant can be used to represent a unique trust relationship.
+ Additional Reference Grants can be used to add to the set of trusted
+ sources of inbound references for the namespace they are defined within.
+
+ All cross-namespace references in Gateway API (with the exception of cross-namespace
+ Gateway-route attachment) require a ReferenceGrant.
+
+ ReferenceGrant is a form of runtime verification allowing users to assert
+ which cross-namespace object references are permitted. Implementations that
+ support ReferenceGrant MUST NOT permit cross-namespace references which have
+ no grant, and MUST respond to the removal of a grant by revoking the access
+ that the grant allowed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ReferenceGrant.
+ properties:
+ from:
+ description: |-
+ From describes the trusted namespaces and kinds that can reference the
+ resources described in "To". Each entry in this list MUST be considered
+ to be an additional place that references can be valid from, or to put
+ this another way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: ReferenceGrantFrom describes trusted namespaces and
+ kinds.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field.
+
+ When used to permit a SecretObjectReference:
+
+ * Gateway
+
+ When used to permit a BackendObjectReference:
+
+ * GRPCRoute
+ * HTTPRoute
+ * TCPRoute
+ * TLSRoute
+ * UDPRoute
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - namespace
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ to:
+ description: |-
+ To describes the resources that may be referenced by the resources
+ described in "From". Each entry in this list MUST be considered to be an
+ additional place that references can be valid to, or to put this another
+ way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: |-
+ ReferenceGrantTo describes what Kinds are allowed as targets of the
+ references.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field:
+
+ * Secret when used to permit a SecretObjectReference
+ * Service when used to permit a BackendObjectReference
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent. When unspecified, this policy
+ refers to all resources of the specified Group and Kind in the local
+ namespace.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - from
+ - to
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+
+---
+# Source: traefik/crds/hub.traefik.io_accesscontrolpolicies.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: accesscontrolpolicies.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: AccessControlPolicy
+ listKind: AccessControlPolicyList
+ plural: accesscontrolpolicies
+ singular: accesscontrolpolicy
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: AccessControlPolicy defines an access control policy.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: AccessControlPolicySpec configures an access control policy.
+ properties:
+ apiKey:
+ description: AccessControlPolicyAPIKey configure an APIKey control
+ policy.
+ properties:
+ forwardHeaders:
+ additionalProperties:
+ type: string
+ description: ForwardHeaders instructs the middleware to forward
+ key metadata as header values upon successful authentication.
+ type: object
+ keySource:
+ description: KeySource defines how to extract API keys from requests.
+ properties:
+ cookie:
+ description: Cookie is the name of a cookie.
+ type: string
+ header:
+ description: Header is the name of a header.
+ type: string
+ headerAuthScheme:
+ description: |-
+ HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
+ If set, this scheme is removed from the token, and all requests not including it are dropped.
+ type: string
+ query:
+ description: Query is the name of a query parameter.
+ type: string
+ type: object
+ keys:
+ description: Keys define the set of authorized keys to access
+ a protected resource.
+ items:
+ description: AccessControlPolicyAPIKeyKey defines an API key.
+ properties:
+ id:
+ description: ID is the unique identifier of the key.
+ type: string
+ metadata:
+ additionalProperties:
+ type: string
+ description: Metadata holds arbitrary metadata for this
+ key, can be used by ForwardHeaders.
+ type: object
+ value:
+ description: Value is the SHAKE-256 hash (using 64 bytes)
+ of the API key.
+ type: string
+ required:
+ - id
+ - value
+ type: object
+ type: array
+ required:
+ - keySource
+ type: object
+ basicAuth:
+ description: AccessControlPolicyBasicAuth holds the HTTP basic authentication
+ configuration.
+ properties:
+ forwardUsernameHeader:
+ type: string
+ realm:
+ type: string
+ stripAuthorizationHeader:
+ type: boolean
+ users:
+ items:
+ type: string
+ type: array
+ type: object
+ jwt:
+ description: AccessControlPolicyJWT configures a JWT access control
+ policy.
+ properties:
+ claims:
+ type: string
+ forwardHeaders:
+ additionalProperties:
+ type: string
+ type: object
+ jwksFile:
+ type: string
+ jwksUrl:
+ type: string
+ publicKey:
+ type: string
+ signingSecret:
+ type: string
+ signingSecretBase64Encoded:
+ type: boolean
+ stripAuthorizationHeader:
+ type: boolean
+ tokenQueryKey:
+ type: string
+ type: object
+ oAuthIntro:
+ description: AccessControlOAuthIntro configures an OAuth 2.0 Token
+ Introspection access control policy.
+ properties:
+ claims:
+ type: string
+ clientConfig:
+ description: AccessControlOAuthIntroClientConfig configures the
+ OAuth 2.0 client for issuing token introspection requests.
+ properties:
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers to set when sending requests to the Authorization
+ Server.
+ type: object
+ maxRetries:
+ default: 3
+ description: MaxRetries defines the number of retries for
+ introspection requests.
+ type: integer
+ timeoutSeconds:
+ default: 5
+ description: TimeoutSeconds configures the maximum amount
+ of seconds to wait before giving up on requests.
+ type: integer
+ tls:
+ description: TLS configures TLS communication with the Authorization
+ Server.
+ properties:
+ ca:
+ description: CA sets the CA bundle used to sign the Authorization
+ Server certificate.
+ type: string
+ insecureSkipVerify:
+ description: |-
+ InsecureSkipVerify skips the Authorization Server certificate validation.
+ For testing purposes only, do not use in production.
+ type: boolean
+ type: object
+ tokenTypeHint:
+ description: |-
+ TokenTypeHint is a hint to pass to the Authorization Server.
+ See https://tools.ietf.org/html/rfc7662#section-2.1 for more information.
+ type: string
+ url:
+ description: URL of the Authorization Server.
+ type: string
+ required:
+ - url
+ type: object
+ forwardHeaders:
+ additionalProperties:
+ type: string
+ type: object
+ tokenSource:
+ description: |-
+ TokenSource describes how to extract tokens from HTTP requests.
+ If multiple sources are set, the order is the following: header > query > cookie.
+ properties:
+ cookie:
+ description: Cookie is the name of a cookie.
+ type: string
+ header:
+ description: Header is the name of a header.
+ type: string
+ headerAuthScheme:
+ description: |-
+ HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
+ If set, this scheme is removed from the token, and all requests not including it are dropped.
+ type: string
+ query:
+ description: Query is the name of a query parameter.
+ type: string
+ type: object
+ required:
+ - clientConfig
+ - tokenSource
+ type: object
+ oidc:
+ description: AccessControlPolicyOIDC holds the OIDC authentication
+ configuration.
+ properties:
+ authParams:
+ additionalProperties:
+ type: string
+ type: object
+ claims:
+ type: string
+ clientId:
+ type: string
+ disableAuthRedirectionPaths:
+ items:
+ type: string
+ type: array
+ forwardHeaders:
+ additionalProperties:
+ type: string
+ type: object
+ issuer:
+ type: string
+ logoutUrl:
+ type: string
+ redirectUrl:
+ type: string
+ scopes:
+ items:
+ type: string
+ type: array
+ secret:
+ description: |-
+ SecretReference represents a Secret Reference. It has enough information to retrieve secret
+ in any namespace
+ properties:
+ name:
+ description: name is unique within a namespace to reference
+ a secret resource.
+ type: string
+ namespace:
+ description: namespace defines the space within which the
+ secret name must be unique.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ session:
+ description: Session holds session configuration.
+ properties:
+ domain:
+ type: string
+ path:
+ type: string
+ refresh:
+ type: boolean
+ sameSite:
+ type: string
+ secure:
+ type: boolean
+ type: object
+ stateCookie:
+ description: StateCookie holds state cookie configuration.
+ properties:
+ domain:
+ type: string
+ path:
+ type: string
+ sameSite:
+ type: string
+ secure:
+ type: boolean
+ type: object
+ type: object
+ oidcGoogle:
+ description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication
+ configuration.
+ properties:
+ authParams:
+ additionalProperties:
+ type: string
+ type: object
+ clientId:
+ type: string
+ emails:
+ description: Emails are the allowed emails to connect.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ forwardHeaders:
+ additionalProperties:
+ type: string
+ type: object
+ logoutUrl:
+ type: string
+ redirectUrl:
+ type: string
+ secret:
+ description: |-
+ SecretReference represents a Secret Reference. It has enough information to retrieve secret
+ in any namespace
+ properties:
+ name:
+ description: name is unique within a namespace to reference
+ a secret resource.
+ type: string
+ namespace:
+ description: namespace defines the space within which the
+ secret name must be unique.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ session:
+ description: Session holds session configuration.
+ properties:
+ domain:
+ type: string
+ path:
+ type: string
+ refresh:
+ type: boolean
+ sameSite:
+ type: string
+ secure:
+ type: boolean
+ type: object
+ stateCookie:
+ description: StateCookie holds state cookie configuration.
+ properties:
+ domain:
+ type: string
+ path:
+ type: string
+ sameSite:
+ type: string
+ secure:
+ type: boolean
+ type: object
+ type: object
+ type: object
+ status:
+ description: The current status of this access control policy.
+ properties:
+ specHash:
+ type: string
+ syncedAt:
+ format: date-time
+ type: string
+ version:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/hub.traefik.io_aiservices.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: aiservices.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: AIService
+ listKind: AIServiceList
+ plural: aiservices
+ singular: aiservice
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: AIService is a Kubernetes-like Service to interact with a text-based
+ LLM provider. It defines the parameters and credentials required to interact
+ with various LLM providers.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: The desired behavior of this AIService.
+ properties:
+ anthropic:
+ description: Anthropic configures Anthropic backend.
+ properties:
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ token:
+ description: SecretReference references a kubernetes secret.
+ properties:
+ secretName:
+ type: string
+ required:
+ - secretName
+ type: object
+ type: object
+ azureOpenai:
+ description: AzureOpenAI configures AzureOpenAI.
+ properties:
+ apiKeySecret:
+ description: SecretReference references a kubernetes secret.
+ properties:
+ secretName:
+ type: string
+ required:
+ - secretName
+ type: object
+ baseUrl:
+ type: string
+ deploymentName:
+ type: string
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ required:
+ - baseUrl
+ - deploymentName
+ type: object
+ bedrock:
+ description: Bedrock configures Bedrock backend.
+ properties:
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ region:
+ type: string
+ systemMessage:
+ type: boolean
+ type: object
+ cohere:
+ description: Cohere configures Cohere backend.
+ properties:
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ token:
+ description: SecretReference references a kubernetes secret.
+ properties:
+ secretName:
+ type: string
+ required:
+ - secretName
+ type: object
+ type: object
+ deepSeek:
+ description: DeepSeek configures DeepSeek.
+ properties:
+ baseUrl:
+ type: string
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ token:
+ description: SecretReference references a kubernetes secret.
+ properties:
+ secretName:
+ type: string
+ required:
+ - secretName
+ type: object
+ type: object
+ gemini:
+ description: Gemini configures Gemini backend.
+ properties:
+ apiKey:
+ description: SecretReference references a kubernetes secret.
+ properties:
+ secretName:
+ type: string
+ required:
+ - secretName
+ type: object
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ type: object
+ mistral:
+ description: Mistral configures Mistral AI backend.
+ properties:
+ apiKey:
+ description: SecretReference references a kubernetes secret.
+ properties:
+ secretName:
+ type: string
+ required:
+ - secretName
+ type: object
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ type: object
+ ollama:
+ description: Ollama configures Ollama backend.
+ properties:
+ baseUrl:
+ type: string
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ required:
+ - baseUrl
+ type: object
+ openai:
+ description: OpenAI configures OpenAI.
+ properties:
+ baseUrl:
+ type: string
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ token:
+ description: SecretReference references a kubernetes secret.
+ properties:
+ secretName:
+ type: string
+ required:
+ - secretName
+ type: object
+ type: object
+ qWen:
+ description: QWen configures QWen.
+ properties:
+ baseUrl:
+ type: string
+ model:
+ type: string
+ params:
+ description: Params holds the LLM hyperparameters.
+ properties:
+ frequencyPenalty:
+ type: number
+ maxTokens:
+ type: integer
+ presencePenalty:
+ type: number
+ temperature:
+ type: number
+ topP:
+ type: number
+ type: object
+ token:
+ description: SecretReference references a kubernetes secret.
+ properties:
+ secretName:
+ type: string
+ required:
+ - secretName
+ type: object
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/hub.traefik.io_apibundles.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: apibundles.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: APIBundle
+ listKind: APIBundleList
+ plural: apibundles
+ singular: apibundle
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: APIBundle defines a set of APIs.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: The desired behavior of this APIBundle.
+ properties:
+ apiSelector:
+ description: |-
+ APISelector selects the APIs that will be accessible to the configured audience.
+ Multiple APIBundles can select the same set of APIs.
+ This field is optional and follows standard label selector semantics.
+ An empty APISelector matches any API.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ apis:
+ description: |-
+ APIs defines a set of APIs that will be accessible to the configured audience.
+ Multiple APIBundles can select the same APIs.
+ When combined with APISelector, this set of APIs is appended to the matching APIs.
+ items:
+ description: APIReference references an API.
+ properties:
+ name:
+ description: Name of the API.
+ maxLength: 253
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 100
+ type: array
+ x-kubernetes-validations:
+ - message: duplicated apis
+ rule: self.all(x, self.exists_one(y, x.name == y.name))
+ title:
+ description: Title is the human-readable name of the APIBundle that
+ will be used on the portal.
+ maxLength: 253
+ type: string
+ type: object
+ status:
+ description: The current status of this APIBundle.
+ properties:
+ hash:
+ description: Hash is a hash representing the APIBundle.
+ type: string
+ syncedAt:
+ format: date-time
+ type: string
+ version:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/hub.traefik.io_apicatalogitems.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: apicatalogitems.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: APICatalogItem
+ listKind: APICatalogItemList
+ plural: apicatalogitems
+ singular: apicatalogitem
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: APICatalogItem defines APIs that will be part of the API catalog
+ on the portal.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: The desired behavior of this APICatalogItem.
+ properties:
+ apiBundles:
+ description: |-
+ APIBundles defines a set of APIBundle that will be visible to the configured audience.
+ Multiple APICatalogItem can select the same APIBundles.
+ items:
+ description: APIBundleReference references an APIBundle.
+ properties:
+ name:
+ description: Name of the APIBundle.
+ maxLength: 253
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 100
+ type: array
+ x-kubernetes-validations:
+ - message: duplicated apiBundles
+ rule: self.all(x, self.exists_one(y, x.name == y.name))
+ apiPlan:
+ description: |-
+ APIPlan defines which APIPlan will be available.
+ If multiple APICatalogItem specify the same API with different APIPlan, the API consumer will be able to pick
+ a plan from this list.
+ properties:
+ name:
+ description: Name of the APIPlan.
+ maxLength: 253
+ type: string
+ required:
+ - name
+ type: object
+ apiSelector:
+ description: |-
+ APISelector selects the APIs that will be visible to the configured audience.
+ Multiple APICatalogItem can select the same set of APIs.
+ This field is optional and follows standard label selector semantics.
+ An empty APISelector matches any API.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ apis:
+ description: |-
+ APIs defines a set of APIs that will be visible to the configured audience.
+ Multiple APICatalogItem can select the same APIs.
+ When combined with APISelector, this set of APIs is appended to the matching APIs.
+ items:
+ description: APIReference references an API.
+ properties:
+ name:
+ description: Name of the API.
+ maxLength: 253
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 100
+ type: array
+ x-kubernetes-validations:
+ - message: duplicated apis
+ rule: self.all(x, self.exists_one(y, x.name == y.name))
+ everyone:
+ description: Everyone indicates that all users will see these APIs.
+ type: boolean
+ groups:
+ description: Groups are the consumer groups that will see the APIs.
+ items:
+ type: string
+ type: array
+ operationFilter:
+ description: |-
+ OperationFilter specifies the visible operations on APIs and APIVersions.
+ If not set, all operations are available.
+ An empty OperationFilter prohibits all operations.
+ properties:
+ include:
+ description: Include defines the names of OperationSets that will
+ be accessible.
+ items:
+ type: string
+ maxItems: 100
+ type: array
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: groups and everyone are mutually exclusive
+ rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone &&
+ self.groups.size() > 0) : true'
+ status:
+ description: The current status of this APICatalogItem.
+ properties:
+ hash:
+ description: Hash is a hash representing the APICatalogItem.
+ type: string
+ syncedAt:
+ format: date-time
+ type: string
+ version:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/hub.traefik.io_apiplans.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: apiplans.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: APIPlan
+ listKind: APIPlanList
+ plural: apiplans
+ singular: apiplan
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: APIPlan defines API Plan policy.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: The desired behavior of this APIPlan.
+ properties:
+ description:
+ description: Description describes the plan.
+ type: string
+ quota:
+ description: Quota defines the quota policy.
+ properties:
+ limit:
+ description: Limit is the maximum number of token in the bucket.
+ type: integer
+ x-kubernetes-validations:
+ - message: must be a positive number
+ rule: self >= 0
+ period:
+ description: Period is the unit of time for the Limit.
+ format: duration
+ type: string
+ x-kubernetes-validations:
+ - message: must be between 1s and 9999h
+ rule: self >= duration('1s') && self <= duration('9999h')
+ required:
+ - limit
+ type: object
+ rateLimit:
+ description: RateLimit defines the rate limit policy.
+ properties:
+ limit:
+ description: Limit is the maximum number of token in the bucket.
+ type: integer
+ x-kubernetes-validations:
+ - message: must be a positive number
+ rule: self >= 0
+ period:
+ description: Period is the unit of time for the Limit.
+ format: duration
+ type: string
+ x-kubernetes-validations:
+ - message: must be between 1s and 1h
+ rule: self >= duration('1s') && self <= duration('1h')
+ required:
+ - limit
+ type: object
+ title:
+ description: Title is the human-readable name of the plan.
+ type: string
+ required:
+ - title
+ type: object
+ status:
+ description: The current status of this APIPlan.
+ properties:
+ hash:
+ description: Hash is a hash representing the APIPlan.
+ type: string
+ syncedAt:
+ format: date-time
+ type: string
+ version:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/hub.traefik.io_apiportals.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: apiportals.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: APIPortal
+ listKind: APIPortalList
+ plural: apiportals
+ singular: apiportal
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: APIPortal defines a developer portal for accessing the documentation
+ of APIs.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: The desired behavior of this APIPortal.
+ properties:
+ description:
+ description: Description of the APIPortal.
+ type: string
+ title:
+ description: Title is the public facing name of the APIPortal.
+ type: string
+ trustedUrls:
+ description: TrustedURLs are the urls that are trusted by the OAuth
+ 2.0 authorization server.
+ items:
+ type: string
+ maxItems: 1
+ minItems: 1
+ type: array
+ x-kubernetes-validations:
+ - message: must be a valid URLs
+ rule: self.all(x, isURL(x))
+ ui:
+ description: UI holds the UI customization options.
+ properties:
+ logoUrl:
+ description: LogoURL is the public URL of the logo.
+ type: string
+ type: object
+ required:
+ - trustedUrls
+ type: object
+ status:
+ description: The current status of this APIPortal.
+ properties:
+ hash:
+ description: Hash is a hash representing the APIPortal.
+ type: string
+ oidc:
+ description: OIDC is the OIDC configuration for accessing the exposed
+ APIPortal WebUI.
+ properties:
+ clientId:
+ description: ClientID is the OIDC ClientID for accessing the exposed
+ APIPortal WebUI.
+ type: string
+ companyClaim:
+ description: CompanyClaim is the name of the JWT claim containing
+ the user company.
+ type: string
+ emailClaim:
+ description: EmailClaim is the name of the JWT claim containing
+ the user email.
+ type: string
+ firstnameClaim:
+ description: FirstnameClaim is the name of the JWT claim containing
+ the user firstname.
+ type: string
+ generic:
+ description: Generic indicates whether or not the APIPortal authentication
+ relies on Generic OIDC.
+ type: boolean
+ groupsClaim:
+ description: GroupsClaim is the name of the JWT claim containing
+ the user groups.
+ type: string
+ issuer:
+ description: Issuer is the OIDC issuer for accessing the exposed
+ APIPortal WebUI.
+ type: string
+ lastnameClaim:
+ description: LastnameClaim is the name of the JWT claim containing
+ the user lastname.
+ type: string
+ scopes:
+ description: Scopes is the OIDC scopes for getting user attributes
+ during the authentication to the exposed APIPortal WebUI.
+ type: string
+ secretName:
+ description: SecretName is the name of the secret containing the
+ OIDC ClientSecret for accessing the exposed APIPortal WebUI.
+ type: string
+ syncedAttributes:
+ description: SyncedAttributes configure the user attributes to
+ sync.
+ items:
+ type: string
+ type: array
+ userIdClaim:
+ description: UserIDClaim is the name of the JWT claim containing
+ the user ID.
+ type: string
+ type: object
+ syncedAt:
+ format: date-time
+ type: string
+ version:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/hub.traefik.io_apiratelimits.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: apiratelimits.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: APIRateLimit
+ listKind: APIRateLimitList
+ plural: apiratelimits
+ singular: apiratelimit
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: APIRateLimit defines how group of consumers are rate limited
+ on a set of APIs.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: The desired behavior of this APIRateLimit.
+ properties:
+ apiSelector:
+ description: |-
+ APISelector selects the APIs that will be rate limited.
+ Multiple APIRateLimits can select the same set of APIs.
+ This field is optional and follows standard label selector semantics.
+ An empty APISelector matches any API.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ apis:
+ description: |-
+ APIs defines a set of APIs that will be rate limited.
+ Multiple APIRateLimits can select the same APIs.
+ When combined with APISelector, this set of APIs is appended to the matching APIs.
+ items:
+ description: APIReference references an API.
+ properties:
+ name:
+ description: Name of the API.
+ maxLength: 253
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 100
+ type: array
+ x-kubernetes-validations:
+ - message: duplicated apis
+ rule: self.all(x, self.exists_one(y, x.name == y.name))
+ everyone:
+ description: |-
+ Everyone indicates that all users will, by default, be rate limited with this configuration.
+ If an APIRateLimit explicitly target a group, the default rate limit will be ignored.
+ type: boolean
+ groups:
+ description: |-
+ Groups are the consumer groups that will be rate limited.
+ Multiple APIRateLimits can target the same set of consumer groups, the most restrictive one applies.
+ When a consumer belongs to multiple groups, the least restrictive APIRateLimit applies.
+ items:
+ type: string
+ type: array
+ limit:
+ description: Limit is the maximum number of token in the bucket.
+ type: integer
+ x-kubernetes-validations:
+ - message: must be a positive number
+ rule: self >= 0
+ period:
+ description: Period is the unit of time for the Limit.
+ format: duration
+ type: string
+ x-kubernetes-validations:
+ - message: must be between 1s and 1h
+ rule: self >= duration('1s') && self <= duration('1h')
+ strategy:
+ description: |-
+ Strategy defines how the bucket state will be synchronized between the different Traefik Hub instances.
+ It can be, either "local" or "distributed".
+ enum:
+ - local
+ - distributed
+ type: string
+ required:
+ - limit
+ type: object
+ x-kubernetes-validations:
+ - message: groups and everyone are mutually exclusive
+ rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone &&
+ self.groups.size() > 0) : true'
+ status:
+ description: The current status of this APIRateLimit.
+ properties:
+ hash:
+ description: Hash is a hash representing the APIRateLimit.
+ type: string
+ syncedAt:
+ format: date-time
+ type: string
+ version:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/hub.traefik.io_apis.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: apis.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: API
+ listKind: APIList
+ plural: apis
+ singular: api
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ API defines an HTTP interface that is exposed to external clients. It specifies the supported versions
+ and provides instructions for accessing its documentation. Once instantiated, an API object is associated
+ with an Ingress, IngressRoute, or HTTPRoute resource, enabling the exposure of the described API to the outside world.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: APISpec describes the API.
+ properties:
+ cors:
+ description: Cors defines the Cross-Origin Resource Sharing configuration.
+ properties:
+ addVaryHeader:
+ description: AddVaryHeader defines whether the Vary header is
+ automatically added/updated when the AllowOriginsList is set.
+ type: boolean
+ allowCredentials:
+ description: AllowCredentials defines whether the request can
+ include user credentials.
+ type: boolean
+ allowHeadersList:
+ description: AllowHeadersList defines the Access-Control-Request-Headers
+ values sent in preflight response.
+ items:
+ type: string
+ type: array
+ allowMethodsList:
+ description: AllowMethodsList defines the Access-Control-Request-Method
+ values sent in preflight response.
+ items:
+ type: string
+ type: array
+ allowOriginListRegex:
+ description: AllowOriginListRegex is a list of allowable origins
+ written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
+ items:
+ type: string
+ type: array
+ allowOriginsList:
+ description: AllowOriginsList is a list of allowable origins.
+ Can also be a wildcard origin "*".
+ items:
+ type: string
+ type: array
+ exposeHeadersList:
+ description: ExposeHeadersList defines the Access-Control-Expose-Headers
+ values sent in preflight response.
+ items:
+ type: string
+ type: array
+ maxAge:
+ description: MaxAge defines the time that a preflight request
+ may be cached.
+ format: int64
+ type: integer
+ type: object
+ description:
+ description: Description explains what the API does.
+ type: string
+ openApiSpec:
+ description: OpenAPISpec defines the API contract as an OpenAPI specification.
+ properties:
+ operationSets:
+ description: OperationSets defines the sets of operations to be
+ referenced for granular filtering in APICatalogItems or ManagedSubscriptions.
+ items:
+ description: |-
+ OperationSet gives a name to a set of matching OpenAPI operations.
+ This set of operations can then be referenced for granular filtering in APICatalogItems or ManagedSubscriptions.
+ properties:
+ matchers:
+ description: Matchers defines a list of alternative rules
+ for matching OpenAPI operations.
+ items:
+ description: OperationMatcher defines criteria for matching
+ an OpenAPI operation.
+ minProperties: 1
+ properties:
+ methods:
+ description: Methods specifies the HTTP methods to
+ be included for selection.
+ items:
+ type: string
+ maxItems: 10
+ type: array
+ path:
+ description: Path specifies the exact path of the
+ operations to select.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: must start with a '/'
+ rule: self.startsWith('/')
+ - message: cannot contains '../'
+ rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+ pathPrefix:
+ description: PathPrefix specifies the path prefix
+ of the operations to select.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: must start with a '/'
+ rule: self.startsWith('/')
+ - message: cannot contains '../'
+ rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+ pathRegex:
+ description: PathRegex specifies a regular expression
+ pattern for matching operations based on their paths.
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: path, pathPrefix and pathRegex are mutually
+ exclusive
+ rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x,
+ x).size() <= 1'
+ maxItems: 100
+ minItems: 1
+ type: array
+ name:
+ description: Name is the name of the OperationSet to reference
+ in APICatalogItems or ManagedSubscriptions.
+ maxLength: 253
+ type: string
+ required:
+ - matchers
+ - name
+ type: object
+ maxItems: 100
+ type: array
+ override:
+ description: Override holds data used to override OpenAPI specification.
+ properties:
+ servers:
+ items:
+ properties:
+ url:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid URL
+ rule: isURL(self)
+ required:
+ - url
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ required:
+ - servers
+ type: object
+ path:
+ description: |-
+ Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained.
+ The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached.
+ It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services.
+ The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: must start with a '/'
+ rule: self.startsWith('/')
+ - message: cannot contains '../'
+ rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+ url:
+ description: |-
+ URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification.
+ The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid URL
+ rule: isURL(self)
+ validateRequestMethodAndPath:
+ description: |-
+ ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification.
+ This option overrides the default behavior configured in the static configuration.
+ type: boolean
+ type: object
+ x-kubernetes-validations:
+ - message: path or url must be defined
+ rule: has(self.path) || has(self.url)
+ title:
+ description: Title is the human-readable name of the API that will
+ be used on the portal.
+ maxLength: 253
+ type: string
+ versions:
+ description: Versions are the different APIVersions available.
+ items:
+ description: APIVersionRef references an APIVersion.
+ properties:
+ name:
+ description: Name of the APIVersion.
+ maxLength: 253
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ type: object
+ status:
+ description: The current status of this API.
+ properties:
+ hash:
+ description: Hash is a hash representing the API.
+ type: string
+ syncedAt:
+ format: date-time
+ type: string
+ version:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/hub.traefik.io_apiversions.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: apiversions.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: APIVersion
+ listKind: APIVersionList
+ plural: apiversions
+ singular: apiversion
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.title
+ name: Title
+ type: string
+ - jsonPath: .spec.release
+ name: Release
+ type: string
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: APIVersion defines a version of an API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: The desired behavior of this APIVersion.
+ properties:
+ cors:
+ description: Cors defines the Cross-Origin Resource Sharing configuration.
+ properties:
+ addVaryHeader:
+ description: AddVaryHeader defines whether the Vary header is
+ automatically added/updated when the AllowOriginsList is set.
+ type: boolean
+ allowCredentials:
+ description: AllowCredentials defines whether the request can
+ include user credentials.
+ type: boolean
+ allowHeadersList:
+ description: AllowHeadersList defines the Access-Control-Request-Headers
+ values sent in preflight response.
+ items:
+ type: string
+ type: array
+ allowMethodsList:
+ description: AllowMethodsList defines the Access-Control-Request-Method
+ values sent in preflight response.
+ items:
+ type: string
+ type: array
+ allowOriginListRegex:
+ description: AllowOriginListRegex is a list of allowable origins
+ written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
+ items:
+ type: string
+ type: array
+ allowOriginsList:
+ description: AllowOriginsList is a list of allowable origins.
+ Can also be a wildcard origin "*".
+ items:
+ type: string
+ type: array
+ exposeHeadersList:
+ description: ExposeHeadersList defines the Access-Control-Expose-Headers
+ values sent in preflight response.
+ items:
+ type: string
+ type: array
+ maxAge:
+ description: MaxAge defines the time that a preflight request
+ may be cached.
+ format: int64
+ type: integer
+ type: object
+ description:
+ description: Description explains what the APIVersion does.
+ type: string
+ openApiSpec:
+ description: OpenAPISpec defines the API contract as an OpenAPI specification.
+ properties:
+ operationSets:
+ description: OperationSets defines the sets of operations to be
+ referenced for granular filtering in APICatalogItems or ManagedSubscriptions.
+ items:
+ description: |-
+ OperationSet gives a name to a set of matching OpenAPI operations.
+ This set of operations can then be referenced for granular filtering in APICatalogItems or ManagedSubscriptions.
+ properties:
+ matchers:
+ description: Matchers defines a list of alternative rules
+ for matching OpenAPI operations.
+ items:
+ description: OperationMatcher defines criteria for matching
+ an OpenAPI operation.
+ minProperties: 1
+ properties:
+ methods:
+ description: Methods specifies the HTTP methods to
+ be included for selection.
+ items:
+ type: string
+ maxItems: 10
+ type: array
+ path:
+ description: Path specifies the exact path of the
+ operations to select.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: must start with a '/'
+ rule: self.startsWith('/')
+ - message: cannot contains '../'
+ rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+ pathPrefix:
+ description: PathPrefix specifies the path prefix
+ of the operations to select.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: must start with a '/'
+ rule: self.startsWith('/')
+ - message: cannot contains '../'
+ rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+ pathRegex:
+ description: PathRegex specifies a regular expression
+ pattern for matching operations based on their paths.
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: path, pathPrefix and pathRegex are mutually
+ exclusive
+ rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x,
+ x).size() <= 1'
+ maxItems: 100
+ minItems: 1
+ type: array
+ name:
+ description: Name is the name of the OperationSet to reference
+ in APICatalogItems or ManagedSubscriptions.
+ maxLength: 253
+ type: string
+ required:
+ - matchers
+ - name
+ type: object
+ maxItems: 100
+ type: array
+ override:
+ description: Override holds data used to override OpenAPI specification.
+ properties:
+ servers:
+ items:
+ properties:
+ url:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid URL
+ rule: isURL(self)
+ required:
+ - url
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ required:
+ - servers
+ type: object
+ path:
+ description: |-
+ Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained.
+ The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached.
+ It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services.
+ The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
+ maxLength: 255
+ type: string
+ x-kubernetes-validations:
+ - message: must start with a '/'
+ rule: self.startsWith('/')
+ - message: cannot contains '../'
+ rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")'
+ url:
+ description: |-
+ URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification.
+ The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification.
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid URL
+ rule: isURL(self)
+ validateRequestMethodAndPath:
+ description: |-
+ ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification.
+ This option overrides the default behavior configured in the static configuration.
+ type: boolean
+ type: object
+ x-kubernetes-validations:
+ - message: path or url must be defined
+ rule: has(self.path) || has(self.url)
+ release:
+ description: |-
+ Release is the version number of the API.
+ This value must follow the SemVer format: https://semver.org/
+ maxLength: 100
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid semver version
+ rule: self.matches(r"""^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$""")
+ title:
+ description: Title is the public facing name of the APIVersion.
+ type: string
+ required:
+ - release
+ type: object
+ status:
+ description: The current status of this APIVersion.
+ properties:
+ hash:
+ description: Hash is a hash representing the APIVersion.
+ type: string
+ syncedAt:
+ format: date-time
+ type: string
+ version:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
+
+---
+# Source: traefik/crds/hub.traefik.io_managedsubscriptions.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ name: managedsubscriptions.hub.traefik.io
+spec:
+ group: hub.traefik.io
+ names:
+ kind: ManagedSubscription
+ listKind: ManagedSubscriptionList
+ plural: managedsubscriptions
+ singular: managedsubscription
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ManagedSubscription defines a Subscription managed by the API manager as the result of a pre-negotiation with its
+ API consumers. This subscription grant consuming access to a set of APIs to a set of Applications.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: The desired behavior of this ManagedSubscription.
+ properties:
+ apiBundles:
+ description: |-
+ APIBundles defines a set of APIBundle that will be accessible.
+ Multiple ManagedSubscriptions can select the same APIBundles.
+ items:
+ description: APIBundleReference references an APIBundle.
+ properties:
+ name:
+ description: Name of the APIBundle.
+ maxLength: 253
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 100
+ type: array
+ x-kubernetes-validations:
+ - message: duplicated apiBundles
+ rule: self.all(x, self.exists_one(y, x.name == y.name))
+ apiPlan:
+ description: APIPlan defines which APIPlan will be used.
+ properties:
+ name:
+ description: Name of the APIPlan.
+ maxLength: 253
+ type: string
+ required:
+ - name
+ type: object
+ apiSelector:
+ description: |-
+ APISelector selects the APIs that will be accessible.
+ Multiple ManagedSubscriptions can select the same set of APIs.
+ This field is optional and follows standard label selector semantics.
+ An empty APISelector matches any API.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ apis:
+ description: |-
+ APIs defines a set of APIs that will be accessible.
+ Multiple ManagedSubscriptions can select the same APIs.
+ When combined with APISelector, this set of APIs is appended to the matching APIs.
+ items:
+ description: APIReference references an API.
+ properties:
+ name:
+ description: Name of the API.
+ maxLength: 253
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 100
+ type: array
+ x-kubernetes-validations:
+ - message: duplicated apis
+ rule: self.all(x, self.exists_one(y, x.name == y.name))
+ applications:
+ description: |-
+ Applications references the Applications that will gain access to the specified APIs.
+ Multiple ManagedSubscriptions can select the same AppID.
+ items:
+ description: ApplicationReference references an Application.
+ properties:
+ appId:
+ description: |-
+ AppID is the public identifier of the application.
+ In the case of OIDC, it corresponds to the clientId.
+ maxLength: 253
+ type: string
+ required:
+ - appId
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ claims:
+ description: Claims specifies an expression that validate claims in
+ order to authorize the request.
+ type: string
+ operationFilter:
+ description: |-
+ OperationFilter specifies the allowed operations on APIs and APIVersions.
+ If not set, all operations are available.
+ An empty OperationFilter prohibits all operations.
+ properties:
+ include:
+ description: Include defines the names of OperationSets that will
+ be accessible.
+ items:
+ type: string
+ maxItems: 100
+ type: array
+ type: object
+ weight:
+ description: |-
+ Weight specifies the evaluation order of the APIPlan.
+ When multiple ManagedSubscriptions targets the same API and Application with different APIPlan,
+ the APIPlan with the highest weight will be enforced. If weights are equal, alphabetical order is used.
+ type: integer
+ x-kubernetes-validations:
+ - message: must be a positive number
+ rule: self >= 0
+ required:
+ - apiPlan
+ - applications
+ type: object
+ status:
+ description: The current status of this ManagedSubscription.
+ properties:
+ hash:
+ description: Hash is a hash representing the ManagedSubscription.
+ type: string
+ syncedAt:
+ format: date-time
+ type: string
+ version:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_ingressroutes.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: ingressroutes.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: IngressRoute
+ listKind: IngressRouteList
+ plural: ingressroutes
+ singular: ingressroute
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: IngressRouteSpec defines the desired state of IngressRoute.
+ properties:
+ entryPoints:
+ description: |-
+ EntryPoints defines the list of entry point names to bind to.
+ Entry points have to be configured in the static configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
+ Default: all.
+ items:
+ type: string
+ type: array
+ routes:
+ description: Routes defines the list of routes.
+ items:
+ description: Route holds the HTTP route configuration.
+ properties:
+ kind:
+ description: |-
+ Kind defines the kind of the route.
+ Rule is the only supported kind.
+ If not defined, defaults to Rule.
+ enum:
+ - Rule
+ type: string
+ match:
+ description: |-
+ Match defines the router's rule.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule
+ type: string
+ middlewares:
+ description: |-
+ Middlewares defines the list of references to Middleware resources.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-middleware
+ items:
+ description: MiddlewareRef is a reference to a Middleware
+ resource.
+ properties:
+ name:
+ description: Name defines the name of the referenced Middleware
+ resource.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Middleware resource.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ observability:
+ description: |-
+ Observability defines the observability configuration for a router.
+ More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#observability
+ properties:
+ accessLogs:
+ type: boolean
+ metrics:
+ type: boolean
+ tracing:
+ type: boolean
+ type: object
+ priority:
+ description: |-
+ Priority defines the router's priority.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority
+ type: integer
+ services:
+ description: |-
+ Services defines the list of Service.
+ It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
+ items:
+ description: Service defines an upstream HTTP service to proxy
+ traffic to.
+ properties:
+ healthCheck:
+ description: Healthcheck defines health checks for ExternalName
+ services.
+ properties:
+ followRedirects:
+ description: |-
+ FollowRedirects defines whether redirects should be followed during the health check calls.
+ Default: true
+ type: boolean
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers defines custom headers to be
+ sent to the health check endpoint.
+ type: object
+ hostname:
+ description: Hostname defines the value of hostname
+ in the Host header of the health check request.
+ type: string
+ interval:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Interval defines the frequency of the health check calls.
+ Default: 30s
+ x-kubernetes-int-or-string: true
+ method:
+ description: Method defines the healthcheck method.
+ type: string
+ mode:
+ description: |-
+ Mode defines the health check mode.
+ If defined to grpc, will use the gRPC health check protocol to probe the server.
+ Default: http
+ type: string
+ path:
+ description: Path defines the server URL path for
+ the health check endpoint.
+ type: string
+ port:
+ description: Port defines the server URL port for
+ the health check endpoint.
+ type: integer
+ scheme:
+ description: Scheme replaces the server URL scheme
+ for the health check endpoint.
+ type: string
+ status:
+ description: Status defines the expected HTTP status
+ code of the response to the health check request.
+ type: integer
+ timeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+ Default: 5s
+ x-kubernetes-int-or-string: true
+ type: object
+ kind:
+ description: Kind defines the kind of the Service.
+ enum:
+ - Service
+ - TraefikService
+ type: string
+ name:
+ description: |-
+ Name defines the name of the referenced Kubernetes Service or TraefikService.
+ The differentiation between the two is specified in the Kind field.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Kubernetes Service or TraefikService.
+ type: string
+ nativeLB:
+ description: |-
+ NativeLB controls, when creating the load-balancer,
+ whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ The Kubernetes Service itself does load-balance to the pods.
+ By default, NativeLB is false.
+ type: boolean
+ nodePortLB:
+ description: |-
+ NodePortLB controls, when creating the load-balancer,
+ whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ By default, NodePortLB is false.
+ type: boolean
+ passHostHeader:
+ description: |-
+ PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+ By default, passHostHeader is true.
+ type: boolean
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Port defines the port of a Kubernetes Service.
+ This can be a reference to a named port.
+ x-kubernetes-int-or-string: true
+ responseForwarding:
+ description: ResponseForwarding defines how Traefik forwards
+ the response from the upstream Kubernetes Service to
+ the client.
+ properties:
+ flushInterval:
+ description: |-
+ FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+ A negative value means to flush immediately after each write to the client.
+ This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+ for such responses, writes are flushed to the client immediately.
+ Default: 100ms
+ type: string
+ type: object
+ scheme:
+ description: |-
+ Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+ It defaults to https when Kubernetes Service port is 443, http otherwise.
+ type: string
+ serversTransport:
+ description: |-
+ ServersTransport defines the name of ServersTransport resource to use.
+ It allows to configure the transport between Traefik and your servers.
+ Can only be used on a Kubernetes Service.
+ type: string
+ sticky:
+ description: |-
+ Sticky defines the sticky sessions configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+ properties:
+ cookie:
+ description: Cookie defines the sticky cookie configuration.
+ properties:
+ httpOnly:
+ description: HTTPOnly defines whether the cookie
+ can be accessed by client-side APIs, such as
+ JavaScript.
+ type: boolean
+ maxAge:
+ description: |-
+ MaxAge defines the number of seconds until the cookie expires.
+ When set to a negative number, the cookie expires immediately.
+ When set to zero, the cookie never expires.
+ type: integer
+ name:
+ description: Name defines the Cookie name.
+ type: string
+ path:
+ description: |-
+ Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+ When not provided the cookie will be sent on every request to the domain.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+ type: string
+ sameSite:
+ description: |-
+ SameSite defines the same site policy.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+ type: string
+ secure:
+ description: Secure defines whether the cookie
+ can only be transmitted over an encrypted connection
+ (i.e. HTTPS).
+ type: boolean
+ type: object
+ type: object
+ strategy:
+ description: |-
+ Strategy defines the load balancing strategy between the servers.
+ RoundRobin is the only supported value at the moment.
+ type: string
+ weight:
+ description: |-
+ Weight defines the weight and should only be specified when Name references a TraefikService object
+ (and to be precise, one that embeds a Weighted Round Robin).
+ type: integer
+ required:
+ - name
+ type: object
+ type: array
+ syntax:
+ description: |-
+ Syntax defines the router's rule syntax.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax
+ type: string
+ required:
+ - match
+ type: object
+ type: array
+ tls:
+ description: |-
+ TLS defines the TLS configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls
+ properties:
+ certResolver:
+ description: |-
+ CertResolver defines the name of the certificate resolver to use.
+ Cert resolvers have to be configured in the static configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
+ type: string
+ domains:
+ description: |-
+ Domains defines the list of domains that will be used to issue certificates.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
+ items:
+ description: Domain holds a domain name with SANs.
+ properties:
+ main:
+ description: Main defines the main domain name.
+ type: string
+ sans:
+ description: SANs defines the subject alternative domain
+ names.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ options:
+ description: |-
+ Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+ If not defined, the `default` TLSOption is used.
+ More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
+ properties:
+ name:
+ description: |-
+ Name defines the name of the referenced TLSOption.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
+ type: string
+ namespace:
+ description: |-
+ Namespace defines the namespace of the referenced TLSOption.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
+ type: string
+ required:
+ - name
+ type: object
+ secretName:
+ description: SecretName is the name of the referenced Kubernetes
+ Secret to specify the certificate details.
+ type: string
+ store:
+ description: |-
+ Store defines the reference to the TLSStore, that will be used to store certificates.
+ Please note that only `default` TLSStore can be used.
+ properties:
+ name:
+ description: |-
+ Name defines the name of the referenced TLSStore.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
+ type: string
+ namespace:
+ description: |-
+ Namespace defines the namespace of the referenced TLSStore.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - routes
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_ingressroutetcps.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: ingressroutetcps.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: IngressRouteTCP
+ listKind: IngressRouteTCPList
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
+ properties:
+ entryPoints:
+ description: |-
+ EntryPoints defines the list of entry point names to bind to.
+ Entry points have to be configured in the static configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
+ Default: all.
+ items:
+ type: string
+ type: array
+ routes:
+ description: Routes defines the list of routes.
+ items:
+ description: RouteTCP holds the TCP route configuration.
+ properties:
+ match:
+ description: |-
+ Match defines the router's rule.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule_1
+ type: string
+ middlewares:
+ description: Middlewares defines the list of references to MiddlewareTCP
+ resources.
+ items:
+ description: ObjectReference is a generic reference to a Traefik
+ resource.
+ properties:
+ name:
+ description: Name defines the name of the referenced Traefik
+ resource.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Traefik resource.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ priority:
+ description: |-
+ Priority defines the router's priority.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority_1
+ type: integer
+ services:
+ description: Services defines the list of TCP services.
+ items:
+ description: ServiceTCP defines an upstream TCP service to
+ proxy traffic to.
+ properties:
+ name:
+ description: Name defines the name of the referenced Kubernetes
+ Service.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Kubernetes Service.
+ type: string
+ nativeLB:
+ description: |-
+ NativeLB controls, when creating the load-balancer,
+ whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ The Kubernetes Service itself does load-balance to the pods.
+ By default, NativeLB is false.
+ type: boolean
+ nodePortLB:
+ description: |-
+ NodePortLB controls, when creating the load-balancer,
+ whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ By default, NodePortLB is false.
+ type: boolean
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Port defines the port of a Kubernetes Service.
+ This can be a reference to a named port.
+ x-kubernetes-int-or-string: true
+ proxyProtocol:
+ description: |-
+ ProxyProtocol defines the PROXY protocol configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/services/#proxy-protocol
+ properties:
+ version:
+ description: Version defines the PROXY Protocol version
+ to use.
+ type: integer
+ type: object
+ serversTransport:
+ description: |-
+ ServersTransport defines the name of ServersTransportTCP resource to use.
+ It allows to configure the transport between Traefik and your servers.
+ Can only be used on a Kubernetes Service.
+ type: string
+ terminationDelay:
+ description: |-
+ TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates
+ it has closed the writing capability of its connection, to close the reading capability as well,
+ hence fully terminating the connection.
+ It is a duration in milliseconds, defaulting to 100.
+ A negative value means an infinite deadline (i.e. the reading capability is never closed).
+ Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
+ type: integer
+ tls:
+ description: TLS determines whether to use TLS when dialing
+ with the backend.
+ type: boolean
+ weight:
+ description: Weight defines the weight used when balancing
+ requests between multiple Kubernetes Service.
+ type: integer
+ required:
+ - name
+ - port
+ type: object
+ type: array
+ syntax:
+ description: |-
+ Syntax defines the router's rule syntax.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax_1
+ type: string
+ required:
+ - match
+ type: object
+ type: array
+ tls:
+ description: |-
+ TLS defines the TLS configuration on a layer 4 / TCP Route.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls_1
+ properties:
+ certResolver:
+ description: |-
+ CertResolver defines the name of the certificate resolver to use.
+ Cert resolvers have to be configured in the static configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
+ type: string
+ domains:
+ description: |-
+ Domains defines the list of domains that will be used to issue certificates.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
+ items:
+ description: Domain holds a domain name with SANs.
+ properties:
+ main:
+ description: Main defines the main domain name.
+ type: string
+ sans:
+ description: SANs defines the subject alternative domain
+ names.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ options:
+ description: |-
+ Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+ If not defined, the `default` TLSOption is used.
+ More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
+ properties:
+ name:
+ description: Name defines the name of the referenced Traefik
+ resource.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Traefik resource.
+ type: string
+ required:
+ - name
+ type: object
+ passthrough:
+ description: Passthrough defines whether a TLS router will terminate
+ the TLS connection.
+ type: boolean
+ secretName:
+ description: SecretName is the name of the referenced Kubernetes
+ Secret to specify the certificate details.
+ type: string
+ store:
+ description: |-
+ Store defines the reference to the TLSStore, that will be used to store certificates.
+ Please note that only `default` TLSStore can be used.
+ properties:
+ name:
+ description: Name defines the name of the referenced Traefik
+ resource.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Traefik resource.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - routes
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_ingressrouteudps.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: ingressrouteudps.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: IngressRouteUDP
+ listKind: IngressRouteUDPList
+ plural: ingressrouteudps
+ singular: ingressrouteudp
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
+ properties:
+ entryPoints:
+ description: |-
+ EntryPoints defines the list of entry point names to bind to.
+ Entry points have to be configured in the static configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
+ Default: all.
+ items:
+ type: string
+ type: array
+ routes:
+ description: Routes defines the list of routes.
+ items:
+ description: RouteUDP holds the UDP route configuration.
+ properties:
+ services:
+ description: Services defines the list of UDP services.
+ items:
+ description: ServiceUDP defines an upstream UDP service to
+ proxy traffic to.
+ properties:
+ name:
+ description: Name defines the name of the referenced Kubernetes
+ Service.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Kubernetes Service.
+ type: string
+ nativeLB:
+ description: |-
+ NativeLB controls, when creating the load-balancer,
+ whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ The Kubernetes Service itself does load-balance to the pods.
+ By default, NativeLB is false.
+ type: boolean
+ nodePortLB:
+ description: |-
+ NodePortLB controls, when creating the load-balancer,
+ whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ By default, NodePortLB is false.
+ type: boolean
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Port defines the port of a Kubernetes Service.
+ This can be a reference to a named port.
+ x-kubernetes-int-or-string: true
+ weight:
+ description: Weight defines the weight used when balancing
+ requests between multiple Kubernetes Service.
+ type: integer
+ required:
+ - name
+ - port
+ type: object
+ type: array
+ type: object
+ type: array
+ required:
+ - routes
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_middlewares.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: middlewares.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: Middleware
+ listKind: MiddlewareList
+ plural: middlewares
+ singular: middleware
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Middleware is the CRD implementation of a Traefik Middleware.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/overview/
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: MiddlewareSpec defines the desired state of a Middleware.
+ properties:
+ addPrefix:
+ description: |-
+ AddPrefix holds the add prefix middleware configuration.
+ This middleware updates the path of a request before forwarding it.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/addprefix/
+ properties:
+ prefix:
+ description: |-
+ Prefix is the string to add before the current path in the requested URL.
+ It should include a leading slash (/).
+ type: string
+ type: object
+ basicAuth:
+ description: |-
+ BasicAuth holds the basic auth middleware configuration.
+ This middleware restricts access to your services to known users.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/
+ properties:
+ headerField:
+ description: |-
+ HeaderField defines a header field to store the authenticated user.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
+ type: string
+ realm:
+ description: |-
+ Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
+ Default: traefik.
+ type: string
+ removeHeader:
+ description: |-
+ RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.
+ Default: false.
+ type: boolean
+ secret:
+ description: Secret is the name of the referenced Kubernetes Secret
+ containing user credentials.
+ type: string
+ type: object
+ buffering:
+ description: |-
+ Buffering holds the buffering middleware configuration.
+ This middleware retries or limits the size of requests that can be forwarded to backends.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#maxrequestbodybytes
+ properties:
+ maxRequestBodyBytes:
+ description: |-
+ MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).
+ If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.
+ Default: 0 (no maximum).
+ format: int64
+ type: integer
+ maxResponseBodyBytes:
+ description: |-
+ MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes).
+ If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead.
+ Default: 0 (no maximum).
+ format: int64
+ type: integer
+ memRequestBodyBytes:
+ description: |-
+ MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory.
+ Default: 1048576 (1Mi).
+ format: int64
+ type: integer
+ memResponseBodyBytes:
+ description: |-
+ MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory.
+ Default: 1048576 (1Mi).
+ format: int64
+ type: integer
+ retryExpression:
+ description: |-
+ RetryExpression defines the retry conditions.
+ It is a logical combination of functions with operators AND (&&) and OR (||).
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#retryexpression
+ type: string
+ type: object
+ chain:
+ description: |-
+ Chain holds the configuration of the chain middleware.
+ This middleware enables to define reusable combinations of other pieces of middleware.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/chain/
+ properties:
+ middlewares:
+ description: Middlewares is the list of MiddlewareRef which composes
+ the chain.
+ items:
+ description: MiddlewareRef is a reference to a Middleware resource.
+ properties:
+ name:
+ description: Name defines the name of the referenced Middleware
+ resource.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Middleware resource.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ circuitBreaker:
+ description: CircuitBreaker holds the circuit breaker configuration.
+ properties:
+ checkPeriod:
+ anyOf:
+ - type: integer
+ - type: string
+ description: CheckPeriod is the interval between successive checks
+ of the circuit breaker condition (when in standby state).
+ x-kubernetes-int-or-string: true
+ expression:
+ description: Expression is the condition that triggers the tripped
+ state.
+ type: string
+ fallbackDuration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: FallbackDuration is the duration for which the circuit
+ breaker will wait before trying to recover (from a tripped state).
+ x-kubernetes-int-or-string: true
+ recoveryDuration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: RecoveryDuration is the duration for which the circuit
+ breaker will try to recover (as soon as it is in recovering
+ state).
+ x-kubernetes-int-or-string: true
+ responseCode:
+ description: ResponseCode is the status code that the circuit
+ breaker will return while it is in the open state.
+ type: integer
+ type: object
+ compress:
+ description: |-
+ Compress holds the compress middleware configuration.
+ This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/compress/
+ properties:
+ defaultEncoding:
+ description: DefaultEncoding specifies the default encoding if
+ the `Accept-Encoding` header is not in the request or contains
+ a wildcard (`*`).
+ type: string
+ encodings:
+ description: Encodings defines the list of supported compression
+ algorithms.
+ items:
+ type: string
+ type: array
+ excludedContentTypes:
+ description: |-
+ ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
+ `application/grpc` is always excluded.
+ items:
+ type: string
+ type: array
+ includedContentTypes:
+ description: IncludedContentTypes defines the list of content
+ types to compare the Content-Type header of the responses before
+ compressing.
+ items:
+ type: string
+ type: array
+ minResponseBodyBytes:
+ description: |-
+ MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.
+ Default: 1024.
+ type: integer
+ type: object
+ contentType:
+ description: |-
+ ContentType holds the content-type middleware configuration.
+ This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+ properties:
+ autoDetect:
+ description: |-
+ AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
+ be automatically set to a value derived from the contents of the response.
+ Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.
+ type: boolean
+ type: object
+ digestAuth:
+ description: |-
+ DigestAuth holds the digest auth middleware configuration.
+ This middleware restricts access to your services to known users.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/digestauth/
+ properties:
+ headerField:
+ description: |-
+ HeaderField defines a header field to store the authenticated user.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
+ type: string
+ realm:
+ description: |-
+ Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
+ Default: traefik.
+ type: string
+ removeHeader:
+ description: RemoveHeader defines whether to remove the authorization
+ header before forwarding the request to the backend.
+ type: boolean
+ secret:
+ description: Secret is the name of the referenced Kubernetes Secret
+ containing user credentials.
+ type: string
+ type: object
+ errors:
+ description: |-
+ ErrorPage holds the custom error middleware configuration.
+ This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/
+ properties:
+ query:
+ description: |-
+ Query defines the URL for the error page (hosted by service).
+ The {status} variable can be used in order to insert the status code in the URL.
+ type: string
+ service:
+ description: |-
+ Service defines the reference to a Kubernetes Service that will serve the error page.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/#service
+ properties:
+ healthCheck:
+ description: Healthcheck defines health checks for ExternalName
+ services.
+ properties:
+ followRedirects:
+ description: |-
+ FollowRedirects defines whether redirects should be followed during the health check calls.
+ Default: true
+ type: boolean
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers defines custom headers to be sent
+ to the health check endpoint.
+ type: object
+ hostname:
+ description: Hostname defines the value of hostname in
+ the Host header of the health check request.
+ type: string
+ interval:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Interval defines the frequency of the health check calls.
+ Default: 30s
+ x-kubernetes-int-or-string: true
+ method:
+ description: Method defines the healthcheck method.
+ type: string
+ mode:
+ description: |-
+ Mode defines the health check mode.
+ If defined to grpc, will use the gRPC health check protocol to probe the server.
+ Default: http
+ type: string
+ path:
+ description: Path defines the server URL path for the
+ health check endpoint.
+ type: string
+ port:
+ description: Port defines the server URL port for the
+ health check endpoint.
+ type: integer
+ scheme:
+ description: Scheme replaces the server URL scheme for
+ the health check endpoint.
+ type: string
+ status:
+ description: Status defines the expected HTTP status code
+ of the response to the health check request.
+ type: integer
+ timeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+ Default: 5s
+ x-kubernetes-int-or-string: true
+ type: object
+ kind:
+ description: Kind defines the kind of the Service.
+ enum:
+ - Service
+ - TraefikService
+ type: string
+ name:
+ description: |-
+ Name defines the name of the referenced Kubernetes Service or TraefikService.
+ The differentiation between the two is specified in the Kind field.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Kubernetes Service or TraefikService.
+ type: string
+ nativeLB:
+ description: |-
+ NativeLB controls, when creating the load-balancer,
+ whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ The Kubernetes Service itself does load-balance to the pods.
+ By default, NativeLB is false.
+ type: boolean
+ nodePortLB:
+ description: |-
+ NodePortLB controls, when creating the load-balancer,
+ whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ By default, NodePortLB is false.
+ type: boolean
+ passHostHeader:
+ description: |-
+ PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+ By default, passHostHeader is true.
+ type: boolean
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Port defines the port of a Kubernetes Service.
+ This can be a reference to a named port.
+ x-kubernetes-int-or-string: true
+ responseForwarding:
+ description: ResponseForwarding defines how Traefik forwards
+ the response from the upstream Kubernetes Service to the
+ client.
+ properties:
+ flushInterval:
+ description: |-
+ FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+ A negative value means to flush immediately after each write to the client.
+ This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+ for such responses, writes are flushed to the client immediately.
+ Default: 100ms
+ type: string
+ type: object
+ scheme:
+ description: |-
+ Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+ It defaults to https when Kubernetes Service port is 443, http otherwise.
+ type: string
+ serversTransport:
+ description: |-
+ ServersTransport defines the name of ServersTransport resource to use.
+ It allows to configure the transport between Traefik and your servers.
+ Can only be used on a Kubernetes Service.
+ type: string
+ sticky:
+ description: |-
+ Sticky defines the sticky sessions configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+ properties:
+ cookie:
+ description: Cookie defines the sticky cookie configuration.
+ properties:
+ httpOnly:
+ description: HTTPOnly defines whether the cookie can
+ be accessed by client-side APIs, such as JavaScript.
+ type: boolean
+ maxAge:
+ description: |-
+ MaxAge defines the number of seconds until the cookie expires.
+ When set to a negative number, the cookie expires immediately.
+ When set to zero, the cookie never expires.
+ type: integer
+ name:
+ description: Name defines the Cookie name.
+ type: string
+ path:
+ description: |-
+ Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+ When not provided the cookie will be sent on every request to the domain.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+ type: string
+ sameSite:
+ description: |-
+ SameSite defines the same site policy.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+ type: string
+ secure:
+ description: Secure defines whether the cookie can
+ only be transmitted over an encrypted connection
+ (i.e. HTTPS).
+ type: boolean
+ type: object
+ type: object
+ strategy:
+ description: |-
+ Strategy defines the load balancing strategy between the servers.
+ RoundRobin is the only supported value at the moment.
+ type: string
+ weight:
+ description: |-
+ Weight defines the weight and should only be specified when Name references a TraefikService object
+ (and to be precise, one that embeds a Weighted Round Robin).
+ type: integer
+ required:
+ - name
+ type: object
+ status:
+ description: |-
+ Status defines which status or range of statuses should result in an error page.
+ It can be either a status code as a number (500),
+ as multiple comma-separated numbers (500,502),
+ as ranges by separating two codes with a dash (500-599),
+ or a combination of the two (404,418,500-599).
+ items:
+ type: string
+ type: array
+ type: object
+ forwardAuth:
+ description: |-
+ ForwardAuth holds the forward auth middleware configuration.
+ This middleware delegates the request authentication to a Service.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/
+ properties:
+ addAuthCookiesToResponse:
+ description: AddAuthCookiesToResponse defines the list of cookies
+ to copy from the authentication server response to the response.
+ items:
+ type: string
+ type: array
+ address:
+ description: Address defines the authentication server address.
+ type: string
+ authRequestHeaders:
+ description: |-
+ AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.
+ If not set or empty then all request headers are passed.
+ items:
+ type: string
+ type: array
+ authResponseHeaders:
+ description: AuthResponseHeaders defines the list of headers to
+ copy from the authentication server response and set on forwarded
+ request, replacing any existing conflicting headers.
+ items:
+ type: string
+ type: array
+ authResponseHeadersRegex:
+ description: |-
+ AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#authresponseheadersregex
+ type: string
+ forwardBody:
+ description: ForwardBody defines whether to send the request body
+ to the authentication server.
+ type: boolean
+ headerField:
+ description: |-
+ HeaderField defines a header field to store the authenticated user.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#headerfield
+ type: string
+ maxBodySize:
+ description: MaxBodySize defines the maximum body size in bytes
+ allowed to be forwarded to the authentication server.
+ format: int64
+ type: integer
+ preserveLocationHeader:
+ description: PreserveLocationHeader defines whether to forward
+ the Location header to the client as is or prefix it with the
+ domain name of the authentication server.
+ type: boolean
+ tls:
+ description: TLS defines the configuration used to secure the
+ connection to the authentication server.
+ properties:
+ caOptional:
+ description: 'Deprecated: TLS client authentication is a server
+ side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).'
+ type: boolean
+ caSecret:
+ description: |-
+ CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.
+ The CA certificate is extracted from key `tls.ca` or `ca.crt`.
+ type: string
+ certSecret:
+ description: |-
+ CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.
+ The client certificate is extracted from the keys `tls.crt` and `tls.key`.
+ type: string
+ insecureSkipVerify:
+ description: InsecureSkipVerify defines whether the server
+ certificates should be validated.
+ type: boolean
+ type: object
+ trustForwardHeader:
+ description: 'TrustForwardHeader defines whether to trust (ie:
+ forward) all X-Forwarded-* headers.'
+ type: boolean
+ type: object
+ grpcWeb:
+ description: |-
+ GrpcWeb holds the gRPC web middleware configuration.
+ This middleware converts a gRPC web request to an HTTP/2 gRPC request.
+ properties:
+ allowOrigins:
+ description: |-
+ AllowOrigins is a list of allowable origins.
+ Can also be a wildcard origin "*".
+ items:
+ type: string
+ type: array
+ type: object
+ headers:
+ description: |-
+ Headers holds the headers middleware configuration.
+ This middleware manages the requests and responses headers.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/headers/#customrequestheaders
+ properties:
+ accessControlAllowCredentials:
+ description: AccessControlAllowCredentials defines whether the
+ request can include user credentials.
+ type: boolean
+ accessControlAllowHeaders:
+ description: AccessControlAllowHeaders defines the Access-Control-Request-Headers
+ values sent in preflight response.
+ items:
+ type: string
+ type: array
+ accessControlAllowMethods:
+ description: AccessControlAllowMethods defines the Access-Control-Request-Method
+ values sent in preflight response.
+ items:
+ type: string
+ type: array
+ accessControlAllowOriginList:
+ description: AccessControlAllowOriginList is a list of allowable
+ origins. Can also be a wildcard origin "*".
+ items:
+ type: string
+ type: array
+ accessControlAllowOriginListRegex:
+ description: AccessControlAllowOriginListRegex is a list of allowable
+ origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
+ items:
+ type: string
+ type: array
+ accessControlExposeHeaders:
+ description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers
+ values sent in preflight response.
+ items:
+ type: string
+ type: array
+ accessControlMaxAge:
+ description: AccessControlMaxAge defines the time that a preflight
+ request may be cached.
+ format: int64
+ type: integer
+ addVaryHeader:
+ description: AddVaryHeader defines whether the Vary header is
+ automatically added/updated when the AccessControlAllowOriginList
+ is set.
+ type: boolean
+ allowedHosts:
+ description: AllowedHosts defines the fully qualified list of
+ allowed domain names.
+ items:
+ type: string
+ type: array
+ browserXssFilter:
+ description: BrowserXSSFilter defines whether to add the X-XSS-Protection
+ header with the value 1; mode=block.
+ type: boolean
+ contentSecurityPolicy:
+ description: ContentSecurityPolicy defines the Content-Security-Policy
+ header value.
+ type: string
+ contentSecurityPolicyReportOnly:
+ description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only
+ header value.
+ type: string
+ contentTypeNosniff:
+ description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
+ header with the nosniff value.
+ type: boolean
+ customBrowserXSSValue:
+ description: |-
+ CustomBrowserXSSValue defines the X-XSS-Protection header value.
+ This overrides the BrowserXssFilter option.
+ type: string
+ customFrameOptionsValue:
+ description: |-
+ CustomFrameOptionsValue defines the X-Frame-Options header value.
+ This overrides the FrameDeny option.
+ type: string
+ customRequestHeaders:
+ additionalProperties:
+ type: string
+ description: CustomRequestHeaders defines the header names and
+ values to apply to the request.
+ type: object
+ customResponseHeaders:
+ additionalProperties:
+ type: string
+ description: CustomResponseHeaders defines the header names and
+ values to apply to the response.
+ type: object
+ featurePolicy:
+ description: 'Deprecated: FeaturePolicy option is deprecated,
+ please use PermissionsPolicy instead.'
+ type: string
+ forceSTSHeader:
+ description: ForceSTSHeader defines whether to add the STS header
+ even when the connection is HTTP.
+ type: boolean
+ frameDeny:
+ description: FrameDeny defines whether to add the X-Frame-Options
+ header with the DENY value.
+ type: boolean
+ hostsProxyHeaders:
+ description: HostsProxyHeaders defines the header keys that may
+ hold a proxied hostname value for the request.
+ items:
+ type: string
+ type: array
+ isDevelopment:
+ description: |-
+ IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing.
+ Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain.
+ If you would like your development environment to mimic production with complete Host blocking, SSL redirects,
+ and STS headers, leave this as false.
+ type: boolean
+ permissionsPolicy:
+ description: |-
+ PermissionsPolicy defines the Permissions-Policy header value.
+ This allows sites to control browser features.
+ type: string
+ publicKey:
+ description: PublicKey is the public key that implements HPKP
+ to prevent MITM attacks with forged certificates.
+ type: string
+ referrerPolicy:
+ description: |-
+ ReferrerPolicy defines the Referrer-Policy header value.
+ This allows sites to control whether browsers forward the Referer header to other sites.
+ type: string
+ sslForceHost:
+ description: 'Deprecated: SSLForceHost option is deprecated, please
+ use RedirectRegex instead.'
+ type: boolean
+ sslHost:
+ description: 'Deprecated: SSLHost option is deprecated, please
+ use RedirectRegex instead.'
+ type: string
+ sslProxyHeaders:
+ additionalProperties:
+ type: string
+ description: |-
+ SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request.
+ It can be useful when using other proxies (example: "X-Forwarded-Proto": "https").
+ type: object
+ sslRedirect:
+ description: 'Deprecated: SSLRedirect option is deprecated, please
+ use EntryPoint redirection or RedirectScheme instead.'
+ type: boolean
+ sslTemporaryRedirect:
+ description: 'Deprecated: SSLTemporaryRedirect option is deprecated,
+ please use EntryPoint redirection or RedirectScheme instead.'
+ type: boolean
+ stsIncludeSubdomains:
+ description: STSIncludeSubdomains defines whether the includeSubDomains
+ directive is appended to the Strict-Transport-Security header.
+ type: boolean
+ stsPreload:
+ description: STSPreload defines whether the preload flag is appended
+ to the Strict-Transport-Security header.
+ type: boolean
+ stsSeconds:
+ description: |-
+ STSSeconds defines the max-age of the Strict-Transport-Security header.
+ If set to 0, the header is not set.
+ format: int64
+ type: integer
+ type: object
+ inFlightReq:
+ description: |-
+ InFlightReq holds the in-flight request middleware configuration.
+ This middleware limits the number of requests being processed and served concurrently.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/
+ properties:
+ amount:
+ description: |-
+ Amount defines the maximum amount of allowed simultaneous in-flight request.
+ The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).
+ format: int64
+ type: integer
+ sourceCriterion:
+ description: |-
+ SourceCriterion defines what criterion is used to group requests as originating from a common source.
+ If several strategies are defined at the same time, an error will be raised.
+ If none are set, the default is to use the requestHost.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/#sourcecriterion
+ properties:
+ ipStrategy:
+ description: |-
+ IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
+ properties:
+ depth:
+ description: Depth tells Traefik to use the X-Forwarded-For
+ header and take the IP located at the depth position
+ (starting from the right).
+ type: integer
+ excludedIPs:
+ description: ExcludedIPs configures Traefik to scan the
+ X-Forwarded-For header and select the first IP not in
+ the list.
+ items:
+ type: string
+ type: array
+ ipv6Subnet:
+ description: IPv6Subnet configures Traefik to consider
+ all IPv6 addresses from the defined subnet as originating
+ from the same IP. Applies to RemoteAddrStrategy and
+ DepthStrategy.
+ type: integer
+ type: object
+ requestHeaderName:
+ description: RequestHeaderName defines the name of the header
+ used to group incoming requests.
+ type: string
+ requestHost:
+ description: RequestHost defines whether to consider the request
+ Host as the source.
+ type: boolean
+ type: object
+ type: object
+ ipAllowList:
+ description: |-
+ IPAllowList holds the IP allowlist middleware configuration.
+ This middleware limits allowed requests based on the client IP.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/
+ properties:
+ ipStrategy:
+ description: |-
+ IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
+ properties:
+ depth:
+ description: Depth tells Traefik to use the X-Forwarded-For
+ header and take the IP located at the depth position (starting
+ from the right).
+ type: integer
+ excludedIPs:
+ description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
+ header and select the first IP not in the list.
+ items:
+ type: string
+ type: array
+ ipv6Subnet:
+ description: IPv6Subnet configures Traefik to consider all
+ IPv6 addresses from the defined subnet as originating from
+ the same IP. Applies to RemoteAddrStrategy and DepthStrategy.
+ type: integer
+ type: object
+ rejectStatusCode:
+ description: |-
+ RejectStatusCode defines the HTTP status code used for refused requests.
+ If not set, the default is 403 (Forbidden).
+ type: integer
+ sourceRange:
+ description: SourceRange defines the set of allowed IPs (or ranges
+ of allowed IPs by using CIDR notation).
+ items:
+ type: string
+ type: array
+ type: object
+ ipWhiteList:
+ description: 'Deprecated: please use IPAllowList instead.'
+ properties:
+ ipStrategy:
+ description: |-
+ IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
+ properties:
+ depth:
+ description: Depth tells Traefik to use the X-Forwarded-For
+ header and take the IP located at the depth position (starting
+ from the right).
+ type: integer
+ excludedIPs:
+ description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
+ header and select the first IP not in the list.
+ items:
+ type: string
+ type: array
+ ipv6Subnet:
+ description: IPv6Subnet configures Traefik to consider all
+ IPv6 addresses from the defined subnet as originating from
+ the same IP. Applies to RemoteAddrStrategy and DepthStrategy.
+ type: integer
+ type: object
+ sourceRange:
+ description: SourceRange defines the set of allowed IPs (or ranges
+ of allowed IPs by using CIDR notation). Required.
+ items:
+ type: string
+ type: array
+ type: object
+ passTLSClientCert:
+ description: |-
+ PassTLSClientCert holds the pass TLS client cert middleware configuration.
+ This middleware adds the selected data from the passed client TLS certificate to a header.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/passtlsclientcert/
+ properties:
+ info:
+ description: Info selects the specific client certificate details
+ you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
+ properties:
+ issuer:
+ description: Issuer defines the client certificate issuer
+ details to add to the X-Forwarded-Tls-Client-Cert-Info header.
+ properties:
+ commonName:
+ description: CommonName defines whether to add the organizationalUnit
+ information into the issuer.
+ type: boolean
+ country:
+ description: Country defines whether to add the country
+ information into the issuer.
+ type: boolean
+ domainComponent:
+ description: DomainComponent defines whether to add the
+ domainComponent information into the issuer.
+ type: boolean
+ locality:
+ description: Locality defines whether to add the locality
+ information into the issuer.
+ type: boolean
+ organization:
+ description: Organization defines whether to add the organization
+ information into the issuer.
+ type: boolean
+ province:
+ description: Province defines whether to add the province
+ information into the issuer.
+ type: boolean
+ serialNumber:
+ description: SerialNumber defines whether to add the serialNumber
+ information into the issuer.
+ type: boolean
+ type: object
+ notAfter:
+ description: NotAfter defines whether to add the Not After
+ information from the Validity part.
+ type: boolean
+ notBefore:
+ description: NotBefore defines whether to add the Not Before
+ information from the Validity part.
+ type: boolean
+ sans:
+ description: Sans defines whether to add the Subject Alternative
+ Name information from the Subject Alternative Name part.
+ type: boolean
+ serialNumber:
+ description: SerialNumber defines whether to add the client
+ serialNumber information.
+ type: boolean
+ subject:
+ description: Subject defines the client certificate subject
+ details to add to the X-Forwarded-Tls-Client-Cert-Info header.
+ properties:
+ commonName:
+ description: CommonName defines whether to add the organizationalUnit
+ information into the subject.
+ type: boolean
+ country:
+ description: Country defines whether to add the country
+ information into the subject.
+ type: boolean
+ domainComponent:
+ description: DomainComponent defines whether to add the
+ domainComponent information into the subject.
+ type: boolean
+ locality:
+ description: Locality defines whether to add the locality
+ information into the subject.
+ type: boolean
+ organization:
+ description: Organization defines whether to add the organization
+ information into the subject.
+ type: boolean
+ organizationalUnit:
+ description: OrganizationalUnit defines whether to add
+ the organizationalUnit information into the subject.
+ type: boolean
+ province:
+ description: Province defines whether to add the province
+ information into the subject.
+ type: boolean
+ serialNumber:
+ description: SerialNumber defines whether to add the serialNumber
+ information into the subject.
+ type: boolean
+ type: object
+ type: object
+ pem:
+ description: PEM sets the X-Forwarded-Tls-Client-Cert header with
+ the certificate.
+ type: boolean
+ type: object
+ plugin:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: |-
+ Plugin defines the middleware plugin configuration.
+ More info: https://doc.traefik.io/traefik/plugins/
+ type: object
+ rateLimit:
+ description: |-
+ RateLimit holds the rate limit configuration.
+ This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ratelimit/
+ properties:
+ average:
+ description: |-
+ Average is the maximum rate, by default in requests/s, allowed for the given source.
+ It defaults to 0, which means no rate limiting.
+ The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,
+ one needs to define a Period larger than a second.
+ format: int64
+ type: integer
+ burst:
+ description: |-
+ Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.
+ It defaults to 1.
+ format: int64
+ type: integer
+ period:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Period, in combination with Average, defines the actual maximum rate, such as:
+ r = Average / Period. It defaults to a second.
+ x-kubernetes-int-or-string: true
+ sourceCriterion:
+ description: |-
+ SourceCriterion defines what criterion is used to group requests as originating from a common source.
+ If several strategies are defined at the same time, an error will be raised.
+ If none are set, the default is to use the request's remote address field (as an ipStrategy).
+ properties:
+ ipStrategy:
+ description: |-
+ IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
+ properties:
+ depth:
+ description: Depth tells Traefik to use the X-Forwarded-For
+ header and take the IP located at the depth position
+ (starting from the right).
+ type: integer
+ excludedIPs:
+ description: ExcludedIPs configures Traefik to scan the
+ X-Forwarded-For header and select the first IP not in
+ the list.
+ items:
+ type: string
+ type: array
+ ipv6Subnet:
+ description: IPv6Subnet configures Traefik to consider
+ all IPv6 addresses from the defined subnet as originating
+ from the same IP. Applies to RemoteAddrStrategy and
+ DepthStrategy.
+ type: integer
+ type: object
+ requestHeaderName:
+ description: RequestHeaderName defines the name of the header
+ used to group incoming requests.
+ type: string
+ requestHost:
+ description: RequestHost defines whether to consider the request
+ Host as the source.
+ type: boolean
+ type: object
+ type: object
+ redirectRegex:
+ description: |-
+ RedirectRegex holds the redirect regex middleware configuration.
+ This middleware redirects a request using regex matching and replacement.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectregex/#regex
+ properties:
+ permanent:
+ description: Permanent defines whether the redirection is permanent
+ (301).
+ type: boolean
+ regex:
+ description: Regex defines the regex used to match and capture
+ elements from the request URL.
+ type: string
+ replacement:
+ description: Replacement defines how to modify the URL to have
+ the new target URL.
+ type: string
+ type: object
+ redirectScheme:
+ description: |-
+ RedirectScheme holds the redirect scheme middleware configuration.
+ This middleware redirects requests from a scheme/port to another.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectscheme/
+ properties:
+ permanent:
+ description: Permanent defines whether the redirection is permanent
+ (301).
+ type: boolean
+ port:
+ description: Port defines the port of the new URL.
+ type: string
+ scheme:
+ description: Scheme defines the scheme of the new URL.
+ type: string
+ type: object
+ replacePath:
+ description: |-
+ ReplacePath holds the replace path middleware configuration.
+ This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepath/
+ properties:
+ path:
+ description: Path defines the path to use as replacement in the
+ request URL.
+ type: string
+ type: object
+ replacePathRegex:
+ description: |-
+ ReplacePathRegex holds the replace path regex middleware configuration.
+ This middleware replaces the path of a URL using regex matching and replacement.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepathregex/
+ properties:
+ regex:
+ description: Regex defines the regular expression used to match
+ and capture the path from the request URL.
+ type: string
+ replacement:
+ description: Replacement defines the replacement path format,
+ which can include captured variables.
+ type: string
+ type: object
+ retry:
+ description: |-
+ Retry holds the retry middleware configuration.
+ This middleware reissues requests a given number of times to a backend server if that server does not reply.
+ As soon as the server answers, the middleware stops retrying, regardless of the response status.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/retry/
+ properties:
+ attempts:
+ description: Attempts defines how many times the request should
+ be retried.
+ type: integer
+ initialInterval:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialInterval defines the first wait time in the exponential backoff series.
+ The maximum interval is calculated as twice the initialInterval.
+ If unspecified, requests will be retried immediately.
+ The value of initialInterval should be provided in seconds or as a valid duration format,
+ see https://pkg.go.dev/time#ParseDuration.
+ x-kubernetes-int-or-string: true
+ type: object
+ stripPrefix:
+ description: |-
+ StripPrefix holds the strip prefix middleware configuration.
+ This middleware removes the specified prefixes from the URL path.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefix/
+ properties:
+ forceSlash:
+ description: |-
+ Deprecated: ForceSlash option is deprecated, please remove any usage of this option.
+ ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary.
+ Default: true.
+ type: boolean
+ prefixes:
+ description: Prefixes defines the prefixes to strip from the request
+ URL.
+ items:
+ type: string
+ type: array
+ type: object
+ stripPrefixRegex:
+ description: |-
+ StripPrefixRegex holds the strip prefix regex middleware configuration.
+ This middleware removes the matching prefixes from the URL path.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefixregex/
+ properties:
+ regex:
+ description: Regex defines the regular expression to match the
+ path prefix from the request URL.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_middlewaretcps.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: middlewaretcps.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: MiddlewareTCP
+ listKind: MiddlewareTCPList
+ plural: middlewaretcps
+ singular: middlewaretcp
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/overview/
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
+ properties:
+ inFlightConn:
+ description: InFlightConn defines the InFlightConn middleware configuration.
+ properties:
+ amount:
+ description: |-
+ Amount defines the maximum amount of allowed simultaneous connections.
+ The middleware closes the connection if there are already amount connections opened.
+ format: int64
+ type: integer
+ type: object
+ ipAllowList:
+ description: |-
+ IPAllowList defines the IPAllowList middleware configuration.
+ This middleware accepts/refuses connections based on the client IP.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipallowlist/
+ properties:
+ sourceRange:
+ description: SourceRange defines the allowed IPs (or ranges of
+ allowed IPs by using CIDR notation).
+ items:
+ type: string
+ type: array
+ type: object
+ ipWhiteList:
+ description: |-
+ IPWhiteList defines the IPWhiteList middleware configuration.
+ This middleware accepts/refuses connections based on the client IP.
+ Deprecated: please use IPAllowList instead.
+ More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipwhitelist/
+ properties:
+ sourceRange:
+ description: SourceRange defines the allowed IPs (or ranges of
+ allowed IPs by using CIDR notation).
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_serverstransports.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: serverstransports.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: ServersTransport
+ listKind: ServersTransportList
+ plural: serverstransports
+ singular: serverstransport
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ServersTransport is the CRD implementation of a ServersTransport.
+ If no serversTransport is specified, the default@internal will be used.
+ The default@internal serversTransport is created from the static configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_1
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ServersTransportSpec defines the desired state of a ServersTransport.
+ properties:
+ certificatesSecrets:
+ description: CertificatesSecrets defines a list of secret storing
+ client certificates for mTLS.
+ items:
+ type: string
+ type: array
+ disableHTTP2:
+ description: DisableHTTP2 disables HTTP/2 for connections with backend
+ servers.
+ type: boolean
+ forwardingTimeouts:
+ description: ForwardingTimeouts defines the timeouts for requests
+ forwarded to the backend servers.
+ properties:
+ dialTimeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: DialTimeout is the amount of time to wait until a
+ connection to a backend server can be established.
+ x-kubernetes-int-or-string: true
+ idleConnTimeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: IdleConnTimeout is the maximum period for which an
+ idle HTTP keep-alive connection will remain open before closing
+ itself.
+ x-kubernetes-int-or-string: true
+ pingTimeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: PingTimeout is the timeout after which the HTTP/2
+ connection will be closed if a response to ping is not received.
+ x-kubernetes-int-or-string: true
+ readIdleTimeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: ReadIdleTimeout is the timeout after which a health
+ check using ping frame will be carried out if no frame is received
+ on the HTTP/2 connection.
+ x-kubernetes-int-or-string: true
+ responseHeaderTimeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: ResponseHeaderTimeout is the amount of time to wait
+ for a server's response headers after fully writing the request
+ (including its body, if any).
+ x-kubernetes-int-or-string: true
+ type: object
+ insecureSkipVerify:
+ description: InsecureSkipVerify disables SSL certificate verification.
+ type: boolean
+ maxIdleConnsPerHost:
+ description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
+ to keep per-host.
+ type: integer
+ peerCertURI:
+ description: PeerCertURI defines the peer cert URI used to match against
+ SAN URI during the peer certificate verification.
+ type: string
+ rootCAsSecrets:
+ description: RootCAsSecrets defines a list of CA secret used to validate
+ self-signed certificate.
+ items:
+ type: string
+ type: array
+ serverName:
+ description: ServerName defines the server name used to contact the
+ server.
+ type: string
+ spiffe:
+ description: Spiffe defines the SPIFFE configuration.
+ properties:
+ ids:
+ description: IDs defines the allowed SPIFFE IDs (takes precedence
+ over the SPIFFE TrustDomain).
+ items:
+ type: string
+ type: array
+ trustDomain:
+ description: TrustDomain defines the allowed SPIFFE trust domain.
+ type: string
+ type: object
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_serverstransporttcps.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: serverstransporttcps.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: ServersTransportTCP
+ listKind: ServersTransportTCPList
+ plural: serverstransporttcps
+ singular: serverstransporttcp
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ServersTransportTCP is the CRD implementation of a TCPServersTransport.
+ If no tcpServersTransport is specified, a default one named default@internal will be used.
+ The default@internal tcpServersTransport can be configured in the static configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_3
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.
+ properties:
+ dialKeepAlive:
+ anyOf:
+ - type: integer
+ - type: string
+ description: DialKeepAlive is the interval between keep-alive probes
+ for an active network connection. If zero, keep-alive probes are
+ sent with a default value (currently 15 seconds), if supported by
+ the protocol and operating system. Network protocols or operating
+ systems that do not support keep-alives ignore this field. If negative,
+ keep-alive probes are disabled.
+ x-kubernetes-int-or-string: true
+ dialTimeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: DialTimeout is the amount of time to wait until a connection
+ to a backend server can be established.
+ x-kubernetes-int-or-string: true
+ terminationDelay:
+ anyOf:
+ - type: integer
+ - type: string
+ description: TerminationDelay defines the delay to wait before fully
+ terminating the connection, after one connected peer has closed
+ its writing capability.
+ x-kubernetes-int-or-string: true
+ tls:
+ description: TLS defines the TLS configuration
+ properties:
+ certificatesSecrets:
+ description: CertificatesSecrets defines a list of secret storing
+ client certificates for mTLS.
+ items:
+ type: string
+ type: array
+ insecureSkipVerify:
+ description: InsecureSkipVerify disables TLS certificate verification.
+ type: boolean
+ peerCertURI:
+ description: |-
+ MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
+ PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
+ type: string
+ rootCAsSecrets:
+ description: RootCAsSecrets defines a list of CA secret used to
+ validate self-signed certificates.
+ items:
+ type: string
+ type: array
+ serverName:
+ description: ServerName defines the server name used to contact
+ the server.
+ type: string
+ spiffe:
+ description: Spiffe defines the SPIFFE configuration.
+ properties:
+ ids:
+ description: IDs defines the allowed SPIFFE IDs (takes precedence
+ over the SPIFFE TrustDomain).
+ items:
+ type: string
+ type: array
+ trustDomain:
+ description: TrustDomain defines the allowed SPIFFE trust
+ domain.
+ type: string
+ type: object
+ type: object
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_tlsoptions.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: tlsoptions.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: TLSOption
+ listKind: TLSOptionList
+ plural: tlsoptions
+ singular: tlsoption
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
+ More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: TLSOptionSpec defines the desired state of a TLSOption.
+ properties:
+ alpnProtocols:
+ description: |-
+ ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
+ More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
+ items:
+ type: string
+ type: array
+ cipherSuites:
+ description: |-
+ CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
+ More info: https://doc.traefik.io/traefik/v3.3/https/tls/#cipher-suites
+ items:
+ type: string
+ type: array
+ clientAuth:
+ description: ClientAuth defines the server's policy for TLS Client
+ Authentication.
+ properties:
+ clientAuthType:
+ description: ClientAuthType defines the client authentication
+ type to apply.
+ enum:
+ - NoClientCert
+ - RequestClientCert
+ - RequireAnyClientCert
+ - VerifyClientCertIfGiven
+ - RequireAndVerifyClientCert
+ type: string
+ secretNames:
+ description: SecretNames defines the names of the referenced Kubernetes
+ Secret storing certificate details.
+ items:
+ type: string
+ type: array
+ type: object
+ curvePreferences:
+ description: |-
+ CurvePreferences defines the preferred elliptic curves in a specific order.
+ More info: https://doc.traefik.io/traefik/v3.3/https/tls/#curve-preferences
+ items:
+ type: string
+ type: array
+ maxVersion:
+ description: |-
+ MaxVersion defines the maximum TLS version that Traefik will accept.
+ Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+ Default: None.
+ type: string
+ minVersion:
+ description: |-
+ MinVersion defines the minimum TLS version that Traefik will accept.
+ Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+ Default: VersionTLS10.
+ type: string
+ preferServerCipherSuites:
+ description: |-
+ PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
+ It is enabled automatically when minVersion or maxVersion is set.
+ Deprecated: https://github.com/golang/go/issues/45430
+ type: boolean
+ sniStrict:
+ description: SniStrict defines whether Traefik allows connections
+ from clients connections that do not specify a server_name extension.
+ type: boolean
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_tlsstores.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: tlsstores.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: TLSStore
+ listKind: TLSStoreList
+ plural: tlsstores
+ singular: tlsstore
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ TLSStore is the CRD implementation of a Traefik TLS Store.
+ For the time being, only the TLSStore named default is supported.
+ This means that you cannot have two stores that are named default in different Kubernetes namespaces.
+ More info: https://doc.traefik.io/traefik/v3.3/https/tls/#certificates-stores
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: TLSStoreSpec defines the desired state of a TLSStore.
+ properties:
+ certificates:
+ description: Certificates is a list of secret names, each secret holding
+ a key/certificate pair to add to the store.
+ items:
+ description: Certificate holds a secret name for the TLSStore resource.
+ properties:
+ secretName:
+ description: SecretName is the name of the referenced Kubernetes
+ Secret to specify the certificate details.
+ type: string
+ required:
+ - secretName
+ type: object
+ type: array
+ defaultCertificate:
+ description: DefaultCertificate defines the default certificate configuration.
+ properties:
+ secretName:
+ description: SecretName is the name of the referenced Kubernetes
+ Secret to specify the certificate details.
+ type: string
+ required:
+ - secretName
+ type: object
+ defaultGeneratedCert:
+ description: DefaultGeneratedCert defines the default generated certificate
+ configuration.
+ properties:
+ domain:
+ description: Domain is the domain definition for the DefaultCertificate.
+ properties:
+ main:
+ description: Main defines the main domain name.
+ type: string
+ sans:
+ description: SANs defines the subject alternative domain names.
+ items:
+ type: string
+ type: array
+ type: object
+ resolver:
+ description: Resolver is the name of the resolver that will be
+ used to issue the DefaultCertificate.
+ type: string
+ type: object
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/crds/traefik.io_traefikservices.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: traefikservices.traefik.io
+spec:
+ group: traefik.io
+ names:
+ kind: TraefikService
+ listKind: TraefikServiceList
+ plural: traefikservices
+ singular: traefikservice
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ TraefikService is the CRD implementation of a Traefik Service.
+ TraefikService object allows to:
+ - Apply weight to Services on load-balancing
+ - Mirror traffic on services
+ More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-traefikservice
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: TraefikServiceSpec defines the desired state of a TraefikService.
+ properties:
+ mirroring:
+ description: Mirroring defines the Mirroring service configuration.
+ properties:
+ healthCheck:
+ description: Healthcheck defines health checks for ExternalName
+ services.
+ properties:
+ followRedirects:
+ description: |-
+ FollowRedirects defines whether redirects should be followed during the health check calls.
+ Default: true
+ type: boolean
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers defines custom headers to be sent to
+ the health check endpoint.
+ type: object
+ hostname:
+ description: Hostname defines the value of hostname in the
+ Host header of the health check request.
+ type: string
+ interval:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Interval defines the frequency of the health check calls.
+ Default: 30s
+ x-kubernetes-int-or-string: true
+ method:
+ description: Method defines the healthcheck method.
+ type: string
+ mode:
+ description: |-
+ Mode defines the health check mode.
+ If defined to grpc, will use the gRPC health check protocol to probe the server.
+ Default: http
+ type: string
+ path:
+ description: Path defines the server URL path for the health
+ check endpoint.
+ type: string
+ port:
+ description: Port defines the server URL port for the health
+ check endpoint.
+ type: integer
+ scheme:
+ description: Scheme replaces the server URL scheme for the
+ health check endpoint.
+ type: string
+ status:
+ description: Status defines the expected HTTP status code
+ of the response to the health check request.
+ type: integer
+ timeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+ Default: 5s
+ x-kubernetes-int-or-string: true
+ type: object
+ kind:
+ description: Kind defines the kind of the Service.
+ enum:
+ - Service
+ - TraefikService
+ type: string
+ maxBodySize:
+ description: |-
+ MaxBodySize defines the maximum size allowed for the body of the request.
+ If the body is larger, the request is not mirrored.
+ Default value is -1, which means unlimited size.
+ format: int64
+ type: integer
+ mirrorBody:
+ description: |-
+ MirrorBody defines whether the body of the request should be mirrored.
+ Default value is true.
+ type: boolean
+ mirrors:
+ description: Mirrors defines the list of mirrors where Traefik
+ will duplicate the traffic.
+ items:
+ description: MirrorService holds the mirror configuration.
+ properties:
+ healthCheck:
+ description: Healthcheck defines health checks for ExternalName
+ services.
+ properties:
+ followRedirects:
+ description: |-
+ FollowRedirects defines whether redirects should be followed during the health check calls.
+ Default: true
+ type: boolean
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers defines custom headers to be sent
+ to the health check endpoint.
+ type: object
+ hostname:
+ description: Hostname defines the value of hostname
+ in the Host header of the health check request.
+ type: string
+ interval:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Interval defines the frequency of the health check calls.
+ Default: 30s
+ x-kubernetes-int-or-string: true
+ method:
+ description: Method defines the healthcheck method.
+ type: string
+ mode:
+ description: |-
+ Mode defines the health check mode.
+ If defined to grpc, will use the gRPC health check protocol to probe the server.
+ Default: http
+ type: string
+ path:
+ description: Path defines the server URL path for the
+ health check endpoint.
+ type: string
+ port:
+ description: Port defines the server URL port for the
+ health check endpoint.
+ type: integer
+ scheme:
+ description: Scheme replaces the server URL scheme for
+ the health check endpoint.
+ type: string
+ status:
+ description: Status defines the expected HTTP status
+ code of the response to the health check request.
+ type: integer
+ timeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+ Default: 5s
+ x-kubernetes-int-or-string: true
+ type: object
+ kind:
+ description: Kind defines the kind of the Service.
+ enum:
+ - Service
+ - TraefikService
+ type: string
+ name:
+ description: |-
+ Name defines the name of the referenced Kubernetes Service or TraefikService.
+ The differentiation between the two is specified in the Kind field.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Kubernetes Service or TraefikService.
+ type: string
+ nativeLB:
+ description: |-
+ NativeLB controls, when creating the load-balancer,
+ whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ The Kubernetes Service itself does load-balance to the pods.
+ By default, NativeLB is false.
+ type: boolean
+ nodePortLB:
+ description: |-
+ NodePortLB controls, when creating the load-balancer,
+ whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ By default, NodePortLB is false.
+ type: boolean
+ passHostHeader:
+ description: |-
+ PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+ By default, passHostHeader is true.
+ type: boolean
+ percent:
+ description: |-
+ Percent defines the part of the traffic to mirror.
+ Supported values: 0 to 100.
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Port defines the port of a Kubernetes Service.
+ This can be a reference to a named port.
+ x-kubernetes-int-or-string: true
+ responseForwarding:
+ description: ResponseForwarding defines how Traefik forwards
+ the response from the upstream Kubernetes Service to the
+ client.
+ properties:
+ flushInterval:
+ description: |-
+ FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+ A negative value means to flush immediately after each write to the client.
+ This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+ for such responses, writes are flushed to the client immediately.
+ Default: 100ms
+ type: string
+ type: object
+ scheme:
+ description: |-
+ Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+ It defaults to https when Kubernetes Service port is 443, http otherwise.
+ type: string
+ serversTransport:
+ description: |-
+ ServersTransport defines the name of ServersTransport resource to use.
+ It allows to configure the transport between Traefik and your servers.
+ Can only be used on a Kubernetes Service.
+ type: string
+ sticky:
+ description: |-
+ Sticky defines the sticky sessions configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+ properties:
+ cookie:
+ description: Cookie defines the sticky cookie configuration.
+ properties:
+ httpOnly:
+ description: HTTPOnly defines whether the cookie
+ can be accessed by client-side APIs, such as JavaScript.
+ type: boolean
+ maxAge:
+ description: |-
+ MaxAge defines the number of seconds until the cookie expires.
+ When set to a negative number, the cookie expires immediately.
+ When set to zero, the cookie never expires.
+ type: integer
+ name:
+ description: Name defines the Cookie name.
+ type: string
+ path:
+ description: |-
+ Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+ When not provided the cookie will be sent on every request to the domain.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+ type: string
+ sameSite:
+ description: |-
+ SameSite defines the same site policy.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+ type: string
+ secure:
+ description: Secure defines whether the cookie can
+ only be transmitted over an encrypted connection
+ (i.e. HTTPS).
+ type: boolean
+ type: object
+ type: object
+ strategy:
+ description: |-
+ Strategy defines the load balancing strategy between the servers.
+ RoundRobin is the only supported value at the moment.
+ type: string
+ weight:
+ description: |-
+ Weight defines the weight and should only be specified when Name references a TraefikService object
+ (and to be precise, one that embeds a Weighted Round Robin).
+ type: integer
+ required:
+ - name
+ type: object
+ type: array
+ name:
+ description: |-
+ Name defines the name of the referenced Kubernetes Service or TraefikService.
+ The differentiation between the two is specified in the Kind field.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Kubernetes Service or TraefikService.
+ type: string
+ nativeLB:
+ description: |-
+ NativeLB controls, when creating the load-balancer,
+ whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ The Kubernetes Service itself does load-balance to the pods.
+ By default, NativeLB is false.
+ type: boolean
+ nodePortLB:
+ description: |-
+ NodePortLB controls, when creating the load-balancer,
+ whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ By default, NodePortLB is false.
+ type: boolean
+ passHostHeader:
+ description: |-
+ PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+ By default, passHostHeader is true.
+ type: boolean
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Port defines the port of a Kubernetes Service.
+ This can be a reference to a named port.
+ x-kubernetes-int-or-string: true
+ responseForwarding:
+ description: ResponseForwarding defines how Traefik forwards the
+ response from the upstream Kubernetes Service to the client.
+ properties:
+ flushInterval:
+ description: |-
+ FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+ A negative value means to flush immediately after each write to the client.
+ This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+ for such responses, writes are flushed to the client immediately.
+ Default: 100ms
+ type: string
+ type: object
+ scheme:
+ description: |-
+ Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+ It defaults to https when Kubernetes Service port is 443, http otherwise.
+ type: string
+ serversTransport:
+ description: |-
+ ServersTransport defines the name of ServersTransport resource to use.
+ It allows to configure the transport between Traefik and your servers.
+ Can only be used on a Kubernetes Service.
+ type: string
+ sticky:
+ description: |-
+ Sticky defines the sticky sessions configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+ properties:
+ cookie:
+ description: Cookie defines the sticky cookie configuration.
+ properties:
+ httpOnly:
+ description: HTTPOnly defines whether the cookie can be
+ accessed by client-side APIs, such as JavaScript.
+ type: boolean
+ maxAge:
+ description: |-
+ MaxAge defines the number of seconds until the cookie expires.
+ When set to a negative number, the cookie expires immediately.
+ When set to zero, the cookie never expires.
+ type: integer
+ name:
+ description: Name defines the Cookie name.
+ type: string
+ path:
+ description: |-
+ Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+ When not provided the cookie will be sent on every request to the domain.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+ type: string
+ sameSite:
+ description: |-
+ SameSite defines the same site policy.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+ type: string
+ secure:
+ description: Secure defines whether the cookie can only
+ be transmitted over an encrypted connection (i.e. HTTPS).
+ type: boolean
+ type: object
+ type: object
+ strategy:
+ description: |-
+ Strategy defines the load balancing strategy between the servers.
+ RoundRobin is the only supported value at the moment.
+ type: string
+ weight:
+ description: |-
+ Weight defines the weight and should only be specified when Name references a TraefikService object
+ (and to be precise, one that embeds a Weighted Round Robin).
+ type: integer
+ required:
+ - name
+ type: object
+ weighted:
+ description: Weighted defines the Weighted Round Robin configuration.
+ properties:
+ services:
+ description: Services defines the list of Kubernetes Service and/or
+ TraefikService to load-balance, with weight.
+ items:
+ description: Service defines an upstream HTTP service to proxy
+ traffic to.
+ properties:
+ healthCheck:
+ description: Healthcheck defines health checks for ExternalName
+ services.
+ properties:
+ followRedirects:
+ description: |-
+ FollowRedirects defines whether redirects should be followed during the health check calls.
+ Default: true
+ type: boolean
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers defines custom headers to be sent
+ to the health check endpoint.
+ type: object
+ hostname:
+ description: Hostname defines the value of hostname
+ in the Host header of the health check request.
+ type: string
+ interval:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Interval defines the frequency of the health check calls.
+ Default: 30s
+ x-kubernetes-int-or-string: true
+ method:
+ description: Method defines the healthcheck method.
+ type: string
+ mode:
+ description: |-
+ Mode defines the health check mode.
+ If defined to grpc, will use the gRPC health check protocol to probe the server.
+ Default: http
+ type: string
+ path:
+ description: Path defines the server URL path for the
+ health check endpoint.
+ type: string
+ port:
+ description: Port defines the server URL port for the
+ health check endpoint.
+ type: integer
+ scheme:
+ description: Scheme replaces the server URL scheme for
+ the health check endpoint.
+ type: string
+ status:
+ description: Status defines the expected HTTP status
+ code of the response to the health check request.
+ type: integer
+ timeout:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+ Default: 5s
+ x-kubernetes-int-or-string: true
+ type: object
+ kind:
+ description: Kind defines the kind of the Service.
+ enum:
+ - Service
+ - TraefikService
+ type: string
+ name:
+ description: |-
+ Name defines the name of the referenced Kubernetes Service or TraefikService.
+ The differentiation between the two is specified in the Kind field.
+ type: string
+ namespace:
+ description: Namespace defines the namespace of the referenced
+ Kubernetes Service or TraefikService.
+ type: string
+ nativeLB:
+ description: |-
+ NativeLB controls, when creating the load-balancer,
+ whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ The Kubernetes Service itself does load-balance to the pods.
+ By default, NativeLB is false.
+ type: boolean
+ nodePortLB:
+ description: |-
+ NodePortLB controls, when creating the load-balancer,
+ whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ By default, NodePortLB is false.
+ type: boolean
+ passHostHeader:
+ description: |-
+ PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+ By default, passHostHeader is true.
+ type: boolean
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Port defines the port of a Kubernetes Service.
+ This can be a reference to a named port.
+ x-kubernetes-int-or-string: true
+ responseForwarding:
+ description: ResponseForwarding defines how Traefik forwards
+ the response from the upstream Kubernetes Service to the
+ client.
+ properties:
+ flushInterval:
+ description: |-
+ FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+ A negative value means to flush immediately after each write to the client.
+ This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+ for such responses, writes are flushed to the client immediately.
+ Default: 100ms
+ type: string
+ type: object
+ scheme:
+ description: |-
+ Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+ It defaults to https when Kubernetes Service port is 443, http otherwise.
+ type: string
+ serversTransport:
+ description: |-
+ ServersTransport defines the name of ServersTransport resource to use.
+ It allows to configure the transport between Traefik and your servers.
+ Can only be used on a Kubernetes Service.
+ type: string
+ sticky:
+ description: |-
+ Sticky defines the sticky sessions configuration.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+ properties:
+ cookie:
+ description: Cookie defines the sticky cookie configuration.
+ properties:
+ httpOnly:
+ description: HTTPOnly defines whether the cookie
+ can be accessed by client-side APIs, such as JavaScript.
+ type: boolean
+ maxAge:
+ description: |-
+ MaxAge defines the number of seconds until the cookie expires.
+ When set to a negative number, the cookie expires immediately.
+ When set to zero, the cookie never expires.
+ type: integer
+ name:
+ description: Name defines the Cookie name.
+ type: string
+ path:
+ description: |-
+ Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+ When not provided the cookie will be sent on every request to the domain.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+ type: string
+ sameSite:
+ description: |-
+ SameSite defines the same site policy.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+ type: string
+ secure:
+ description: Secure defines whether the cookie can
+ only be transmitted over an encrypted connection
+ (i.e. HTTPS).
+ type: boolean
+ type: object
+ type: object
+ strategy:
+ description: |-
+ Strategy defines the load balancing strategy between the servers.
+ RoundRobin is the only supported value at the moment.
+ type: string
+ weight:
+ description: |-
+ Weight defines the weight and should only be specified when Name references a TraefikService object
+ (and to be precise, one that embeds a Weighted Round Robin).
+ type: integer
+ required:
+ - name
+ type: object
+ type: array
+ sticky:
+ description: |-
+ Sticky defines whether sticky sessions are enabled.
+ More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+ properties:
+ cookie:
+ description: Cookie defines the sticky cookie configuration.
+ properties:
+ httpOnly:
+ description: HTTPOnly defines whether the cookie can be
+ accessed by client-side APIs, such as JavaScript.
+ type: boolean
+ maxAge:
+ description: |-
+ MaxAge defines the number of seconds until the cookie expires.
+ When set to a negative number, the cookie expires immediately.
+ When set to zero, the cookie never expires.
+ type: integer
+ name:
+ description: Name defines the Cookie name.
+ type: string
+ path:
+ description: |-
+ Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+ When not provided the cookie will be sent on every request to the domain.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+ type: string
+ sameSite:
+ description: |-
+ SameSite defines the same site policy.
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+ type: string
+ secure:
+ description: Secure defines whether the cookie can only
+ be transmitted over an encrypted connection (i.e. HTTPS).
+ type: boolean
+ type: object
+ type: object
+ type: object
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+
+---
+# Source: traefik/templates/poddisruptionbudget.yaml
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: traefik
+ namespace: default
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ minAvailable: 1
+---
+# Source: traefik/templates/rbac/serviceaccount.yaml
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: traefik
+ namespace: default
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+automountServiceAccountToken: false
+---
+# Source: traefik/templates/rbac/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: traefik-default
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.io
+ resources:
+ - ingressroutes
+ - ingressroutetcps
+ - ingressrouteudps
+ - middlewares
+ - middlewaretcps
+ - serverstransports
+ - serverstransporttcps
+ - tlsoptions
+ - tlsstores
+ - traefikservices
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Source: traefik/templates/rbac/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: traefik-default
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-default
+subjects:
+ - kind: ServiceAccount
+ name: traefik
+ namespace: default
+---
+# Source: traefik/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: traefik
+ namespace: default
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+spec:
+ type: LoadBalancer
+ loadBalancerIP: 34.141.137.107
+ selector:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ ports:
+ - port: 80
+ name: web
+ targetPort: web
+ protocol: TCP
+ - port: 443
+ name: websecure
+ targetPort: websecure
+ protocol: TCP
+---
+# Source: traefik/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: traefik
+ namespace: default
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 0
+ maxSurge: 1
+ minReadySeconds: 0
+ template:
+ metadata:
+ annotations:
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+ spec:
+ serviceAccountName: traefik
+ automountServiceAccountToken: true
+ terminationGracePeriodSeconds: 60
+ hostNetwork: false
+ containers:
+ - image: docker.io/traefik:v3.3.6
+ imagePullPolicy: IfNotPresent
+ name: traefik
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+ requests:
+ cpu: 200m
+ memory: 256Mi
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: 8080
+ scheme: HTTP
+ failureThreshold: 1
+ initialDelaySeconds: 2
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 8080
+ scheme: HTTP
+ failureThreshold: 3
+ initialDelaySeconds: 2
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ lifecycle:
+ ports:
+ - name: metrics
+ containerPort: 9100
+ protocol: TCP
+ - name: traefik
+ containerPort: 8080
+ protocol: TCP
+ - name: web
+ containerPort: 8000
+ protocol: TCP
+ - name: websecure
+ containerPort: 8443
+ protocol: TCP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: tmp
+ mountPath: /tmp
+ args:
+ - "--global.checknewversion"
+ - "--global.sendanonymoususage"
+ - "--entryPoints.metrics.address=:9100/tcp"
+ - "--entryPoints.traefik.address=:8080/tcp"
+ - "--entryPoints.web.address=:8000/tcp"
+ - "--entryPoints.websecure.address=:8443/tcp"
+ - "--api.dashboard=true"
+ - "--ping=true"
+ - "--metrics.prometheus=true"
+ - "--metrics.prometheus.entrypoint=metrics"
+ - "--metrics.prometheus.addRoutersLabels=true"
+ - "--metrics.prometheus.addEntryPointsLabels=true"
+ - "--metrics.prometheus.addServicesLabels=true"
+ - "--providers.kubernetescrd"
+ - "--providers.kubernetescrd.allowEmptyServices=true"
+ - "--providers.kubernetesingress"
+ - "--providers.kubernetesingress.allowEmptyServices=true"
+ - "--providers.kubernetesingress.ingressendpoint.publishedservice=default/traefik"
+ - "--entryPoints.web.http.redirections.entryPoint.to=:443"
+ - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+ - "--entryPoints.web.http.redirections.entryPoint.permanent=true"
+ - "--entryPoints.websecure.http.tls=true"
+ - "--log.level=INFO"
+ - "--accesslog=true"
+ - "--accesslog.fields.defaultmode=keep"
+ - "--accesslog.fields.headers.defaultmode=drop"
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: GOMAXPROCS
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ divisor: '1'
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ divisor: '1'
+ volumes:
+ - name: data
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+ securityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+---
+# Source: traefik/templates/hpa.yaml
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: traefik
+ namespace: default
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: traefik
+ minReplicas: 3
+ maxReplicas: 5
+---
+# Source: traefik/templates/ingressclass.yaml
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ annotations:
+ ingressclass.kubernetes.io/is-default-class: "true"
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+ name: traefik
+spec:
+ controller: traefik.io/ingress-controller
+---
+# Source: traefik/templates/ingressroute.yaml
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard
+ namespace: default
+ annotations:
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+spec:
+ entryPoints:
+ - traefik
+ routes:
+ - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+ kind: Rule
+ services:
+ - kind: TraefikService
+ name: api@internal
+---
+# Source: traefik/templates/servicemonitor.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: traefik
+ namespace: default
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
+ helm.sh/chart: traefik-35.2.0
+ app.kubernetes.io/managed-by: Helm
+spec:
+ jobLabel: traefik
+ endpoints:
+ - targetPort: metrics
+ path: /metrics
+ namespaceSelector:
+ matchNames:
+ - default
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-default
diff --git a/chartvalidator/checker/utils.go b/chartvalidator/checker/utils.go
index af65904..0f94c7c 100644
--- a/chartvalidator/checker/utils.go
+++ b/chartvalidator/checker/utils.go
@@ -5,7 +5,6 @@ import (
"io/fs"
"os"
"path/filepath"
- "runtime"
"strings"
)
@@ -33,10 +32,10 @@ func logEngine(level, engineName string, workerId int, message string) {
// Split message into lines if it contains newlines
lines := strings.Split(message, "\n")
-
+
// Print first line with full prefix and color
fmt.Printf("%s[%s]\t[%s Worker %d]\t%s%s\n", color, level, engineName, workerId, lines[0], colorReset)
-
+
// Print additional lines with empty columns for alignment
for i := 1; i < len(lines); i++ {
fmt.Printf("\t\t%s\n", lines[i])
@@ -54,24 +53,6 @@ func logEngineWarning(engineName string, workerId int, message string) {
logEngine("WARNING", engineName, workerId, message)
}
-func logEngineError(engineName string, workerId int, message string) {
- logEngine("ERROR", engineName, workerId, message)
-}
-
-// getJobCount returns the number of parallel jobs to run
-func getJobCount() int {
- if s := os.Getenv("KUBECONFORM_JOBS"); strings.TrimSpace(s) != "" {
- if n, err := parseInt(s); err == nil && n > 0 {
- return n
- }
- }
- n := runtime.NumCPU()
- if n <= 0 {
- n = 4
- }
- return n
-}
-
// parseInt parses a string to integer, returning error if invalid
func parseInt(s string) (int, error) {
var n int
@@ -84,11 +65,11 @@ func recreateOutputDir(outputDir string) error {
if err := os.RemoveAll(outputDir); err != nil {
return fmt.Errorf("failed to remove output directory: %w", err)
}
-
+
if err := os.MkdirAll(outputDir, 0755); err != nil {
return fmt.Errorf("failed to create output directory: %w", err)
}
-
+
return nil
}
@@ -128,4 +109,4 @@ func findYAMLFiles(dir string) ([]string, error) {
name := strings.ToLower(d.Name())
return strings.HasSuffix(name, ".yaml") || strings.HasSuffix(name, ".yml")
})
-}
\ No newline at end of file
+}