diff --git a/docs/content/migrate/v3.md b/docs/content/migrate/v3.md
index a326b3400..25e4dde1b 100644
--- a/docs/content/migrate/v3.md
+++ b/docs/content/migrate/v3.md
@@ -653,6 +653,26 @@ Therefore, in the corresponding RBACs (see [KubernetesIngressNGINX](../reference
...
```
+### Kubernetes Gateway API Provider
+
+Starting with `v3.7.0`, the Kubernetes Gateway API provider supports version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the specification,
+which requires the Gateway API CRDs to be updated.
+
+`TLSRoute` has graduated to the Standard channel and no longer requires the `experimentalChannel` option.
+The `experimentalChannel` option is now only needed for `TCPRoute`.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
+```
+
+For the experimental channel:
+
+```shell
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/experimental-install.yaml
+```
+
### Kubernetes CRD Provider
To use the new options of the `retry` middleware with the Kubernetes CRD provider, you need to update your CRDs.
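Review bot: The migration note does not say whether the experimental `kubectl apply` is run instead of, or in addition to, the Standard one, nor whether the CRDs should be updated before or after Traefik itself is upgraded to `v3.7.0`; both are the first things a cluster operator will ask during an upgrade, so state them explicitly. Since `TLSRoute` "no longer requires the `experimentalChannel` option", also add one sentence telling users who enabled that option only for `TLSRoute` that they can now unset it and stay on the Standard bundle, which keeps the installed API surface to what is actually used.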
diff --git a/docs/content/providers/kubernetes-gateway.md b/docs/content/providers/kubernetes-gateway.md
index 27fa805a8..ffe5c1687 100644
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -8,11 +8,11 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
specification from the Kubernetes Special Interest Groups (SIGs).
-This provider supports Standard version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the Gateway API specification.
+This provider supports Standard version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the Gateway API specification.
-It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
+It fully supports all HTTP core and some extended features, as well as `TLSRoute` (Standard channel) and `TCPRoute` (Experimental channel via the [`experimentalChannel`](#experimentalchannel) option).
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.5.1/traefik-traefik).
## Requirements
@@ -27,7 +27,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
```bash
# Install Gateway API CRDs from the Standard channel.
- kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
+ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
```
2. Install the additional Traefik RBAC required for Gateway API.
@@ -251,7 +251,7 @@ providers:
_Optional, Default: false_
Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).
-This option currently enables support for `TCPRoute` and `TLSRoute`.
+This option currently enables support for `TCPRoute`.
```yaml tab="File (YAML)"
providers:
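Review bot: The reworded sentence "This option currently enables support for `TCPRoute`." drops `TLSRoute` without saying where it went; readers of this option's section will not see the migration guide. Add that `TLSRoute` is now served from the Standard channel and does not need this option, so that a deployment which only needs `TLSRoute` can leave the default `false` and skip the Experimental bundle.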
@@ -275,7 +275,7 @@ providers:
```bash
# Install Gateway API CRDs from the Experimental channel.
- kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml
+ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/experimental-install.yaml
```
### `labelselector`
diff --git a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
index 2d7298689..b43b2b9fd 100644
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
@@ -8,11 +8,11 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
specification from the Kubernetes Special Interest Groups (SIGs).
-This provider supports Standard version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the Gateway API specification.
+This provider supports Standard version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the Gateway API specification.
-It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, and `GRPCRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute`, and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
+It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, `GRPCRoute`, and `TLSRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute` from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.5.1/traefik-traefik).
!!! info "Using The Helm Chart"
@@ -27,7 +27,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
```bash
# Install Gateway API CRDs from the Standard channel.
- kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
+ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
```
2. Install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-gateway-rbac.yml).
@@ -71,7 +71,7 @@ providers:
|:----------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.
If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.
**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.kubernetesGateway.endpoint` | Server endpoint URL.
More information [here](#endpoint). | "" | No |
-| `providers.kubernetesGateway.experimentalChannel` | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).
(ex: `TCPRoute` and `TLSRoute`) | false | No |
+| `providers.kubernetesGateway.experimentalChannel` | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).
(ex: `TCPRoute`) | false | No |
| `providers.kubernetesGateway.token` | Bearer token used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesGateway.certAuthFilePath` | Path to the certificate authority file.
Used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesGateway.namespaces` | Array of namespaces to watch.
If left empty, watch all namespaces. | [] | No |
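Review bot: In the `experimentalChannel` row, "(ex: `TCPRoute`)" now introduces a single item as an example, which reads as if the list were open-ended; "(currently `TCPRoute`)" matches the wording used in the option's own section ("This option currently enables support for `TCPRoute`.").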
diff --git a/docs/content/reference/routing-configuration/kubernetes/gateway-api.md b/docs/content/reference/routing-configuration/kubernetes/gateway-api.md
index 675fa7a8d..31fdc5dd5 100644
--- a/docs/content/reference/routing-configuration/kubernetes/gateway-api.md
+++ b/docs/content/reference/routing-configuration/kubernetes/gateway-api.md
@@ -8,11 +8,11 @@ description: "The Kubernetes Gateway API can be used as a provider for routing a
When using the Kubernetes Gateway API provider, Traefik leverages the Gateway API Custom Resource Definitions (CRDs) to obtain its routing configuration.
For detailed information on the Gateway API concepts and resources, refer to the official [documentation](https://gateway-api.sigs.k8s.io/).
-The Kubernetes Gateway API provider supports version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the specification.
+The Kubernetes Gateway API provider supports version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the specification.
-It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, and `GRPCRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute`, and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
+It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, `GRPCRoute`, and `TLSRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute` from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.5.1/traefik-traefik).
## Deploying a Gateway
diff --git a/docs/content/routing/providers/kubernetes-gateway.md b/docs/content/routing/providers/kubernetes-gateway.md
index 4ff202e50..ea7663021 100644
--- a/docs/content/routing/providers/kubernetes-gateway.md
+++ b/docs/content/routing/providers/kubernetes-gateway.md
@@ -8,11 +8,11 @@ description: "The Kubernetes Gateway API can be used as a provider for routing a
When using the Kubernetes Gateway API provider, Traefik leverages the Gateway API Custom Resource Definitions (CRDs) to obtain its routing configuration.
For detailed information on the Gateway API concepts and resources, refer to the official [documentation](https://gateway-api.sigs.k8s.io/).
-The Kubernetes Gateway API provider supports version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the specification.
+The Kubernetes Gateway API provider supports version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the specification.
-It fully supports all `HTTPRoute` core and some extended features, like `GRPCRoute`, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
+It fully supports all `HTTPRoute` core and some extended features, like `GRPCRoute` and `TLSRoute` (Standard channel), as well as `TCPRoute` from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.5.1/traefik-traefik).
## Deploying a Gateway
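Review bot: The feature sentence on this page ("like `GRPCRoute` and `TLSRoute` (Standard channel), as well as `TCPRoute` from the Experimental channel") differs from the two reference pages in this same PR, which also list `BackendTLSPolicy` under the Standard channel, and from the providers page, which lists neither. Pick one canonical sentence and use it on all four pages so the supported-resource list cannot drift between them again.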
diff --git a/go.mod b/go.mod
index d7a2da9a4..3667cef52 100644
--- a/go.mod
+++ b/go.mod
@@ -108,17 +108,18 @@ require (
google.golang.org/grpc v1.79.1
gopkg.in/natefinch/lumberjack.v2 v2.2.1
gopkg.in/yaml.v3 v3.0.1
- k8s.io/api v0.34.3
- k8s.io/apiextensions-apiserver v0.34.3
- k8s.io/apimachinery v0.34.3
- k8s.io/client-go v0.34.3
- k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // No tag on the repo.
+ k8s.io/api v0.35.2
+ k8s.io/apiextensions-apiserver v0.35.2
+ k8s.io/apimachinery v0.35.2
+ k8s.io/client-go v0.35.2
+ k8s.io/utils v0.0.0-20260108192941-914a6e750570 // No tag on the repo.
knative.dev/networking v0.0.0-20251217020127-11890a5dabea
knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1
mvdan.cc/xurls/v2 v2.5.0
- sigs.k8s.io/controller-runtime v0.22.1
- sigs.k8s.io/gateway-api v1.4.0
- sigs.k8s.io/structured-merge-diff/v6 v6.3.1
+ sigs.k8s.io/controller-runtime v0.23.3
+ sigs.k8s.io/gateway-api v1.5.1
+ sigs.k8s.io/gateway-api/conformance v1.5.1
+ sigs.k8s.io/structured-merge-diff/v6 v6.3.2
sigs.k8s.io/yaml v1.6.0
)
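Review bot: `sigs.k8s.io/gateway-api/conformance v1.5.1` becomes a direct requirement of the main module alongside `sigs.k8s.io/gateway-api v1.5.1`; since it is a test-suite module, confirm it is imported only from the integration test packages, so it does not end up in the shipped binary's dependency footprint (and SBOM), and mention in the PR description that the conformance suite now lives in its own module, which is why both lines are needed.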
@@ -148,7 +149,7 @@ require (
github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
- github.com/Masterminds/semver/v3 v3.3.1 // indirect
+ github.com/Masterminds/semver/v3 v3.4.0 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/VividCortex/gohistogram v1.0.0 // indirect
github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0 // indirect
@@ -236,7 +237,6 @@ require (
github.com/google/gnostic-models v0.7.0 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/go-querystring v1.2.0 // indirect
- github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
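Review bot: `github.com/google/pprof` is removed from the `// indirect` block here while `go.sum` in this same PR gains entries for a newer `pprof` pseudo-version, so the module is still in the graph. Confirm this hunk is the output of `go mod tidy` rather than a hand edit; if `tidy` reinstates the line, the PR will fail the next tidy check.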
@@ -278,7 +278,7 @@ require (
github.com/mailgun/minheap v0.0.0-20170619185613-3dbe6c6bf55f // indirect
github.com/mailgun/multibuf v0.1.2 // indirect
github.com/mailgun/timetools v0.0.0-20141028012446-7e6055773c51 // indirect
- github.com/mailru/easyjson v0.9.0 // indirect
+ github.com/mailru/easyjson v0.9.1 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
@@ -369,9 +369,9 @@ require (
github.com/yandex-cloud/go-sdk/v2 v2.56.0 // indirect
github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
github.com/yusufpapurcu/wmi v1.2.4 // indirect
- go.etcd.io/etcd/api/v3 v3.6.4 // indirect
- go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
- go.etcd.io/etcd/client/v3 v3.6.4 // indirect
+ go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+ go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+ go.etcd.io/etcd/client/v3 v3.6.5 // indirect
go.mongodb.org/mongo-driver v1.13.1 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/collector/featuregate v1.41.0 // indirect
@@ -402,7 +402,7 @@ require (
gopkg.in/ns1/ns1-go.v2 v2.17.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 // indirect
+ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
nhooyr.io/websocket v1.8.7 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 3c185a366..0ccb525e9 100644
--- a/go.sum
+++ b/go.sum
@@ -105,8 +105,8 @@ github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go
github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
-github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4=
-github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
@@ -605,8 +605,8 @@ github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hf
github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
-github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc=
+github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
@@ -854,8 +854,8 @@ github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f h1:ZZYhg16XocqSKPGN
github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f/go.mod h1:8heskWJ5c0v5J9WH89ADhyal1DOZcayll8fSbhB+/9A=
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
-github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
+github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8=
+github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
github.com/matryer/moq v0.0.0-20190312154309-6cfb0558e1bd/go.mod h1:9ELz6aaclSIGnZBoaSLZ3NAl1VTufbOrXBPvtcy6WiQ=
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -1012,16 +1012,16 @@ github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
-github.com/onsi/ginkgo/v2 v2.23.3 h1:edHxnszytJ4lD9D5Jjc4tiDkPBZ3siDeJJkUZJJVkp0=
-github.com/onsi/ginkgo/v2 v2.23.3/go.mod h1:zXTP6xIp3U8aVuXN8ENK9IXRaTjFnpVB9mGmaSRvxnM=
+github.com/onsi/ginkgo/v2 v2.28.0 h1:Rrf+lVLmtlBIKv6KrIGJCjyY8N36vDVcutbGJkyqjJc=
+github.com/onsi/ginkgo/v2 v2.28.0/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
-github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
+github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -1340,15 +1340,15 @@ github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo
github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
go.mongodb.org/mongo-driver v1.13.1 h1:YIc7HTYsKndGK4RFzJ3covLz1byri52x0IoMB0Pt/vk=
go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -1991,20 +1991,20 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.34.3 h1:D12sTP257/jSH2vHV2EDYrb16bS7ULlHpdNdNhEw2S4=
-k8s.io/api v0.34.3/go.mod h1:PyVQBF886Q5RSQZOim7DybQjAbVs8g7gwJNhGtY5MBk=
-k8s.io/apiextensions-apiserver v0.34.3 h1:p10fGlkDY09eWKOTeUSioxwLukJnm+KuDZdrW71y40g=
-k8s.io/apiextensions-apiserver v0.34.3/go.mod h1:aujxvqGFRdb/cmXYfcRTeppN7S2XV/t7WMEc64zB5A0=
-k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE=
-k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
-k8s.io/client-go v0.34.3 h1:wtYtpzy/OPNYf7WyNBTj3iUA0XaBHVqhv4Iv3tbrF5A=
-k8s.io/client-go v0.34.3/go.mod h1:OxxeYagaP9Kdf78UrKLa3YZixMCfP6bgPwPwNBQBzpM=
+k8s.io/api v0.35.2 h1:tW7mWc2RpxW7HS4CoRXhtYHSzme1PN1UjGHJ1bdrtdw=
+k8s.io/api v0.35.2/go.mod h1:7AJfqGoAZcwSFhOjcGM7WV05QxMMgUaChNfLTXDRE60=
+k8s.io/apiextensions-apiserver v0.35.2 h1:iyStXHoJZsUXPh/nFAsjC29rjJWdSgUmG1XpApE29c0=
+k8s.io/apiextensions-apiserver v0.35.2/go.mod h1:OdyGvcO1FtMDWQ+rRh/Ei3b6X3g2+ZDHd0MSRGeS8rU=
+k8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8=
+k8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/client-go v0.35.2 h1:YUfPefdGJA4aljDdayAXkc98DnPkIetMl4PrKX97W9o=
+k8s.io/client-go v0.35.2/go.mod h1:4QqEwh4oQpeK8AaefZ0jwTFJw/9kIjdQi0jpKeYvz7g=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 h1:liMHz39T5dJO1aOKHLvwaCjDbf07wVh6yaUlTpunnkE=
-k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY=
+k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
knative.dev/networking v0.0.0-20251217020127-11890a5dabea h1:CsVi1M+NbPIfvBPWI9DQOwlzBG6+w+mAfhUDqw1jeXM=
knative.dev/networking v0.0.0-20251217020127-11890a5dabea/go.mod h1:gPzztUiSYDSB3yHx85xr4j2ZccEdiZDWlLsYHr7fQtg=
knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1 h1:pSZ4sRKm/Kq1ec+7Yhow6jUH0FKZjzrUHpPsy6Lu8pE=
@@ -2017,16 +2017,18 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/controller-runtime v0.22.1 h1:Ah1T7I+0A7ize291nJZdS1CabF/lB4E++WizgV24Eqg=
-sigs.k8s.io/controller-runtime v0.22.1/go.mod h1:FwiwRjkRPbiN+zp2QRp7wlTCzbUXxZ/D4OzuQUDwBHY=
-sigs.k8s.io/gateway-api v1.4.0 h1:ZwlNM6zOHq0h3WUX2gfByPs2yAEsy/EenYJB78jpQfQ=
-sigs.k8s.io/gateway-api v1.4.0/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk=
+sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80=
+sigs.k8s.io/controller-runtime v0.23.3/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0=
+sigs.k8s.io/gateway-api v1.5.1 h1:RqVRIlkhLhUO8wOHKTLnTJA6o/1un4po4/6M1nRzdd0=
+sigs.k8s.io/gateway-api v1.5.1/go.mod h1:GvCETiaMAlLym5CovLxGjS0NysqFk3+Yuq3/rh6QL2o=
+sigs.k8s.io/gateway-api/conformance v1.5.1 h1:5eruSMKcwKnkX42PFek8oO6BgPNBD5FbWbTcRV76KIw=
+sigs.k8s.io/gateway-api/conformance v1.5.1/go.mod h1:mcvYR0Zll1i5hmcKn+jNbWdZTBls6s5GU+FPUFIceXw=
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.1 h1:JrhdFMqOd/+3ByqlP2I45kTOZmTRLBUm5pvRjeheg7E=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.1/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
diff --git a/integration/fixtures/gateway-api-conformance/00-experimental-v1.4.0.yml b/integration/fixtures/gateway-api-conformance/00-experimental-v1.5.1.yml
similarity index 91%
rename from integration/fixtures/gateway-api-conformance/00-experimental-v1.4.0.yml
rename to integration/fixtures/gateway-api-conformance/00-experimental-v1.5.1.yml
index b1e7bd2f2..449907fe2 100644
--- a/integration/fixtures/gateway-api-conformance/00-experimental-v1.4.0.yml
+++ b/integration/fixtures/gateway-api-conformance/00-experimental-v1.5.1.yml
@@ -1,4 +1,4 @@
-# Copyright 2025 The Kubernetes Authors.
+# Copyright The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,8 +23,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
labels:
gateway.networking.k8s.io/policy: Direct
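Review bot: The renamed fixture is a vendored copy of the upstream experimental bundle (`gateway.networking.k8s.io/bundle-version: v1.5.1`, `api-approved.kubernetes.io: .../pull/4530`), but nothing in the PR records how it was produced. State in the PR description (or a comment at the top of the file) that it is a byte-for-byte copy of the `v1.5.1` `experimental-install.yaml` release asset, so a reviewer can check it against the upstream artifact instead of reading a 91%-similarity rename.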
@@ -99,8 +99,6 @@ spec:
targetRefs:
description: |-
TargetRefs identifies an API object to apply the policy to.
- Only Services have Extended support. Implementations MAY support
- additional objects, with Implementation Specific support.
Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide
a more granular application of the policy.
@@ -121,17 +119,42 @@ spec:
example, a policy with a creation timestamp of "2021-07-15
01:02:03" MUST be given precedence over a policy with a
creation timestamp of "2021-07-15 01:02:04".
- * The policy appearing first in alphabetical order by {name}.
- For example, a policy named `bar` is given precedence over a
- policy named `baz`.
+ * The policy appearing first in alphabetical order by {namespace}/{name}.
+ For example, a policy named `foo/bar` is given precedence over a
+ policy named `foo/baz`.
For any BackendTLSPolicy that does not take precedence, the
implementation MUST ensure the `Accepted` Condition is set to
`status: False`, with Reason `Conflicted`.
- Support: Extended for Kubernetes Service
+ Implementations SHOULD NOT support more than one targetRef at this
+ time. Although the API technically allows for this, the current guidance
+ for conflict resolution and status handling is lacking. Until that can be
+ clarified in a future release, the safest approach is to support a single
+ targetRef.
- Support: Implementation-specific for any other resource
+ Support Levels:
+
+ * Extended: Kubernetes Service referenced by HTTPRoute backendRefs.
+
+ * Implementation-Specific: Services not connected via HTTPRoute, and any
+ other kind of backend. Implementations MAY use BackendTLSPolicy for:
+ - Services not referenced by any Route (e.g., infrastructure services)
+ - Gateway feature backends (e.g., ExternalAuth, rate-limiting services)
+ - Service mesh workload-to-service communication
+ - Other resource types beyond Service
+
+ Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent,
+ even outside of the extended HTTPRoute -(backendRef) -> Service path.
+ They SHOULD clearly document how BackendTLSPolicy is interpreted in these
+ scenarios, including:
+ - Which resources beyond Service are supported
+ - How the policy is discovered and applied
+ - Any implementation-specific semantics or restrictions
+
+ Note that this config applies to the entire referenced resource
+ by default, but this default may change in the future to provide
+ a more granular application of the policy.
items:
description: |-
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
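Review bot: the conflict-resolution order in this hunk now sorts by {namespace}/{name} instead of {name}, and the new guidance says implementations SHOULD NOT support more than one targetRef; both change observable provider behaviour rather than only the CRD text. Two BackendTLSPolicies in different namespaces with equal creation timestamps now resolve in a different order, and a policy that lists several targetRefs should be handled deliberately (apply only the first, or reject it with a clear status) instead of being applied to every target. Please confirm the provider's precedence logic and its status reporting (`Accepted: False` with Reason `Conflicted` for the losing policy) follow the updated description, since nothing in the CRD schema enforces it.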
@@ -370,8 +393,8 @@ spec:
x-kubernetes-list-type: atomic
wellKnownCACertificates:
description: |-
- WellKnownCACertificates specifies whether system CA certificates may be used in
- the TLS handshake between the gateway and backend pod.
+ WellKnownCACertificates specifies whether a well-known set of CA certificates
+ may be used in the TLS handshake between the gateway and backend pod.
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of
@@ -381,9 +404,17 @@ spec:
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
a Reason `Invalid`.
+ Valid values include:
+ * "System" - indicates that well-known system CA certificates should be used.
+
+ Implementations MAY define their own sets of CA certificates. Such definitions
+ MUST use an implementation-specific, prefixed name, such as
+ `mycompany.com/my-custom-ca-certificates`.
+
Support: Implementation-specific
- enum:
- - System
+ maxLength: 253
+ minLength: 1
+ pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$
type: string
required:
- hostname
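Review bot: replacing the `System` enum with `maxLength`/`minLength`/`pattern` means the API server no longer rejects unknown values for `wellKnownCACertificates`; any `prefix/name` that matches the pattern (such as the `mycompany.com/my-custom-ca-certificates` example in the description) is now admitted and the provider has to decide what it means. The safe behaviour is to treat any value other than `System` (or a set the provider explicitly defines and documents) as invalid and set `Accepted: False` with Reason `Invalid`, as the description requires, rather than falling back to system CAs or, worse, to no verification of the backend certificate. Please confirm the provider has that check and a test for an unrecognised prefixed value.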
@@ -762,8 +793,6 @@ spec:
targetRefs:
description: |-
TargetRefs identifies an API object to apply the policy to.
- Only Services have Extended support. Implementations MAY support
- additional objects, with Implementation Specific support.
Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide
a more granular application of the policy.
@@ -784,17 +813,42 @@ spec:
example, a policy with a creation timestamp of "2021-07-15
01:02:03" MUST be given precedence over a policy with a
creation timestamp of "2021-07-15 01:02:04".
- * The policy appearing first in alphabetical order by {name}.
- For example, a policy named `bar` is given precedence over a
- policy named `baz`.
+ * The policy appearing first in alphabetical order by {namespace}/{name}.
+ For example, a policy named `foo/bar` is given precedence over a
+ policy named `foo/baz`.
For any BackendTLSPolicy that does not take precedence, the
implementation MUST ensure the `Accepted` Condition is set to
`status: False`, with Reason `Conflicted`.
- Support: Extended for Kubernetes Service
+ Implementations SHOULD NOT support more than one targetRef at this
+ time. Although the API technically allows for this, the current guidance
+ for conflict resolution and status handling is lacking. Until that can be
+ clarified in a future release, the safest approach is to support a single
+ targetRef.
- Support: Implementation-specific for any other resource
+ Support Levels:
+
+ * Extended: Kubernetes Service referenced by HTTPRoute backendRefs.
+
+ * Implementation-Specific: Services not connected via HTTPRoute, and any
+ other kind of backend. Implementations MAY use BackendTLSPolicy for:
+ - Services not referenced by any Route (e.g., infrastructure services)
+ - Gateway feature backends (e.g., ExternalAuth, rate-limiting services)
+ - Service mesh workload-to-service communication
+ - Other resource types beyond Service
+
+ Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent,
+ even outside of the extended HTTPRoute -(backendRef) -> Service path.
+ They SHOULD clearly document how BackendTLSPolicy is interpreted in these
+ scenarios, including:
+ - Which resources beyond Service are supported
+ - How the policy is discovered and applied
+ - Any implementation-specific semantics or restrictions
+
+ Note that this config applies to the entire referenced resource
+ by default, but this default may change in the future to provide
+ a more granular application of the policy.
items:
description: |-
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
@@ -1033,8 +1087,8 @@ spec:
x-kubernetes-list-type: atomic
wellKnownCACertificates:
description: |-
- WellKnownCACertificates specifies whether system CA certificates may be used in
- the TLS handshake between the gateway and backend pod.
+ WellKnownCACertificates specifies whether a well-known set of CA certificates
+ may be used in the TLS handshake between the gateway and backend pod.
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of
@@ -1044,9 +1098,17 @@ spec:
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
a Reason `Invalid`.
+ Valid values include:
+ * "System" - indicates that well-known system CA certificates should be used.
+
+ Implementations MAY define their own sets of CA certificates. Such definitions
+ MUST use an implementation-specific, prefixed name, such as
+ `mycompany.com/my-custom-ca-certificates`.
+
Support: Implementation-specific
- enum:
- - System
+ maxLength: 253
+ minLength: 1
+ pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$
type: string
required:
- hostname
@@ -1367,6 +1429,8 @@ spec:
type: object
served: true
storage: false
+ subresources:
+ status: {}
status:
acceptedNames:
kind: ""
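Review bot: enabling the `status` subresource on this non-storage version (`+ subresources:` / `+ status: {}`) means status writes for it now go only through the `/status` endpoint and status changes sent on the main resource are dropped. If the provider writes status for this version it needs to use the status client (update or patch on `.../status`), and the provider's RBAC needs `update`/`patch` on the `status` subresource of this CRD; otherwise the status updates fail or have no effect without an obvious error in the resource itself.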
@@ -1381,8 +1445,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: gatewayclasses.gateway.networking.k8s.io
spec:
@@ -1900,8 +1964,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: gateways.gateway.networking.k8s.io
spec:
@@ -2036,14 +2100,14 @@ spec:
allowedListeners:
description: |-
AllowedListeners defines which ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
+ The default value is to allow no ListenerSets.
properties:
namespaces:
default:
from: None
description: |-
Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
+ The default value is to allow no ListenerSets.
properties:
from:
default: None
@@ -2056,7 +2120,7 @@ spec:
* All: ListenerSets in all namespaces may be attached to this Gateway.
* None: Only listeners defined in the Gateway's spec are allowed
- While this feature is experimental, the default value None
+ The default value None
enum:
- All
- Selector
@@ -2605,7 +2669,7 @@ spec:
the Gateway SHOULD return a 421.
* If the current Listener (selected by SNI matching during ClientHello)
does not match the Host:
- * If another Listener does match the Host the Gateway SHOULD return a
+ * If another Listener does match the Host, the Gateway SHOULD return a
421.
* If no other Listener matches the Host, the Gateway MUST return a
404.
@@ -2816,6 +2880,9 @@ spec:
- message: tls mode must be Terminate for protocol HTTPS
rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
== '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: tls mode must be set for protocol TLS
+ rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode)
+ && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
|| l.hostname == '''') : true)'
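Review bot: the new rule `tls mode must be set for protocol TLS` is a validation tightening, not a description change: a Gateway that already has a `TLS` listener with no `tls` block or an empty `tls.mode` passes the old CRD but is rejected on its next update once the v1.5.1 CRDs are applied. This is the kind of break the migration guide for this CRD bump should call out, ideally with the fix (set `tls.mode` explicitly, e.g. `Terminate` or `Passthrough`, on such listeners) so users do not discover it through a failed apply.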
@@ -2845,19 +2912,30 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef is a reference to an object that contains a Client
- Certificate and the associated private key.
+ ClientCertificateRef references an object that contains a client certificate
+ and its associated private key. It can reference standard Kubernetes resources,
+ i.e., Secret, or implementation-specific custom resources.
- References to a resource in different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ A ClientCertificateRef is considered invalid if:
- ClientCertificateRef can reference to standard Kubernetes resources, i.e.
- Secret, or implementation-specific custom resources.
+ * It refers to a resource that cannot be resolved (e.g., the referenced resource
+ does not exist) or is misconfigured (e.g., a Secret does not contain the keys
+ named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
+ on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
+ and the Message of the Condition MUST indicate why the reference is invalid.
- Support: Core
+ * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
+ in the target namespace that allows the certificate to be attached.
+ If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
+ on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the certificate
+ content (e.g., checking expiry or enforcing specific formats). In such cases,
+ an implementation-specific Reason and Message MUST be set.
+
+ Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
+ Support: Implementation-specific - Other resource kinds or Secrets with a
+ different type (e.g., `Opaque`).
properties:
group:
default: ""
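Review bot: this description introduces a new Reason, `InvalidClientCertificateRef`, narrows Core support to Secrets of type `kubernetes.io/tls`, and moves the `ResolvedRefs` condition from the listener to the Gateway (the removed lines said "for this listener"). The provider should therefore (a) emit `InvalidClientCertificateRef` when the Secret is missing or lacks `tls.crt`/`tls.key`, with a Message saying why, (b) decide and document how it treats `Opaque` Secrets, which are now implementation-specific, and (c) set the condition at the level this text now specifies. Worth checking all three against the provider's current status handling before the CRD bump ships.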
@@ -2924,27 +3002,49 @@ spec:
properties:
caCertificateRefs:
description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
+ CACertificateRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle, which
+ is used as a trust anchor to validate the certificates presented by
+ the client.
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
+ A CACertificateRef is invalid if:
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
+ * It refers to a resource that cannot be resolved (e.g., the
+ referenced resource does not exist) or is misconfigured (e.g., a
+ ConfigMap does not contain a key named `ca.crt`). In this case, the
+ Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
- Support: Implementation-specific (More than one certificate in a ConfigMap
- with different keys or more than one reference, or other kinds of resources).
+ * It refers to an unknown or unsupported kind of resource. In this
+ case, the Reason on all matching HTTPS listeners must be set to
+ `InvalidCACertificateKind` and the Message of the Condition must explain
+ which kind of resource is unknown or unsupported.
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ * It refers to a resource in another namespace UNLESS there is a
+ ReferenceGrant in the target namespace that allows the CA
+ certificate to be attached. If a ReferenceGrant does not allow this
+ reference, the `ResolvedRefs` on all matching HTTPS listeners condition
+ MUST be set with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the
+ certificate content (e.g., checking expiry or enforcing specific formats).
+ In such cases, an implementation-specific Reason and Message MUST be set.
+
+ In all cases, the implementation MUST ensure that the `ResolvedRefs`
+ condition is set to `status: False` on all targeted listeners (i.e.,
+ listeners serving HTTPS on a matching port). The condition MUST
+ include a Reason and Message that indicate the cause of the error. If
+ ALL CACertificateRefs are invalid, the implementation MUST also ensure
+ the `Accepted` condition on the listener is set to `status: False`, with
+ the Reason `NoValidCACertificate`.
+ Implementations MAY choose to support attaching multiple CA certificates
+ to a listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap, with the
+ CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
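Review bot: the new failure semantics in this hunk leave a gap the provider must close explicitly. When some but not all `caCertificateRefs` are invalid, `ResolvedRefs` goes to `False` but `Accepted` stays `True`, so the listener keeps serving; the provider should then build the client-certificate trust bundle only from the refs that resolved and must never proceed with an empty bundle, i.e. fail closed rather than accept any client certificate. When every ref is invalid it must set `Accepted: False` with Reason `NoValidCACertificate` as described. The provider's condition code also needs the two new Reasons `InvalidCACertificateRef` and `InvalidCACertificateKind`. Note the sentence "the `ResolvedRefs` on all matching HTTPS listeners condition MUST be set" is garbled upstream wording in the vendored bundle; the intent, consistent with the paragraph that follows, is `ResolvedRefs: False` on all matching listeners.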
@@ -3067,27 +3167,49 @@ spec:
properties:
caCertificateRefs:
description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
+ CACertificateRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle, which
+ is used as a trust anchor to validate the certificates presented by
+ the client.
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
+ A CACertificateRef is invalid if:
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
+ * It refers to a resource that cannot be resolved (e.g., the
+ referenced resource does not exist) or is misconfigured (e.g., a
+ ConfigMap does not contain a key named `ca.crt`). In this case, the
+ Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
- Support: Implementation-specific (More than one certificate in a ConfigMap
- with different keys or more than one reference, or other kinds of resources).
+ * It refers to an unknown or unsupported kind of resource. In this
+ case, the Reason on all matching HTTPS listeners must be set to
+ `InvalidCACertificateKind` and the Message of the Condition must explain
+ which kind of resource is unknown or unsupported.
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ * It refers to a resource in another namespace UNLESS there is a
+ ReferenceGrant in the target namespace that allows the CA
+ certificate to be attached. If a ReferenceGrant does not allow this
+ reference, the `ResolvedRefs` on all matching HTTPS listeners condition
+ MUST be set with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the
+ certificate content (e.g., checking expiry or enforcing specific formats).
+ In such cases, an implementation-specific Reason and Message MUST be set.
+
+ In all cases, the implementation MUST ensure that the `ResolvedRefs`
+ condition is set to `status: False` on all targeted listeners (i.e.,
+ listeners serving HTTPS on a matching port). The condition MUST
+ include a Reason and Message that indicate the cause of the error. If
+ ALL CACertificateRefs are invalid, the implementation MUST also ensure
+ the `Accepted` condition on the listener is set to `status: False`, with
+ the Reason `NoValidCACertificate`.
+ Implementations MAY choose to support attaching multiple CA certificates
+ to a listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap, with the
+ CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
@@ -3261,6 +3383,20 @@ spec:
maxItems: 16
type: array
x-kubernetes-list-type: atomic
+ attachedListenerSets:
+ description: |-
+ AttachedListenerSets represents the total number of ListenerSets that have been
+ successfully attached to this Gateway.
+
+ A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
+ - The ListenerSet is selected by the Gateway's AllowedListeners field
+ - The ListenerSet has a valid ParentRef selecting the Gateway
+ - The ListenerSet's status has the condition "Accepted: true"
+
+ Uses for this field include troubleshooting AttachedListenerSets attachment and
+ measuring blast radius/impact of changes to a Gateway.
+ format: int32
+ type: integer
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
@@ -3365,8 +3501,11 @@ spec:
attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set
- for Listeners with condition Accepted: false and MUST count successfully
- attached Routes that may themselves have Accepted: false conditions.
+ for Listeners, even if the Accepted condition of an individual Listener is set
+ to "False". The AttachedRoutes number represents the number of Routes with
+ the Accepted condition set to "True" that have been attached to this Listener.
+ Routes with any other value for the Accepted condition MUST NOT be included
+ in this count.
Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener.
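Review bot: this is a semantic change to `attachedRoutes`, not a wording fix: the removed lines counted successfully attached Routes that may themselves have `Accepted: false`, while the new text says only Routes with `Accepted: True` count and all others MUST NOT be included. If the provider derives `attachedRoutes` from parentRef matching alone it now over-counts; the computation should filter on the Route's Accepted condition for that parent, and the count must still be set on Listeners whose own Accepted condition is False, as the surrounding text requires.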
@@ -3445,7 +3584,7 @@ spec:
supportedKinds:
description: |-
SupportedKinds is the list indicating the Kinds supported by this
- listener. This MUST represent the kinds an implementation supports for
+ listener. This MUST represent the kinds supported by an implementation for
that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT
@@ -3479,7 +3618,6 @@ spec:
- attachedRoutes
- conditions
- name
- - supportedKinds
type: object
maxItems: 64
type: array
@@ -3613,14 +3751,14 @@ spec:
allowedListeners:
description: |-
AllowedListeners defines which ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
+ The default value is to allow no ListenerSets.
properties:
namespaces:
default:
from: None
description: |-
Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
+ The default value is to allow no ListenerSets.
properties:
from:
default: None
@@ -3633,7 +3771,7 @@ spec:
* All: ListenerSets in all namespaces may be attached to this Gateway.
* None: Only listeners defined in the Gateway's spec are allowed
- While this feature is experimental, the default value None
+ The default value None
enum:
- All
- Selector
@@ -4182,7 +4320,7 @@ spec:
the Gateway SHOULD return a 421.
* If the current Listener (selected by SNI matching during ClientHello)
does not match the Host:
- * If another Listener does match the Host the Gateway SHOULD return a
+ * If another Listener does match the Host, the Gateway SHOULD return a
421.
* If no other Listener matches the Host, the Gateway MUST return a
404.
@@ -4393,6 +4531,9 @@ spec:
- message: tls mode must be Terminate for protocol HTTPS
rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
== '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: tls mode must be set for protocol TLS
+ rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode)
+ && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
|| l.hostname == '''') : true)'
@@ -4422,19 +4563,30 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef is a reference to an object that contains a Client
- Certificate and the associated private key.
+ ClientCertificateRef references an object that contains a client certificate
+ and its associated private key. It can reference standard Kubernetes resources,
+ i.e., Secret, or implementation-specific custom resources.
- References to a resource in different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ A ClientCertificateRef is considered invalid if:
- ClientCertificateRef can reference to standard Kubernetes resources, i.e.
- Secret, or implementation-specific custom resources.
+ * It refers to a resource that cannot be resolved (e.g., the referenced resource
+ does not exist) or is misconfigured (e.g., a Secret does not contain the keys
+ named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
+ on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
+ and the Message of the Condition MUST indicate why the reference is invalid.
- Support: Core
+ * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
+ in the target namespace that allows the certificate to be attached.
+ If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
+ on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the certificate
+ content (e.g., checking expiry or enforcing specific formats). In such cases,
+ an implementation-specific Reason and Message MUST be set.
+
+ Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
+ Support: Implementation-specific - Other resource kinds or Secrets with a
+ different type (e.g., `Opaque`).
properties:
group:
default: ""
@@ -4501,27 +4653,49 @@ spec:
properties:
caCertificateRefs:
description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
+ CACertificateRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle, which
+ is used as a trust anchor to validate the certificates presented by
+ the client.
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
+ A CACertificateRef is invalid if:
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
+ * It refers to a resource that cannot be resolved (e.g., the
+ referenced resource does not exist) or is misconfigured (e.g., a
+ ConfigMap does not contain a key named `ca.crt`). In this case, the
+ Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
- Support: Implementation-specific (More than one certificate in a ConfigMap
- with different keys or more than one reference, or other kinds of resources).
+ * It refers to an unknown or unsupported kind of resource. In this
+ case, the Reason on all matching HTTPS listeners must be set to
+ `InvalidCACertificateKind` and the Message of the Condition must explain
+ which kind of resource is unknown or unsupported.
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ * It refers to a resource in another namespace UNLESS there is a
+ ReferenceGrant in the target namespace that allows the CA
+ certificate to be attached. If a ReferenceGrant does not allow this
+ reference, the `ResolvedRefs` on all matching HTTPS listeners condition
+ MUST be set with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the
+ certificate content (e.g., checking expiry or enforcing specific formats).
+ In such cases, an implementation-specific Reason and Message MUST be set.
+
+ In all cases, the implementation MUST ensure that the `ResolvedRefs`
+ condition is set to `status: False` on all targeted listeners (i.e.,
+ listeners serving HTTPS on a matching port). The condition MUST
+ include a Reason and Message that indicate the cause of the error. If
+ ALL CACertificateRefs are invalid, the implementation MUST also ensure
+ the `Accepted` condition on the listener is set to `status: False`, with
+ the Reason `NoValidCACertificate`.
+ Implementations MAY choose to support attaching multiple CA certificates
+ to a listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap, with the
+ CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
@@ -4644,27 +4818,49 @@ spec:
properties:
caCertificateRefs:
description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
+ CACertificateRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle, which
+ is used as a trust anchor to validate the certificates presented by
+ the client.
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
+ A CACertificateRef is invalid if:
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
+ * It refers to a resource that cannot be resolved (e.g., the
+ referenced resource does not exist) or is misconfigured (e.g., a
+ ConfigMap does not contain a key named `ca.crt`). In this case, the
+ Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
- Support: Implementation-specific (More than one certificate in a ConfigMap
- with different keys or more than one reference, or other kinds of resources).
+ * It refers to an unknown or unsupported kind of resource. In this
+ case, the Reason on all matching HTTPS listeners must be set to
+ `InvalidCACertificateKind` and the Message of the Condition must explain
+ which kind of resource is unknown or unsupported.
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ * It refers to a resource in another namespace UNLESS there is a
+ ReferenceGrant in the target namespace that allows the CA
+ certificate to be attached. If a ReferenceGrant does not allow this
+ reference, the `ResolvedRefs` on all matching HTTPS listeners condition
+ MUST be set with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the
+ certificate content (e.g., checking expiry or enforcing specific formats).
+ In such cases, an implementation-specific Reason and Message MUST be set.
+
+ In all cases, the implementation MUST ensure that the `ResolvedRefs`
+ condition is set to `status: False` on all targeted listeners (i.e.,
+ listeners serving HTTPS on a matching port). The condition MUST
+ include a Reason and Message that indicate the cause of the error. If
+ ALL CACertificateRefs are invalid, the implementation MUST also ensure
+ the `Accepted` condition on the listener is set to `status: False`, with
+ the Reason `NoValidCACertificate`.
+ Implementations MAY choose to support attaching multiple CA certificates
+ to a listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap, with the
+ CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
@@ -4838,6 +5034,20 @@ spec:
maxItems: 16
type: array
x-kubernetes-list-type: atomic
+ attachedListenerSets:
+ description: |-
+ AttachedListenerSets represents the total number of ListenerSets that have been
+ successfully attached to this Gateway.
+
+ A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
+ - The ListenerSet is selected by the Gateway's AllowedListeners field
+ - The ListenerSet has a valid ParentRef selecting the Gateway
+ - The ListenerSet's status has the condition "Accepted: true"
+
+ Uses for this field include troubleshooting AttachedListenerSets attachment and
+ measuring blast radius/impact of changes to a Gateway.
+ format: int32
+ type: integer
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
@@ -4942,8 +5152,11 @@ spec:
attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set
- for Listeners with condition Accepted: false and MUST count successfully
- attached Routes that may themselves have Accepted: false conditions.
+ for Listeners, even if the Accepted condition of an individual Listener is set
+ to "False". The AttachedRoutes number represents the number of Routes with
+ the Accepted condition set to "True" that have been attached to this Listener.
+ Routes with any other value for the Accepted condition MUST NOT be included
+ in this count.
Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener.
@@ -5022,7 +5235,7 @@ spec:
supportedKinds:
description: |-
SupportedKinds is the list indicating the Kinds supported by this
- listener. This MUST represent the kinds an implementation supports for
+ listener. This MUST represent the kinds supported by an implementation for
that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT
@@ -5056,7 +5269,6 @@ spec:
- attachedRoutes
- conditions
- name
- - supportedKinds
type: object
maxItems: 64
type: array
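Review bot: Removing `supportedKinds` from the listener status `required` list means the schema now accepts listener status entries without it. Consumers of listener status should treat a missing `supportedKinds` as "not reported" rather than "no kinds supported"; the simplest way for the status writer to stay compatible with tooling built against v1.4.0 is to keep populating the field unconditionally.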
@@ -5085,8 +5297,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: grpcroutes.gateway.networking.k8s.io
spec:
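Review bot: The `gateway.networking.k8s.io/bundle-version` and `api-approved.kubernetes.io` annotations move to v1.5.1 / pull/4530 here and again for httproutes further down; every CRD shipped from this bundle needs the same pair, since a mix of bundle-versions across installed CRDs is the first symptom of a half-applied upgrade. A grep of the generated files for any remaining `v1.4.0` or `pull/3328` would confirm nothing was missed.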
@@ -5628,10 +5840,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
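Review bot: The new `pattern: ^[!-~]+([\t ]?[!-~]+)*$` on header match values is a tightening with two consequences worth spelling out in the migration notes. First, CRD validation applies on write: Route objects already stored with a header value containing non-ASCII characters, leading or trailing whitespace, or two adjacent spaces keep working until they are next updated, at which point the apiserver rejects them. Second, the character class excludes every control character, CR and LF included, so a header match value can no longer carry a line break into whatever the implementation does with it, which is a hardening worth a changelog line. The same description/pattern pair is repeated verbatim for each header-match occurrence below; the RFC 7230 link is upstream text (RFC 7230 has since been obsoleted by RFC 9110 and RFC 9112) and should be corrected upstream rather than in the generated file.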
@@ -5703,10 +5919,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5911,10 +6131,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5986,10 +6210,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6280,10 +6508,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6354,10 +6586,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6561,10 +6797,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6635,10 +6875,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6789,8 +7033,8 @@ spec:
- method:
type: Exact
service: "foo"
- headers:
- - name: "version"
+ - headers:
+ name: "version"
value "v1"
```
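Review bot: The unchanged example line `value "v1"` is missing its colon (`value: "v1"`), so the YAML in this description did not parse before the change and still does not after it. Separately, moving `headers` from a sibling key of `method` into its own `- headers:` list entry changes what the example expresses: separate entries in `matches` are combined with OR in the Gateway API, while keys inside one entry are ANDed, so the prose following the example should be checked to still describe the rendered structure. Both points are in upstream-generated text; suggest filing against gateway-api rather than hand-editing here.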
@@ -6977,7 +7221,7 @@ spec:
default: Cookie
description: |-
Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
+ the use of a header or cookie. Defaults to cookie based session
persistence.
Support: Core for "Cookie" type
@@ -6993,6 +7237,8 @@ spec:
is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
|| self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ - message: cookieConfig can only be set with type Cookie
+ rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
type: object
maxItems: 16
type: array
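Review bot: The new rule `!has(self.cookieConfig) || self.type == 'Cookie'` rejects a sessionPersistence block that sets `cookieConfig` together with `type: Header`. Like every CEL validation it is enforced on write, so objects already stored in that combination keep their spec until the next update, which then fails with this message; the migration section should say so. It is also worth confirming whether the provider already ignored `cookieConfig` for header-based persistence (no runtime change) or honoured it (users relying on that now get a rejection instead).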
@@ -7084,7 +7330,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -7334,8 +7580,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: httproutes.gateway.networking.k8s.io
spec:
@@ -7815,7 +8061,7 @@ spec:
AllowHeaders indicates which HTTP request headers are supported for
accessing the requested resource.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Allow-Headers`
response header are separated by a comma (",").
@@ -7834,18 +8080,21 @@ spec:
client side.
A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowHeaders and the request is
+ not credentialed, the `Access-Control-Allow-Headers` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Headers from the request.
- When the `AllowCredentials` field is true and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Headers` response header. When
+ also the `AllowCredentials` field is true and `AllowHeaders` field
+ is specified with the `*` wildcard, the gateway must specify one or more
HTTP headers in the value of the `Access-Control-Allow-Headers` response
header. The value of the header `Access-Control-Allow-Headers` is same as
the `Access-Control-Request-Headers` header provided by the client. If
the header `Access-Control-Request-Headers` is not included in the
request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ response header, instead of specifying the `*` wildcard.
Support: Extended
items:
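Review bot: The rewritten semantics tighten the credentialed case and drop the sentence that allowed implementation-specific default headers, so two things need checking in the CORS filter: for a credentialed request the response must never carry `Access-Control-Allow-Headers: *`, with `*` in config meaning "reflect `Access-Control-Request-Headers`" and the response header omitted when the request has none; and no implementation-added default headers may be appended any more. The reflected value comes from a client-controlled request header, so the filter should build the response from the parsed, validated token list rather than copying the raw header bytes. The sentence "When also the `AllowCredentials` field is true ..." reads awkwardly but is upstream text.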
@@ -7869,6 +8118,10 @@ spec:
maxItems: 64
type: array
x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowHeaders cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
allowMethods:
description: |-
AllowMethods indicates which HTTP methods are supported for accessing the
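Review bot: The validation message says "AllowHeaders cannot contain '*' alongside other methods", but this rule sits on `allowHeaders`, so "headers" is meant; the rule itself (`!('*' in self && self.size() > 1)`) is correct. The message looks copied from the allowMethods counterpart and should be fixed upstream, since users will see the misleading text in apiserver rejections.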
@@ -7877,7 +8130,7 @@ spec:
Valid values are any method defined by RFC9110, along with the special
value `*`, which represents all HTTP methods are allowed.
- Method names are case sensitive, so these values are also case-sensitive.
+ Method names are case-sensitive, so these values are also case-sensitive.
(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
Multiple method names in the value of the `Access-Control-Allow-Methods`
@@ -7897,18 +8150,21 @@ spec:
`Access-Control-Allow-Methods`, it will present an error on the client
side.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowMethods and the request is
+ not credentialed, the `Access-Control-Allow-Methods` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Method from the request.
- When the `AllowCredentials` field is true and `AllowMethods` field
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Methods` response header. When
+ also the `AllowCredentials` field is true and `AllowMethods` field
specified with the `*` wildcard, the gateway must specify one HTTP method
in the value of the Access-Control-Allow-Methods response header. The
value of the header `Access-Control-Allow-Methods` is same as the
`Access-Control-Request-Method` header provided by the client. If the
header `Access-Control-Request-Method` is not included in the request,
the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ instead of specifying the `*` wildcard.
Support: Extended
items:
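Review bot: Same shape as allowHeaders: for a credentialed request the filter must reflect exactly one method taken from `Access-Control-Request-Method`, omit the response header when that request header is absent, and, per the removed sentence, no longer add implementation-specific default methods. One asymmetry to check: allowHeaders received a CEL rule in the hunk above forbidding `*` alongside other entries, and no equivalent rule for allowMethods appears in the visible hunks; if none exists, `["*", "GET"]` is still accepted by the schema and the filter has to define what that means.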
@@ -7975,10 +8231,19 @@ spec:
the CORS headers. The cross-origin request fails on the client side.
Therefore, the client doesn't attempt the actual cross-origin request.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ Conversely, if the request `Origin` matches one of the configured
+ allowed origins, the gateway sets the response header
+ `Access-Control-Allow-Origin` to the same value as the `Origin`
+ header provided by the client.
- When the `AllowCredentials` field is true and `AllowOrigins` field
+ When config has the wildcard ("*") in allowOrigins, and the request
+ is not credentialed (e.g., it is a preflight request), the
+ `Access-Control-Allow-Origin` response header either contains the
+ wildcard as well or the Origin from the request.
+
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Origin` response header. When
+ also the `AllowCredentials` field is true and `AllowOrigins` field
specified with the `*` wildcard, the gateway must return a single origin
in the value of the `Access-Control-Allow-Origin` response header,
instead of specifying the `*` wildcard. The value of the header
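Review bot: This is the security-relevant hunk. With `*` in allowOrigins and a credentialed request, the new text says the gateway "must return a single origin", i.e. reflect the request's `Origin`. Combined with `AllowCredentials: true`, that configuration grants every origin credentialed cross-origin access, which is precisely what browsers refuse when `*` is sent literally; the spec makes it work by reflection. The provider documentation should state plainly that `allowOrigins: ["*"]` together with `allowCredentials: true` amounts to trusting every origin, and the filter should reflect an Origin only when it matches a configured entry (the `*` entry included), never unconditionally.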
@@ -7990,12 +8255,12 @@ spec:
description: |-
The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in RFC3986. The CORSOrigin MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character.
URIs that include an authority MUST include a fully qualified domain name or
IP address as the host.
maxLength: 253
minLength: 1
- pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$)
type: string
maxItems: 64
type: array
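Review bot: The CORSOrigin pattern now admits only `http` and `https` (dropping `spiffe` and every other scheme the old `[a-zA-Z][a-zA-Z0-9+\-.]+` form accepted) and introduces two wildcard host shapes the description does not mention: `https://*` and `https://*.example.com`, each optionally with a port. Two follow-ups: HTTPRoutes already using a non-http(s) origin become invalid on their next update, which belongs in the migration notes; and the filter must implement `*.example.com` as a label-boundary match (so neither `https://evil-example.com` nor `https://example.com` itself matches) and define `https://*` as a scheme-only wildcard. The port group `([0-9]{1,5})` also accepts values such as `:99999` with no range check, so the implementation should not assume a syntactically valid port.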
@@ -8026,14 +8291,18 @@ spec:
this additional header will be exposed as part of the response to the
client.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Expose-Headers`
response header are separated by a comma (",").
A wildcard indicates that the responses with all HTTP headers are exposed
to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+ use `*` wildcard as value when the request is not credentialed.
+
+ When the `exposeHeaders` config field contains the "*" wildcard and
+ the request is credentialed, the gateway cannot use the `*` wildcard in
+ the `Access-Control-Expose-Headers` response header.
Support: Extended
items:
@@ -8069,6 +8338,9 @@ spec:
The default value of `Access-Control-Max-Age` response header is 5
(seconds).
+
+ When the `MaxAge` field is unspecified, the gateway sets the response
+ header "Access-Control-Max-Age: 5" by default.
format: int32
minimum: 1
type: integer
@@ -8247,6 +8519,7 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -8285,6 +8558,7 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -8296,6 +8570,7 @@ spec:
except Authority or Host must be copied.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -8400,10 +8675,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8475,10 +8754,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8789,6 +9072,9 @@ spec:
enum:
- 301
- 302
+ - 303
+ - 307
+ - 308
type: integer
type: object
responseHeaderModifier:
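Review bot: `303`, `307` and `308` join the permitted RequestRedirect status codes. The provider's redirect filter needs to accept and emit them; 307 and 308 differ from 302 and 301 in that clients must preserve the request method and body, so any code or test that assumes a redirect is always a 301/302 with GET semantics should be revisited together with whatever enumerates the allowed codes on the Traefik side.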
@@ -8836,10 +9122,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8911,10 +9201,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -9058,6 +9352,11 @@ spec:
- type
type: object
x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type
+ is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.requestHeaderModifier must be nil
if the filter.type is not RequestHeaderModifier
rule: '!(has(self.requestHeaderModifier) && self.type
@@ -9101,11 +9400,6 @@ spec:
- message: filter.extensionRef must be specified for
ExtensionRef filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type
- is not CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.externalAuth must be nil if the filter.type
is not ExternalAuth
rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
@@ -9120,6 +9414,8 @@ spec:
or httpRouteFilterRequestRewrite, but not both
rule: '!(self.exists(f, f.type == ''RequestRedirect'')
&& self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
<= 1
@@ -9295,7 +9591,7 @@ spec:
AllowHeaders indicates which HTTP request headers are supported for
accessing the requested resource.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Allow-Headers`
response header are separated by a comma (",").
@@ -9314,18 +9610,21 @@ spec:
client side.
A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowHeaders and the request is
+ not credentialed, the `Access-Control-Allow-Headers` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Headers from the request.
- When the `AllowCredentials` field is true and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Headers` response header. When
+ also the `AllowCredentials` field is true and `AllowHeaders` field
+ is specified with the `*` wildcard, the gateway must specify one or more
HTTP headers in the value of the `Access-Control-Allow-Headers` response
header. The value of the header `Access-Control-Allow-Headers` is same as
the `Access-Control-Request-Headers` header provided by the client. If
the header `Access-Control-Request-Headers` is not included in the
request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ response header, instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -9349,6 +9648,10 @@ spec:
maxItems: 64
type: array
x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowHeaders cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
allowMethods:
description: |-
AllowMethods indicates which HTTP methods are supported for accessing the
@@ -9357,7 +9660,7 @@ spec:
Valid values are any method defined by RFC9110, along with the special
value `*`, which represents all HTTP methods are allowed.
- Method names are case sensitive, so these values are also case-sensitive.
+ Method names are case-sensitive, so these values are also case-sensitive.
(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
Multiple method names in the value of the `Access-Control-Allow-Methods`
@@ -9377,18 +9680,21 @@ spec:
`Access-Control-Allow-Methods`, it will present an error on the client
side.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowMethods and the request is
+ not credentialed, the `Access-Control-Allow-Methods` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Method from the request.
- When the `AllowCredentials` field is true and `AllowMethods` field
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Methods` response header. When
+ also the `AllowCredentials` field is true and `AllowMethods` field
specified with the `*` wildcard, the gateway must specify one HTTP method
in the value of the Access-Control-Allow-Methods response header. The
value of the header `Access-Control-Allow-Methods` is same as the
`Access-Control-Request-Method` header provided by the client. If the
header `Access-Control-Request-Method` is not included in the request,
the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -9455,10 +9761,19 @@ spec:
the CORS headers. The cross-origin request fails on the client side.
Therefore, the client doesn't attempt the actual cross-origin request.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ Conversely, if the request `Origin` matches one of the configured
+ allowed origins, the gateway sets the response header
+ `Access-Control-Allow-Origin` to the same value as the `Origin`
+ header provided by the client.
- When the `AllowCredentials` field is true and `AllowOrigins` field
+ When config has the wildcard ("*") in allowOrigins, and the request
+ is not credentialed (e.g., it is a preflight request), the
+ `Access-Control-Allow-Origin` response header either contains the
+ wildcard as well or the Origin from the request.
+
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Origin` response header. When
+ also the `AllowCredentials` field is true and `AllowOrigins` field
specified with the `*` wildcard, the gateway must return a single origin
in the value of the `Access-Control-Allow-Origin` response header,
instead of specifying the `*` wildcard. The value of the header
@@ -9470,12 +9785,12 @@ spec:
description: |-
The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in RFC3986. The CORSOrigin MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character.
URIs that include an authority MUST include a fully qualified domain name or
IP address as the host.
maxLength: 253
minLength: 1
- pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$)
type: string
maxItems: 64
type: array
@@ -9506,14 +9821,18 @@ spec:
this additional header will be exposed as part of the response to the
client.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Expose-Headers`
response header are separated by a comma (",").
A wildcard indicates that the responses with all HTTP headers are exposed
to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+ use `*` wildcard as value when the request is not credentialed.
+
+ When the `exposeHeaders` config field contains the "*" wildcard and
+ the request is credentialed, the gateway cannot use the `*` wildcard in
+ the `Access-Control-Expose-Headers` response header.
Support: Extended
items:
@@ -9549,6 +9868,9 @@ spec:
The default value of `Access-Control-Max-Age` response header is 5
(seconds).
+
+ When the `MaxAge` field is unspecified, the gateway sets the response
+ header "Access-Control-Max-Age: 5" by default.
format: int32
minimum: 1
type: integer
@@ -9727,6 +10049,7 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -9765,6 +10088,7 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -9776,6 +10100,7 @@ spec:
except Authority or Host must be copied.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -9877,10 +10202,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -9951,10 +10280,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10265,6 +10598,9 @@ spec:
enum:
- 301
- 302
+ - 303
+ - 307
+ - 308
type: integer
type: object
responseHeaderModifier:
@@ -10311,10 +10647,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10385,10 +10725,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10532,6 +10876,11 @@ spec:
- type
type: object
x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type is not
+ CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.requestHeaderModifier must be nil if the
filter.type is not RequestHeaderModifier
rule: '!(has(self.requestHeaderModifier) && self.type !=
@@ -10572,11 +10921,6 @@ spec:
- message: filter.extensionRef must be specified for ExtensionRef
filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type is not
- CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.externalAuth must be nil if the filter.type
is not ExternalAuth
rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
@@ -10591,6 +10935,8 @@ spec:
or httpRouteFilterRequestRewrite, but not both
rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
<= 1
@@ -10722,10 +11068,14 @@ spec:
- RegularExpression
type: string
value:
- description: Value is the value of HTTP Header to
- be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
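Review bot: This header match has `RegularExpression` in its type enum, and the new `pattern` on `value` applies regardless of type, so a regex value is also limited to printable US-ASCII with at most a single space or tab between tokens. Most expressions survive (`\s` and `\t` are ASCII escapes), but an expression containing a literal double space, a non-ASCII character or a raw tab will now be rejected on write; worth a sentence in the migration notes and a test that a typical RegularExpression header match still validates.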
@@ -10934,7 +11284,7 @@ spec:
For example, setting the `rules[].retry.backoff` field to the value
`100ms` will cause a backend request to first be retried approximately
100 milliseconds after timing out or receiving a response code configured
- to be retryable.
+ to be retriable.
An implementation MAY use an exponential or alternative backoff strategy
for subsequent retry attempts, MAY cap the maximum backoff duration to
@@ -10977,7 +11327,7 @@ spec:
HTTPRouteRetryStatusCode defines an HTTP response status code for
which a backend request should be retried.
- Implementations MUST support the following status codes as retryable:
+ Implementations MUST support the following status codes as retriable:
* 500
* 502
@@ -11068,7 +11418,7 @@ spec:
default: Cookie
description: |-
Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
+ the use of a header or cookie. Defaults to cookie based session
persistence.
Support: Core for "Cookie" type
@@ -11084,6 +11434,8 @@ spec:
is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
|| self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ - message: cookieConfig can only be set with type Cookie
+ rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
timeouts:
description: |-
Timeouts defines the timeouts that can be configured for an HTTP request.
@@ -11188,6 +11540,7 @@ spec:
!= 1 || !has(self.matches[0].path) || self.matches[0].path.type
!= ''PathPrefix'') ? false : true) : true'
maxItems: 16
+ minItems: 1
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
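Review bot: `minItems: 1` on the list bounded by `maxItems: 16` here (the per-rule CEL above referring to `self.matches[0].path` suggests this is `rules`) means an object with an empty list is rejected on its next write. If the provider previously accepted an empty list as a valid no-op route, that is a behaviour change to document; if it already rejected it, this only moves the error from the controller's status conditions to the apiserver.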
@@ -11271,7 +11624,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -11973,7 +12326,7 @@ spec:
AllowHeaders indicates which HTTP request headers are supported for
accessing the requested resource.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Allow-Headers`
response header are separated by a comma (",").
@@ -11992,18 +12345,21 @@ spec:
client side.
A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowHeaders and the request is
+ not credentialed, the `Access-Control-Allow-Headers` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Headers from the request.
- When the `AllowCredentials` field is true and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Headers` response header. When
+ also the `AllowCredentials` field is true and `AllowHeaders` field
+ is specified with the `*` wildcard, the gateway must specify one or more
HTTP headers in the value of the `Access-Control-Allow-Headers` response
header. The value of the header `Access-Control-Allow-Headers` is same as
the `Access-Control-Request-Headers` header provided by the client. If
the header `Access-Control-Request-Headers` is not included in the
request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ response header, instead of specifying the `*` wildcard.
Support: Extended
items:
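Review bot: The rewritten `AllowHeaders` description moves the `*` restriction from a configuration-time condition (`AllowCredentials` false or omitted) to a request-time one (whether the request is credentialed), and drops the sentence that allowed implementation-specific default headers. The CORS filter implementation therefore has to decide per request whether to emit `*` or echo `Access-Control-Request-Headers`, not just consult the `allowCredentials` field, and must omit `Access-Control-Allow-Headers` entirely when the request carries no `Access-Control-Request-Headers` instead of falling back to `*` or a default list. Worth confirming the provider code behaves this way before the provider page advertises support for this version.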
@@ -12027,6 +12383,10 @@ spec:
maxItems: 64
type: array
x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowHeaders cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
allowMethods:
description: |-
AllowMethods indicates which HTTP methods are supported for accessing the
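Review bot: The validation message at `AllowHeaders cannot contain '*' alongside other methods` is wrong for the field it sits on: the list being validated is `allowHeaders`, so it should read `other headers`. The rule itself (`!('*' in self && self.size() > 1)`) is correct. The text is upstream-generated, so the fix belongs in gateway-api rather than a local edit, but it is worth reporting because this message is what a user sees when a manifest is rejected.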
@@ -12035,7 +12395,7 @@ spec:
Valid values are any method defined by RFC9110, along with the special
value `*`, which represents all HTTP methods are allowed.
- Method names are case sensitive, so these values are also case-sensitive.
+ Method names are case-sensitive, so these values are also case-sensitive.
(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
Multiple method names in the value of the `Access-Control-Allow-Methods`
@@ -12055,18 +12415,21 @@ spec:
`Access-Control-Allow-Methods`, it will present an error on the client
side.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowMethods and the request is
+ not credentialed, the `Access-Control-Allow-Methods` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Method from the request.
- When the `AllowCredentials` field is true and `AllowMethods` field
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Methods` response header. When
+ also the `AllowCredentials` field is true and `AllowMethods` field
specified with the `*` wildcard, the gateway must specify one HTTP method
in the value of the Access-Control-Allow-Methods response header. The
value of the header `Access-Control-Allow-Methods` is same as the
`Access-Control-Request-Method` header provided by the client. If the
header `Access-Control-Request-Method` is not included in the request,
the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ instead of specifying the `*` wildcard.
Support: Extended
items:
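Review bot: At `also the `AllowCredentials` field is true and `AllowMethods` field` the sentence continues `specified with the `*` wildcard`, dropping the `is` that the parallel `AllowHeaders` paragraph gained in this same patch (`is specified with the `*` wildcard`). Beyond wording, this paragraph makes the same semantic shift as the headers one: for a credentialed request the gateway must not emit `*` in `Access-Control-Allow-Methods` and must echo `Access-Control-Request-Method`, or omit the header when that request header is absent, so the implementation's credentialed-request handling needs to cover methods as well as headers.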
@@ -12133,10 +12496,19 @@ spec:
the CORS headers. The cross-origin request fails on the client side.
Therefore, the client doesn't attempt the actual cross-origin request.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ Conversely, if the request `Origin` matches one of the configured
+ allowed origins, the gateway sets the response header
+ `Access-Control-Allow-Origin` to the same value as the `Origin`
+ header provided by the client.
- When the `AllowCredentials` field is true and `AllowOrigins` field
+ When config has the wildcard ("*") in allowOrigins, and the request
+ is not credentialed (e.g., it is a preflight request), the
+ `Access-Control-Allow-Origin` response header either contains the
+ wildcard as well or the Origin from the request.
+
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Origin` response header. When
+ also the `AllowCredentials` field is true and `AllowOrigins` field
specified with the `*` wildcard, the gateway must return a single origin
in the value of the `Access-Control-Allow-Origin` response header,
instead of specifying the `*` wildcard. The value of the header
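Review bot: The new text `if the request `Origin` matches one of the configured allowed origins, the gateway sets the response header `Access-Control-Allow-Origin` to the same value as the `Origin` header` means the response now varies per request origin whenever an allowlist is configured. The implementation should emit `Vary: Origin` alongside the echoed value so that an intermediate cache cannot serve a response carrying one origin's `Access-Control-Allow-Origin` to a request from a different origin; the description does not mention this, so it should be checked explicitly rather than assumed.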
@@ -12148,12 +12520,12 @@ spec:
description: |-
The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in RFC3986. The CORSOrigin MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character.
URIs that include an authority MUST include a fully qualified domain name or
IP address as the host.
maxLength: 253
minLength: 1
- pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$)
type: string
maxItems: 64
type: array
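Review bot: The new `pattern` here does more than the updated description says. Besides restricting the scheme to `http`/`https` (so an origin with any other scheme, such as the `spiffe` example the old description allowed, is now rejected at admission), it also admits a leading `*.` label (`https://*.example.com`) and a bare `*` host (`https://*`), while the description above still speaks only of a fully qualified domain name, an IP address, or a single `*`. Two follow-ups: the migration guide should mention the scheme restriction for anyone with non-HTTP origins, and the provider's origin matching must implement wildcard-subdomain semantics for the `*.` form and a scheme-only wildcard for `https://*`, otherwise a manifest that passes validation may match nothing or more than intended.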
@@ -12184,14 +12556,18 @@ spec:
this additional header will be exposed as part of the response to the
client.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Expose-Headers`
response header are separated by a comma (",").
A wildcard indicates that the responses with all HTTP headers are exposed
to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+ use `*` wildcard as value when the request is not credentialed.
+
+ When the `exposeHeaders` config field contains the "*" wildcard and
+ the request is credentialed, the gateway cannot use the `*` wildcard in
+ the `Access-Control-Expose-Headers` response header.
Support: Extended
items:
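Review bot: The added paragraph for `exposeHeaders` says only that the gateway cannot use `*` in `Access-Control-Expose-Headers` when the request is credentialed; unlike the `allowHeaders` and `allowMethods` paragraphs it does not say what to send instead, and there is no request header to echo for exposed headers. The implementation needs an explicit choice here, most conservatively omitting the header for credentialed requests when the configured list is only `*`, and whichever choice is made should be documented on the provider page.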
@@ -12227,6 +12603,9 @@ spec:
The default value of `Access-Control-Max-Age` response header is 5
(seconds).
+
+ When the `MaxAge` field is unspecified, the gateway sets the response
+ header "Access-Control-Max-Age: 5" by default.
format: int32
minimum: 1
type: integer
@@ -12405,6 +12784,7 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
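Review bot: `maxItems: 64` on this list (and on the two sibling lists in the following hunks) is a new admission-time cap with no corresponding entry in the migration guide; a resource whose list already exceeds 64 entries will fail to re-apply after the CRD update. Low likelihood, but worth a sentence in the migration section alongside the other schema changes in this version.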
@@ -12443,6 +12823,7 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -12454,6 +12835,7 @@ spec:
except Authority or Host must be copied.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -12558,10 +12940,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
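Review bot: The new `pattern: ^[!-~]+([\t ]?[!-~]+)*$` on header match values (this hunk and the three identical ones that follow) rejects values with leading or trailing whitespace, runs of two or more spaces or tabs, or any non-ASCII character; existing routes matching on such values will be rejected once the CRDs are updated, so this belongs in the migration notes. Separately, the pattern nests `+` inside `( ... )*` with an optional separator, which is a classic exponential-backtracking shape on a long non-matching value (up to `maxLength: 4096`). The API server compiles `pattern` with Go's RE2-based, linear-time regexp engine, so admission is not at risk, but client-side or CI validators built on a backtracking engine should be tested against a 4 KB near-miss value before this schema is rolled into pipelines.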
@@ -12633,10 +13019,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12947,6 +13337,9 @@ spec:
enum:
- 301
- 302
+ - 303
+ - 307
+ - 308
type: integer
type: object
responseHeaderModifier:
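Review bot: Adding `303`, `307` and `308` to the `RequestRedirect` status-code enum only widens validation; the provider must actually map these codes when it builds the redirect middleware, otherwise a route using them passes admission while the gateway responds with whatever the implementation defaults to. `307` and `308` also differ from `301`/`302` in that clients must preserve the request method and body, so the redirect handler must not assume a GET conversion. Suggest an integration test case per new code.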
@@ -12994,10 +13387,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13069,10 +13466,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13216,6 +13617,11 @@ spec:
- type
type: object
x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type
+ is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.requestHeaderModifier must be nil
if the filter.type is not RequestHeaderModifier
rule: '!(has(self.requestHeaderModifier) && self.type
@@ -13259,11 +13665,6 @@ spec:
- message: filter.extensionRef must be specified for
ExtensionRef filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type
- is not CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.externalAuth must be nil if the filter.type
is not ExternalAuth
rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
@@ -13278,6 +13679,8 @@ spec:
or httpRouteFilterRequestRewrite, but not both
rule: '!(self.exists(f, f.type == ''RequestRedirect'')
&& self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
<= 1
@@ -13453,7 +13856,7 @@ spec:
AllowHeaders indicates which HTTP request headers are supported for
accessing the requested resource.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Allow-Headers`
response header are separated by a comma (",").
@@ -13472,18 +13875,21 @@ spec:
client side.
A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowHeaders and the request is
+ not credentialed, the `Access-Control-Allow-Headers` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Headers from the request.
- When the `AllowCredentials` field is true and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Headers` response header. When
+ also the `AllowCredentials` field is true and `AllowHeaders` field
+ is specified with the `*` wildcard, the gateway must specify one or more
HTTP headers in the value of the `Access-Control-Allow-Headers` response
header. The value of the header `Access-Control-Allow-Headers` is same as
the `Access-Control-Request-Headers` header provided by the client. If
the header `Access-Control-Request-Headers` is not included in the
request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ response header, instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -13507,6 +13913,10 @@ spec:
maxItems: 64
type: array
x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowHeaders cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
allowMethods:
description: |-
AllowMethods indicates which HTTP methods are supported for accessing the
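Review bot: Same copy-paste error as in the earlier `allowHeaders` block: the message reads `other methods` but this list is `allowHeaders`, so it should say `other headers`. The CEL rule is correct.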
@@ -13515,7 +13925,7 @@ spec:
Valid values are any method defined by RFC9110, along with the special
value `*`, which represents all HTTP methods are allowed.
- Method names are case sensitive, so these values are also case-sensitive.
+ Method names are case-sensitive, so these values are also case-sensitive.
(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
Multiple method names in the value of the `Access-Control-Allow-Methods`
@@ -13535,18 +13945,21 @@ spec:
`Access-Control-Allow-Methods`, it will present an error on the client
side.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowMethods and the request is
+ not credentialed, the `Access-Control-Allow-Methods` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Method from the request.
- When the `AllowCredentials` field is true and `AllowMethods` field
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Methods` response header. When
+ also the `AllowCredentials` field is true and `AllowMethods` field
specified with the `*` wildcard, the gateway must specify one HTTP method
in the value of the Access-Control-Allow-Methods response header. The
value of the header `Access-Control-Allow-Methods` is same as the
`Access-Control-Request-Method` header provided by the client. If the
header `Access-Control-Request-Method` is not included in the request,
the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -13613,10 +14026,19 @@ spec:
the CORS headers. The cross-origin request fails on the client side.
Therefore, the client doesn't attempt the actual cross-origin request.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ Conversely, if the request `Origin` matches one of the configured
+ allowed origins, the gateway sets the response header
+ `Access-Control-Allow-Origin` to the same value as the `Origin`
+ header provided by the client.
- When the `AllowCredentials` field is true and `AllowOrigins` field
+ When config has the wildcard ("*") in allowOrigins, and the request
+ is not credentialed (e.g., it is a preflight request), the
+ `Access-Control-Allow-Origin` response header either contains the
+ wildcard as well or the Origin from the request.
+
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Origin` response header. When
+ also the `AllowCredentials` field is true and `AllowOrigins` field
specified with the `*` wildcard, the gateway must return a single origin
in the value of the `Access-Control-Allow-Origin` response header,
instead of specifying the `*` wildcard. The value of the header
@@ -13628,12 +14050,12 @@ spec:
description: |-
The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in RFC3986. The CORSOrigin MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character.
URIs that include an authority MUST include a fully qualified domain name or
IP address as the host.
maxLength: 253
minLength: 1
- pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$)
type: string
maxItems: 64
type: array
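Review bot: Same mismatch as in the earlier CORSOrigin hunk: the description here still says fully qualified domain name or IP address, while the new pattern admits `*.`-prefixed hosts and a bare `*` host and restricts the scheme to `http`/`https`. The migration note and the wildcard matching implementation need to cover this copy of the schema as well.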
@@ -13664,14 +14086,18 @@ spec:
this additional header will be exposed as part of the response to the
client.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Expose-Headers`
response header are separated by a comma (",").
A wildcard indicates that the responses with all HTTP headers are exposed
to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+ use `*` wildcard as value when the request is not credentialed.
+
+ When the `exposeHeaders` config field contains the "*" wildcard and
+ the request is credentialed, the gateway cannot use the `*` wildcard in
+ the `Access-Control-Expose-Headers` response header.
Support: Extended
items:
@@ -13707,6 +14133,9 @@ spec:
The default value of `Access-Control-Max-Age` response header is 5
(seconds).
+
+ When the `MaxAge` field is unspecified, the gateway sets the response
+ header "Access-Control-Max-Age: 5" by default.
format: int32
minimum: 1
type: integer
@@ -13885,6 +14314,7 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -13923,6 +14353,7 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -13934,6 +14365,7 @@ spec:
except Authority or Host must be copied.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -14035,10 +14467,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14109,10 +14545,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14423,6 +14863,9 @@ spec:
enum:
- 301
- 302
+ - 303
+ - 307
+ - 308
type: integer
type: object
responseHeaderModifier:
@@ -14469,10 +14912,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14543,10 +14990,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14690,6 +15141,11 @@ spec:
- type
type: object
x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type is not
+ CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.requestHeaderModifier must be nil if the
filter.type is not RequestHeaderModifier
rule: '!(has(self.requestHeaderModifier) && self.type !=
@@ -14730,11 +15186,6 @@ spec:
- message: filter.extensionRef must be specified for ExtensionRef
filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type is not
- CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.externalAuth must be nil if the filter.type
is not ExternalAuth
rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
@@ -14749,6 +15200,8 @@ spec:
or httpRouteFilterRequestRewrite, but not both
rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
<= 1
@@ -14880,10 +15333,14 @@ spec:
- RegularExpression
type: string
value:
- description: Value is the value of HTTP Header to
- be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -15092,7 +15549,7 @@ spec:
For example, setting the `rules[].retry.backoff` field to the value
`100ms` will cause a backend request to first be retried approximately
100 milliseconds after timing out or receiving a response code configured
- to be retryable.
+ to be retriable.
An implementation MAY use an exponential or alternative backoff strategy
for subsequent retry attempts, MAY cap the maximum backoff duration to
@@ -15135,7 +15592,7 @@ spec:
HTTPRouteRetryStatusCode defines an HTTP response status code for
which a backend request should be retried.
- Implementations MUST support the following status codes as retryable:
+ Implementations MUST support the following status codes as retriable:
* 500
* 502
@@ -15226,7 +15683,7 @@ spec:
default: Cookie
description: |-
Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
+ the use of a header or cookie. Defaults to cookie based session
persistence.
Support: Core for "Cookie" type
@@ -15242,6 +15699,8 @@ spec:
is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
|| self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ - message: cookieConfig can only be set with type Cookie
+ rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
timeouts:
description: |-
Timeouts defines the timeouts that can be configured for an HTTP request.
@@ -15346,6 +15805,7 @@ spec:
!= 1 || !has(self.matches[0].path) || self.matches[0].path.type
!= ''PathPrefix'') ? false : true) : true'
maxItems: 16
+ minItems: 1
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
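Review bot: Same `minItems: 1` tightening as in the earlier HTTPRoute copy of this schema; an empty rules list is now rejected at admission here too, and one migration note should cover both copies.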
@@ -15429,7 +15889,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -15673,14 +16133,798 @@ status:
storedVersions: null
---
#
+# config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
+ gateway.networking.k8s.io/channel: experimental
+ name: listenersets.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: ListenerSet
+ listKind: ListenerSetList
+ plural: listenersets
+ shortNames:
+ - lset
+ singular: listenerset
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ This resource provides a mechanism to merge multiple listeners into a single Gateway.
+
+ The parent Gateway must explicitly allow ListenerSet attachment through its
+ AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+ attachment.
+
+ Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+ optionally target specific listeners using the sectionName field.
+
+ Policy Attachment:
+ - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+ - Policies do not impact listeners in the parent Gateway
+ - Different ListenerSets attached to the same Gateway can have different policies
+ - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+
+ ReferenceGrant Semantics:
+ - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+ - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+ - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+
+ Gateway Integration:
+ - The parent Gateway's status will include "AttachedListenerSets"
+ which is the count of ListenerSets that have successfully attached to a Gateway
+ A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
+ - The ListenerSet is selected by the Gateway's AllowedListeners field
+ - The ListenerSet has a valid ParentRef selecting the Gateway
+ - The ListenerSet's status has the condition "Accepted: true"
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ListenerSet.
+ properties:
+ listeners:
+ description: |-
+ Listeners associated with this ListenerSet. Listeners define
+ logical endpoints that are bound on this referenced parent Gateway's addresses.
+
+ Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+ as a list when programming the underlying infrastructure. Each listener
+ name does not need to be unique across the Gateway and ListenerSets.
+ See ListenerEntry.Name for more details.
+
+ Implementations MUST treat the parent Gateway as having the merged
+ list of all listeners from itself and attached ListenerSets using
+ the following precedence:
+
+ 1. "parent" Gateway
+ 2. ListenerSet ordered by creation time (oldest first)
+ 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+
+ An implementation MAY reject listeners by setting the ListenerEntryStatus
+ `Accepted` condition to False with the Reason `TooManyListeners`
+
+ If a listener has a conflict, this will be reported in the
+ Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+
+ Implementations SHOULD be cautious about what information from the
+ parent or siblings are reported to avoid accidentally leaking
+ sensitive information that the child would not otherwise have access
+ to. This can include contents of secrets etc.
+ items:
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+ properties:
+ kinds:
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaces:
+ default:
+ from: Same
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
+ properties:
+ from:
+ default: Same
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ ListenerSet.
+
+ Name is not required to be unique across a Gateway and ListenerSets.
+ Routes can attach to a Listener by having a ListenerSet as a parentRef
+ and setting the SectionName
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: Protocol specifies the network protocol this listener
+ expects to receive.
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in ListenerTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+ properties:
+ certificateRefs:
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: atomic
+ mode:
+ default: Terminate
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 || size(self.options) > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: tls mode must be set for protocol TLS
+ rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode)
+ && l.tls.mode != '''' : true))'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port)
+ && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname)
+ && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname)
+ && !has(l2.hostname))))'
+ parentRef:
+ description: ParentRef references the Gateway that the listeners are
+ attached to.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: Kind is kind of the referent. For example "Gateway".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. If not present,
+ the namespace of the referent is assumed to be the same as
+ the namespace of the referring object.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - listeners
+ - parentRef
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of ListenerSet.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions describe the current conditions of the ListenerSet.
+
+ Implementations MUST express ListenerSet conditions using the
+ `ListenerSetConditionType` and `ListenerSetConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe ListenerSet state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners, even if the Accepted condition of an individual Listener is set
+ to "False". The AttachedRoutes number represents the number of Routes with
+ the Accepted condition set to "True" that have been attached to this Listener.
+ Routes with any other value for the Accepted condition MUST NOT be included
+ in this count.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds supported by an implementation for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: referencegrants.gateway.networking.k8s.io
spec:
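Review bot: Missing documentation for the ListenerSet resource whose schema this hunk completes: the `status` default near the end of the schema seeds both the `Accepted` and `Programmed` conditions with `status: Unknown` and `message: Waiting for controller`, so a ListenerSet that the provider does not reconcile will sit in that state indefinitely while routes that attach through it (a ListenerSet `parentRef` plus `sectionName`, as the `name` description here says) are never served. Please state in the provider docs whether ListenerSet is supported in this release, and if it is, reflect the schema's own constraint that a listener `tls.certificateRefs` entry in another namespace is rejected with `ResolvedRefs` set to False and reason `RefNotPermitted` unless a ReferenceGrant in the Secret's namespace allows it.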
@@ -15696,6 +16940,169 @@ spec:
singular: referencegrant
scope: Namespaced
versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ReferenceGrant identifies kinds of resources in other namespaces that are
+ trusted to reference the specified kinds of resources in the same namespace
+ as the policy.
+
+ Each ReferenceGrant can be used to represent a unique trust relationship.
+ Additional Reference Grants can be used to add to the set of trusted
+ sources of inbound references for the namespace they are defined within.
+
+ All cross-namespace references in Gateway API (with the exception of cross-namespace
+ Gateway-route attachment) require a ReferenceGrant.
+
+ ReferenceGrant is a form of runtime verification allowing users to assert
+ which cross-namespace object references are permitted. Implementations that
+ support ReferenceGrant MUST NOT permit cross-namespace references which have
+ no grant, and MUST respond to the removal of a grant by revoking the access
+ that the grant allowed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ReferenceGrant.
+ properties:
+ from:
+ description: |-
+ From describes the trusted namespaces and kinds that can reference the
+ resources described in "To". Each entry in this list MUST be considered
+ to be an additional place that references can be valid from, or to put
+ this another way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: ReferenceGrantFrom describes trusted namespaces and
+ kinds.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field.
+
+ When used to permit a SecretObjectReference:
+
+ * Gateway
+
+ When used to permit a BackendObjectReference:
+
+ * GRPCRoute
+ * HTTPRoute
+ * TCPRoute
+ * TLSRoute
+ * UDPRoute
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - namespace
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ To describes the resources that may be referenced by the resources
+ described in "From". Each entry in this list MUST be considered to be an
+ additional place that references can be valid to, or to put this another
+ way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: |-
+ ReferenceGrantTo describes what Kinds are allowed as targets of the
+ references.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field:
+
+ * Secret when used to permit a SecretObjectReference
+ * Service when used to permit a BackendObjectReference
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent. When unspecified, this policy
+ refers to all resources of the specified Group and Kind in the local
+ namespace.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - from
+ - to
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources: {}
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
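Review bot: Worth a caveat in the provider docs for the ReferenceGrant `v1` schema added here: `to[].name` is optional (only `group` and `kind` are required), and the description states that an entry without `name` "refers to all resources of the specified Group and Kind in the local namespace", so a grant written for one TLS Secret that omits `name` lets every Gateway in the `from` namespace reference every Secret in the granting namespace. Any example grant shown in the docs should set `name`. The new version being `served: true` with `storage: false` leaves the existing entry below as the storage version, which is the right choice for an additive version.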
@@ -15873,8 +17280,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: tcproutes.gateway.networking.k8s.io
spec:
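Review bot: The two annotation lines at the top of this hunk (`api-approved.kubernetes.io` now pointing at pull/4530 and `bundle-version` now `v1.5.1`) change identically in several CRDs in this patch; please confirm they come from regenerating the file from the upstream v1.5.1 experimental-channel bundle rather than from hand edits, since users compare the installed CRD's `bundle-version` annotation against the release they expect, and the value must match the Gateway API version named in the provider documentation.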
@@ -16383,7 +17790,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -16633,8 +18040,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: tlsroutes.gateway.networking.k8s.io
spec:
@@ -16652,7 +18059,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- name: v1alpha2
+ name: v1
schema:
openAPIV3Schema:
description: |-
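Review bot: The first version entry of the TLSRoute CRD is renamed from `v1alpha2` to `v1` at the end of this hunk; please confirm that `v1alpha2` is still present further down in the file as a served, non-storage version, because if the entry is only renamed, applying the CRD is rejected on clusters whose `status.storedVersions` still lists `v1alpha2`, and any client manifests using that apiVersion stop working. A one-line migration note telling users to move TLSRoute manifests to `gateway.networking.k8s.io/v1` would also help.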
@@ -16662,6 +18069,781 @@ spec:
If you need to forward traffic to a single target for a TLS listener, you
could choose to use a TCPRoute with a TLS listener.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of TLSRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of SNI hostnames that should match against the
+ SNI attribute of TLS ClientHello message in TLS handshake. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed in SNI hostnames per RFC 6066.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: Hostnames cannot contain an IP
+ rule: self.all(h, !isIP(h))
+ - message: Hostnames must be valid based on RFC-1123
+ rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')
+ : true)'
+ - message: Wildcards on hostnames must be the first label, and the
+ rest of hostname must be valid based on RFC-1123
+ rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') &&
+ h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$''))
+ : true)'
+ parentRefs:
+ description: |-
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ description: Rules are a list of actions.
+ items:
+ description: TLSRouteRule is the configuration for a given rule.
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent. If unspecified or invalid (refers to a nonexistent resource or
+ a Service with no endpoints), the rule performs no forwarding; if no
+ filters are specified that would result in a response being sent, the
+ underlying implementation must actively reject request attempts to this
+ backend, by rejecting the connection. Request rejections must respect
+ weight; if an invalid backend is requested to have 80% of requests, then
+ 80% of requests must be rejected instead.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Extended
+ items:
+ description: |-
+ BackendRef defines how a Route should forward a request to a Kubernetes
+ resource.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ Note that when the BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here. See the fields
+ where this struct is used for more information about the exact behavior.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ description: Name is the name of the route rule. This name MUST
+ be unique within a Route if it is set.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - backendRefs
+ type: object
+ maxItems: 1
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
+ required:
+ - hostnames
+ - rules
+ type: object
+ status:
+ description: Status defines the current state of TLSRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a nonexistent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace to which the controller does not have access.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - conditions
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will
+ be removed in a future release of the API. Please upgrade to v1.
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: |-
+ The TLSRoute resource is similar to TCPRoute, but can be configured
+ to match against TLS-specific metadata. This allows more flexibility
+ in matching streams for a given TLS listener.
properties:
apiVersion:
description: |-
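Review bot: the whole v1 TLSRoute version added by this hunk, up to its `storage: true` line and the `deprecated: true` / `deprecationWarning` now placed on v1alpha2, is upstream-generated CRD text, so please state in the PR which release artefact it was copied from and regenerate it from that artefact rather than hand-editing, so the copy can be diffed against the v1.5.1 bundle instead of reviewed by eye. Two details that look odd but are correct and are themselves evidence of generation: the `parentRefs` CEL rules spell the field as `__namespace__` because `namespace` is a reserved word in CEL, and the first rule is a single-quoted YAML scalar in which `''''` becomes the CEL empty-string literal `''`, while the second rule is a plain scalar that writes `''` directly; leave both as they are. The `sectionName` description's "the name and port of the selected listener must match" under the Service bullet is also upstream wording and should not be fixed locally.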
@@ -16989,10 +19171,9 @@ spec:
a Service with no endpoints), the rule performs no forwarding; if no
filters are specified that would result in a response being sent, the
underlying implementation must actively reject request attempts to this
- backend, by rejecting the connection or returning a 500 status code.
- Request rejections must respect weight; if an invalid backend is
- requested to have 80% of requests, then 80% of requests must be rejected
- instead.
+ backend, by rejecting the connection. Request rejections must respect
+ weight; if an invalid backend is requested to have 80% of requests, then
+ 80% of requests must be rejected instead.
Support: Core for Kubernetes Service
@@ -17123,10 +19304,8 @@ spec:
type: array
x-kubernetes-list-type: atomic
name:
- description: |-
- Name is the name of the route rule. This name MUST be unique within a Route if it is set.
-
- Support: Extended
+ description: Name is the name of the route rule. This name MUST
+ be unique within a Route if it is set.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -17207,7 +19386,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -17447,6 +19626,9 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
+ deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will
+ be removed in a future release of the API. Please upgrade to v1.
name: v1alpha3
schema:
openAPIV3Schema:
@@ -17487,32 +19669,6 @@ spec:
1. IPs are not allowed in SNI hostnames per RFC 6066.
2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
label must appear by itself as the first label.
-
- If a hostname is specified by both the Listener and TLSRoute, there
- must be at least one intersecting hostname for the TLSRoute to be
- attached to the Listener. For example:
-
- * A Listener with `test.example.com` as the hostname matches TLSRoutes
- that have specified at least one of `test.example.com` or
- `*.example.com`.
- * A Listener with `*.example.com` as the hostname matches TLSRoutes
- that have specified at least one hostname that matches the Listener
- hostname. For example, `test.example.com` and `*.example.com` would both
- match. On the other hand, `example.com` and `test.example.net` would not
- match.
-
- If both the Listener and TLSRoute have specified hostnames, any
- TLSRoute hostnames that do not match the Listener hostname MUST be
- ignored. For example, if a Listener specified `*.example.com`, and the
- TLSRoute specified `test.example.com` and `test.example.net`,
- `test.example.net` must not be considered for a match.
-
- If both the Listener and TLSRoute have specified hostnames, and none
- match with the criteria above, then the TLSRoute is not accepted. The
- implementation must raise an 'Accepted' Condition with a status of
- `False` in the corresponding RouteParentStatus.
-
- Support: Core
items:
description: |-
Hostname is the fully qualified domain name of a network host. This matches
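Review bot: this hunk removes the only place in the v1alpha3 schema that described the Listener/TLSRoute hostname intersection rule and the resulting `Accepted` condition with status `False`, together with its `Support: Core` line; because it is description text only, the API server accepts exactly the same objects as before, but users will no longer see the intersection semantics in `kubectl explain`. If the paragraph was dropped upstream on purpose, confirm that the provider documentation still explains how Traefik intersects Route hostnames with Listener hostnames and what status it sets when nothing intersects, so the behaviour stays documented somewhere.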
@@ -17537,6 +19693,17 @@ spec:
minItems: 1
type: array
x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: Hostnames cannot contain an IP
+ rule: self.all(h, !isIP(h))
+ - message: Hostnames must be valid based on RFC-1123
+ rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')
+ : true)'
+ - message: Wildcards on hostnames must be the first label, and the
+ rest of hostname must be valid based on RFC-1123
+ rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') &&
+ h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$''))
+ : true)'
parentRefs:
description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
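Review bot: the new `hostnames` validations call `isIP(h)`, a Kubernetes CEL library function rather than core CEL, so on an API server whose CEL environment does not provide it the CRD itself is rejected at apply time, not the Route later; confirm the oldest Kubernetes version Traefik supports accepts this rule and record the minimum version in the upgrade notes. Otherwise this is a welcome hardening: IP-address hostnames and malformed wildcards are refused at admission before the provider sees them, and the rule structure is sound, since the plain RFC 1123 regex only runs for hostnames without `*`, and the wildcard branch requires the `*.` prefix and validates the remainder, so a bare `*` or a wildcard inside a label is rejected exactly as the description's rule 2 demands. The doubled backslashes inside the single-quoted scalars are correct: YAML keeps them literal and CEL unescapes `\\.` to the regex `\.`.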
@@ -17785,10 +19952,9 @@ spec:
a Service with no endpoints), the rule performs no forwarding; if no
filters are specified that would result in a response being sent, the
underlying implementation must actively reject request attempts to this
- backend, by rejecting the connection or returning a 500 status code.
- Request rejections must respect weight; if an invalid backend is
- requested to have 80% of requests, then 80% of requests must be rejected
- instead.
+ backend, by rejecting the connection. Request rejections must respect
+ weight; if an invalid backend is requested to have 80% of requests, then
+ 80% of requests must be rejected instead.
Support: Core for Kubernetes Service
@@ -17919,10 +20085,8 @@ spec:
type: array
x-kubernetes-list-type: atomic
name:
- description: |-
- Name is the name of the route rule. This name MUST be unique within a Route if it is set.
-
- Support: Extended
+ description: Name is the name of the route rule. This name MUST
+ be unique within a Route if it is set.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -17934,10 +20098,6 @@ spec:
minItems: 1
type: array
x-kubernetes-list-type: atomic
- x-kubernetes-validations:
- - message: Rule name must be unique within the route
- rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
- && l1.name == l2.name))
useDefaultGateways:
description: |-
UseDefaultGateways indicates the default Gateway scope to use for this
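Review bot: dropping the `Rule name must be unique within the route` CEL validation while the `name` description in the preceding hunk still says the name MUST be unique means duplicate rule names are now admitted by the API server and have to be handled by the provider; the TLSRoute provider should either reject such a Route with an explicit status condition or document which rule wins, and a unit test with two rules sharing a name would pin that behaviour. If the removal simply mirrors upstream v1.5.1, say so in the PR description so the follow-up is tracked rather than assumed.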
@@ -18004,7 +20164,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -18237,7 +20397,7 @@ spec:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
status:
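Review bot: flipping v1alpha3 to `storage: false` (with `storage: true` now on the v1 version added earlier in this file) changes the CRD's storage version, and existing TLSRoute objects written under v1alpha3 remain stored in that version until they are rewritten; the CRD's `status.storedVersions` will then list both versions, and v1alpha3 cannot be removed from the CRD in a later release until those objects have been migrated. The upgrade documentation should therefore tell users to apply the updated CRDs before creating new TLSRoutes and, before any later removal of the old versions, to re-save existing objects so they are persisted as v1. Also make sure the CRD is applied as one object with exactly one version marked `storage: true`; the API server rejects a CRD with zero or two storage versions.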
@@ -18254,8 +20414,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: udproutes.gateway.networking.k8s.io
spec:
@@ -18764,7 +20924,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -19008,14 +21168,66 @@ status:
storedVersions: null
---
#
+# config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml
+#
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ annotations:
+ gateway.networking.k8s.io/bundle-version: v1.5.0-dev
+ gateway.networking.k8s.io/channel: standard
+ name: "safe-upgrades.gateway.networking.k8s.io"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["apiextensions.k8s.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["*"]
+ validations:
+ - expression: "object.spec.group != 'gateway.networking.k8s.io' || oldObject == null || (
+ has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') &&
+ object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' ) || (
+ oldObject != null && has(oldObject.metadata.annotations) && oldObject.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') &&
+ oldObject.metadata.annotations['gateway.networking.k8s.io/channel'] == 'experimental' )"
+ message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs."
+ reason: Invalid
+ - expression: "object.spec.group != 'gateway.networking.k8s.io' ||
+ (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') &&
+ !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') &&
+ !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library
+ message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions."
+ reason: Invalid
+
+---
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ annotations:
+ gateway.networking.k8s.io/bundle-version: v1.5.0-dev
+ gateway.networking.k8s.io/channel: standard
+ name: safe-upgrades.gateway.networking.k8s.io
+spec:
+ policyName: safe-upgrades.gateway.networking.k8s.io
+ validationActions: [Deny]
+ matchResources:
+ resourceRules:
+ - apiGroups: ["apiextensions.k8s.io"]
+ apiVersions: ["v1"]
+ resources: ["customresourcedefinitions"]
+ operations: ["CREATE", "UPDATE"]
+---
+#
# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
labels:
gateway.networking.k8s.io/policy: Direct
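Review bot: `ValidatingAdmissionPolicy` in `admissionregistration.k8s.io/v1` only exists on Kubernetes 1.30 and newer, so applying the experimental bundle to an older API server now fails partway through at `safe-upgrades.gateway.networking.k8s.io`; the provider docs should state the minimum cluster version this bundle assumes. Two consistency points in the same block: the policy and binding carry `gateway.networking.k8s.io/bundle-version: v1.5.0-dev` while every CRD in this bundle says `v1.5.1`, and the policy is annotated `channel: standard` although the path comment places it under `config/crd/experimental/`; if these are taken verbatim from upstream, say so, otherwise align them. Also note the second validation ANDs `annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version')` with the regex checks, so any CRD in the `gateway.networking.k8s.io` group without that annotation is denied outright, not only pre-v1.5.0 ones; the `message` only mentions old versions, which will confuse anyone carrying a hand-built CRD in that group.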
@@ -19112,7 +21324,7 @@ spec:
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
x-kubernetes-validations:
- - message: interval can not be greater than one hour or less
+ - message: interval cannot be greater than one hour or less
than one second
rule: '!(duration(self) < duration(''1s'') || duration(self)
> duration(''1h''))'
@@ -19162,7 +21374,7 @@ spec:
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
x-kubernetes-validations:
- - message: interval can not be greater than one hour
+ - message: interval cannot be greater than one hour
rule: '!(duration(self) == duration(''0s'') || duration(self)
> duration(''1h''))'
type: object
@@ -19240,7 +21452,7 @@ spec:
default: Cookie
description: |-
Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
+ the use of a header or cookie. Defaults to cookie based session
persistence.
Support: Core for "Cookie" type
@@ -19256,6 +21468,8 @@ spec:
is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
|| self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ - message: cookieConfig can only be set with type Cookie
+ rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
targetRefs:
description: |-
TargetRefs identifies API object(s) to apply this policy to.
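Review bot: the new rule `'!has(self.cookieConfig) || self.type == ''Cookie'''` is a tightening that does not reject objects already stored, but it will make the next update of any existing policy that sets `cookieConfig` with a non-`Cookie` type fail at admission; a short note in the migration guide telling users to clean those objects up before upgrading would avoid surprise failures in controllers that patch these policies.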
@@ -19263,7 +21477,7 @@ spec:
ServiceImport, or any implementation-specific backendRef) are the only
valid API target references.
- Currently, a TargetRef can not be scoped to a specific port on a
+ Currently, a TargetRef cannot be scoped to a specific port on a
Service.
items:
description: |-
@@ -19618,805 +21832,14 @@ status:
storedVersions: null
---
#
-# config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml
-#
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
- gateway.networking.k8s.io/channel: experimental
- name: xlistenersets.gateway.networking.x-k8s.io
-spec:
- group: gateway.networking.x-k8s.io
- names:
- categories:
- - gateway-api
- kind: XListenerSet
- listKind: XListenerSetList
- plural: xlistenersets
- shortNames:
- - lset
- singular: xlistenerset
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .status.conditions[?(@.type=="Accepted")].status
- name: Accepted
- type: string
- - jsonPath: .status.conditions[?(@.type=="Programmed")].status
- name: Programmed
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- description: |-
- XListenerSet defines a set of additional listeners to attach to an existing Gateway.
- This resource provides a mechanism to merge multiple listeners into a single Gateway.
-
- The parent Gateway must explicitly allow ListenerSet attachment through its
- AllowedListeners configuration. By default, Gateways do not allow ListenerSet
- attachment.
-
- Routes can attach to a ListenerSet by specifying it as a parentRef, and can
- optionally target specific listeners using the sectionName field.
-
- Policy Attachment:
- - Policies that attach to a ListenerSet apply to all listeners defined in that resource
- - Policies do not impact listeners in the parent Gateway
- - Different ListenerSets attached to the same Gateway can have different policies
- - If an implementation cannot apply a policy to specific listeners, it should reject the policy
-
- ReferenceGrant Semantics:
- - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
- - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
- - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
-
- Gateway Integration:
- - The parent Gateway's status will include an "AttachedListenerSets" condition
- - This condition will be:
- - True: when AllowedListeners is set and at least one child ListenerSet is attached
- - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
- - Unknown: when no AllowedListeners config is present
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec defines the desired state of ListenerSet.
- properties:
- listeners:
- description: |-
- Listeners associated with this ListenerSet. Listeners define
- logical endpoints that are bound on this referenced parent Gateway's addresses.
-
- Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
- as a list when programming the underlying infrastructure. Each listener
- name does not need to be unique across the Gateway and ListenerSets.
- See ListenerEntry.Name for more details.
-
- Implementations MUST treat the parent Gateway as having the merged
- list of all listeners from itself and attached ListenerSets using
- the following precedence:
-
- 1. "parent" Gateway
- 2. ListenerSet ordered by creation time (oldest first)
- 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
-
- An implementation MAY reject listeners by setting the ListenerEntryStatus
- `Accepted` condition to False with the Reason `TooManyListeners`
-
- If a listener has a conflict, this will be reported in the
- Status.ListenerEntryStatus setting the `Conflicted` condition to True.
-
- Implementations SHOULD be cautious about what information from the
- parent or siblings are reported to avoid accidentally leaking
- sensitive information that the child would not otherwise have access
- to. This can include contents of secrets etc.
- items:
- properties:
- allowedRoutes:
- default:
- namespaces:
- from: Same
- description: |-
- AllowedRoutes defines the types of routes that MAY be attached to a
- Listener and the trusted namespaces where those Route resources MAY be
- present.
-
- Although a client request may match multiple route rules, only one rule
- may ultimately receive the request. Matching precedence MUST be
- determined in order of the following criteria:
-
- * The most specific match as defined by the Route type.
- * The oldest Route based on creation timestamp. For example, a Route with
- a creation timestamp of "2020-09-08 01:02:03" is given precedence over
- a Route with a creation timestamp of "2020-09-08 01:02:04".
- * If everything else is equivalent, the Route appearing first in
- alphabetical order (namespace/name) should be given precedence. For
- example, foo/bar is given precedence over foo/baz.
-
- All valid rules within a Route attached to this Listener should be
- implemented. Invalid Route rules can be ignored (sometimes that will mean
- the full Route). If a Route rule transitions from valid to invalid,
- support for that Route rule should be dropped to ensure consistency. For
- example, even if a filter specified by a Route rule is invalid, the rest
- of the rules within that Route should still be supported.
- properties:
- kinds:
- description: |-
- Kinds specifies the groups and kinds of Routes that are allowed to bind
- to this Gateway Listener. When unspecified or empty, the kinds of Routes
- selected are determined using the Listener protocol.
-
- A RouteGroupKind MUST correspond to kinds of Routes that are compatible
- with the application protocol specified in the Listener's Protocol field.
- If an implementation does not support or recognize this resource type, it
- MUST set the "ResolvedRefs" condition to False for this Listener with the
- "InvalidRouteKinds" reason.
-
- Support: Core
- items:
- description: RouteGroupKind indicates the group and kind
- of a Route resource.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: Group is the group of the Route.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is the kind of the Route.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- required:
- - kind
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-type: atomic
- namespaces:
- default:
- from: Same
- description: |-
- Namespaces indicates namespaces from which Routes may be attached to this
- Listener. This is restricted to the namespace of this Gateway by default.
-
- Support: Core
- properties:
- from:
- default: Same
- description: |-
- From indicates where Routes will be selected for this Gateway. Possible
- values are:
-
- * All: Routes in all namespaces may be used by this Gateway.
- * Selector: Routes in namespaces selected by the selector may be used by
- this Gateway.
- * Same: Only Routes in the same namespace may be used by this Gateway.
-
- Support: Core
- enum:
- - All
- - Selector
- - Same
- type: string
- selector:
- description: |-
- Selector must be specified when From is set to "Selector". In that case,
- only Routes in Namespaces matching this Selector will be selected by this
- Gateway. This field is ignored for other values of "From".
-
- Support: Core
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: object
- hostname:
- description: |-
- Hostname specifies the virtual hostname to match for protocol types that
- define this concept. When unspecified, all hostnames are matched. This
- field is ignored for protocols that don't require hostname based
- matching.
-
- Implementations MUST apply Hostname matching appropriately for each of
- the following protocols:
-
- * TLS: The Listener Hostname MUST match the SNI.
- * HTTP: The Listener Hostname MUST match the Host header of the request.
- * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
- protocol layers as described above. If an implementation does not
- ensure that both the SNI and Host header match the Listener hostname,
- it MUST clearly document that.
-
- For HTTPRoute and TLSRoute resources, there is an interaction with the
- `spec.hostnames` array. When both listener and route specify hostnames,
- there MUST be an intersection between the values for a Route to be
- accepted. For more information, refer to the Route specific Hostnames
- documentation.
-
- Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
- as a suffix match. That means that a match for `*.example.com` would match
- both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
- maxLength: 253
- minLength: 1
- pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- name:
- description: |-
- Name is the name of the Listener. This name MUST be unique within a
- ListenerSet.
-
- Name is not required to be unique across a Gateway and ListenerSets.
- Routes can attach to a Listener by having a ListenerSet as a parentRef
- and setting the SectionName
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- port:
- default: 0
- description: |-
- Port is the network port. Multiple listeners may use the
- same port, subject to the Listener compatibility rules.
-
- If the port is not set or specified as zero, the implementation will assign
- a unique port. If the implementation does not support dynamic port
- assignment, it MUST set `Accepted` condition to `False` with the
- `UnsupportedPort` reason.
- format: int32
- maximum: 65535
- minimum: 0
- type: integer
- protocol:
- description: Protocol specifies the network protocol this listener
- expects to receive.
- maxLength: 255
- minLength: 1
- pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
- type: string
- tls:
- description: |-
- TLS is the TLS configuration for the Listener. This field is required if
- the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
- if the Protocol field is "HTTP", "TCP", or "UDP".
-
- The association of SNIs to Certificate defined in ListenerTLSConfig is
- defined based on the Hostname field for this listener.
-
- The GatewayClass MUST use the longest matching SNI out of all
- available certificates for any TLS handshake.
- properties:
- certificateRefs:
- description: |-
- CertificateRefs contains a series of references to Kubernetes objects that
- contains TLS certificates and private keys. These certificates are used to
- establish a TLS handshake for requests that match the hostname of the
- associated listener.
-
- A single CertificateRef to a Kubernetes Secret has "Core" support.
- Implementations MAY choose to support attaching multiple certificates to
- a Listener, but this behavior is implementation-specific.
-
- References to a resource in different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
-
- This field is required to have at least one element when the mode is set
- to "Terminate" (default) and is optional otherwise.
-
- CertificateRefs can reference to standard Kubernetes resources, i.e.
- Secret, or implementation-specific custom resources.
-
- Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
-
- Support: Implementation-specific (More than one reference or other resource types)
- items:
- description: |-
- SecretObjectReference identifies an API object including its namespace,
- defaulting to Secret.
-
- The API object must be valid in the cluster; the Group and Kind must
- be registered in the cluster for this reference to be valid.
-
- References to objects with invalid Group and Kind are not valid, and must
- be rejected by the implementation, with appropriate Conditions set
- on the containing object.
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Secret
- description: Kind is kind of the referent. For example
- "Secret".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referenced object. When unspecified, the local
- namespace is inferred.
-
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- maxItems: 64
- type: array
- x-kubernetes-list-type: atomic
- mode:
- default: Terminate
- description: |-
- Mode defines the TLS behavior for the TLS session initiated by the client.
- There are two possible modes:
-
- - Terminate: The TLS session between the downstream client and the
- Gateway is terminated at the Gateway. This mode requires certificates
- to be specified in some way, such as populating the certificateRefs
- field.
- - Passthrough: The TLS session is NOT terminated by the Gateway. This
- implies that the Gateway can't decipher the TLS stream except for
- the ClientHello message of the TLS protocol. The certificateRefs field
- is ignored in this mode.
-
- Support: Core
- enum:
- - Terminate
- - Passthrough
- type: string
- options:
- additionalProperties:
- description: |-
- AnnotationValue is the value of an annotation in Gateway API. This is used
- for validation of maps such as TLS options. This roughly matches Kubernetes
- annotation validation, although the length validation in that case is based
- on the entire size of the annotations struct.
- maxLength: 4096
- minLength: 0
- type: string
- description: |-
- Options are a list of key/value pairs to enable extended TLS
- configuration for each implementation. For example, configuring the
- minimum TLS version or supported cipher suites.
-
- A set of common keys MAY be defined by the API in the future. To avoid
- any ambiguity, implementation-specific definitions MUST use
- domain-prefixed names, such as `example.com/my-custom-option`.
- Un-prefixed names are reserved for key names defined by Gateway API.
-
- Support: Implementation-specific
- maxProperties: 16
- type: object
- type: object
- x-kubernetes-validations:
- - message: certificateRefs or options must be specified when
- mode is Terminate
- rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
- > 0 || size(self.options) > 0 : true'
- required:
- - name
- - protocol
- type: object
- maxItems: 64
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- x-kubernetes-validations:
- - message: tls must not be specified for protocols ['HTTP', 'TCP',
- 'UDP']
- rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
- !has(l.tls) : true)'
- - message: tls mode must be Terminate for protocol HTTPS
- rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
- == '''' || l.tls.mode == ''Terminate'') : true)'
- - message: hostname must not be specified for protocols ['TCP', 'UDP']
- rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
- || l.hostname == '''') : true)'
- - message: Listener name must be unique within the Gateway
- rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
- - message: Combination of port, protocol and hostname must be unique
- for each listener
- rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port)
- && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname)
- && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname)
- && !has(l2.hostname))))'
- parentRef:
- description: ParentRef references the Gateway that the listeners are
- attached to.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: Group is the group of the referent.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- description: Kind is kind of the referent. For example "Gateway".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent. If not present,
- the namespace of the referent is assumed to be the same as
- the namespace of the referring object.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - listeners
- - parentRef
- type: object
- status:
- default:
- conditions:
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Accepted
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Programmed
- description: Status defines the current state of ListenerSet.
- properties:
- conditions:
- default:
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Accepted
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Programmed
- description: |-
- Conditions describe the current conditions of the ListenerSet.
-
- Implementations MUST express ListenerSet conditions using the
- `ListenerSetConditionType` and `ListenerSetConditionReason`
- constants so that operators and tools can converge on a common
- vocabulary to describe ListenerSet state.
-
- Known condition types are:
-
- * "Accepted"
- * "Programmed"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- listeners:
- description: Listeners provide status for each unique listener port
- defined in the Spec.
- items:
- description: ListenerStatus is the status associated with a Listener.
- properties:
- attachedRoutes:
- description: |-
- AttachedRoutes represents the total number of Routes that have been
- successfully attached to this Listener.
-
- Successful attachment of a Route to a Listener is based solely on the
- combination of the AllowedRoutes field on the corresponding Listener
- and the Route's ParentRefs field. A Route is successfully attached to
- a Listener when it is selected by the Listener's AllowedRoutes field
- AND the Route has a valid ParentRef selecting the whole Gateway
- resource or a specific Listener as a parent resource (more detail on
- attachment semantics can be found in the documentation on the various
- Route kinds ParentRefs fields). Listener or Route status does not impact
- successful attachment, i.e. the AttachedRoutes field count MUST be set
- for Listeners with condition Accepted: false and MUST count successfully
- attached Routes that may themselves have Accepted: false conditions.
-
- Uses for this field include troubleshooting Route attachment and
- measuring blast radius/impact of changes to a Listener.
- format: int32
- type: integer
- conditions:
- description: Conditions describe the current condition of this
- listener.
- items:
- description: Condition contains details for one aspect of
- the current state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- name:
- description: Name is the name of the Listener that this status
- corresponds to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- port:
- description: Port is the network port the listener is configured
- to listen on.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- supportedKinds:
- description: |-
- SupportedKinds is the list indicating the Kinds supported by this
- listener. This MUST represent the kinds an implementation supports for
- that Listener configuration.
-
- If kinds are specified in Spec that are not supported, they MUST NOT
- appear in this list and an implementation MUST set the "ResolvedRefs"
- condition to "False" with the "InvalidRouteKinds" reason. If both valid
- and invalid Route kinds are specified, the implementation MUST
- reference the valid Route kinds that have been specified.
- items:
- description: RouteGroupKind indicates the group and kind of
- a Route resource.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: Group is the group of the Route.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is the kind of the Route.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- required:
- - kind
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-type: atomic
- required:
- - attachedRoutes
- - conditions
- - name
- - port
- - supportedKinds
- type: object
- maxItems: 64
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: null
- storedVersions: null
----
-#
# config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: xmeshes.gateway.networking.x-k8s.io
spec:
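Review bot: the removed lines end with a `---` document separator and a `#` comment marker, so this hunk drops an entire CRD document from the experimental bundle (the visible tail of its schema is a listener status with `attachedRoutes`, `conditions`, `name`, `port` and `supportedKinds`), while the xmeshes CRD that follows is only re-annotated with `api-approved.kubernetes.io: .../pull/4530` and `bundle-version: v1.5.1`. Confirm that the dropped kind is either no longer served by the provider or now installed from another manifest, and that the upgrade notes call it out: deleting a CRD deletes every existing object of that kind with it, so users need to know the upgrade order.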
diff --git a/integration/fixtures/gateway-api-conformance/02-traefik.yml b/integration/fixtures/gateway-api-conformance/02-traefik.yml
index c03c7d852..4d021b70c 100644
--- a/integration/fixtures/gateway-api-conformance/02-traefik.yml
+++ b/integration/fixtures/gateway-api-conformance/02-traefik.yml
@@ -49,6 +49,8 @@ spec:
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web8080.address=:8080
+ - --entrypoints.tls8443.address=:8443
+ - --entrypoints.tls8883.address=:8883
- --entrypoints.traefik.address=:9000
- --providers.kubernetesgateway.experimentalChannel
- --providers.kubernetesgateway.statusaddress.service.namespace=traefik
@@ -60,6 +62,10 @@ spec:
containerPort: 443
- name: web8080
containerPort: 8080
+ - name: tls8443
+ containerPort: 8443
+ - name: tls8883
+ containerPort: 8883
- name: traefik
containerPort: 9000
@@ -83,6 +89,12 @@ spec:
- port: 8080
name: web8080
targetPort: web8080
+ - port: 8443
+ name: tls8443
+ targetPort: tls8443
+ - port: 8883
+ name: tls8883
+ targetPort: tls8883
- port: 9000
name: traefik
targetPort: traefik
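Review bot: the new `tls8443` and `tls8883` names are consistent across the three hunks of this fixture (entrypoint flags, `containerPort` names and Service `targetPort`), which is what makes the named `targetPort` resolve. Worth double-checking that the conformance Gateway fixture actually declares listeners on 8443 and 8883, presumably for the `TLS` protocol tests; otherwise the Service exposes two ports that nothing exercises. Nothing in the flags constrains these entrypoints to TLS, so any TCP router the provider attaches will be reachable on them, which is fine for a test fixture but worth a comment in the file.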
diff --git a/integration/fixtures/k8s/00-experimental-v1.4.0.yml b/integration/fixtures/k8s/00-experimental-v1.5.1.yml
similarity index 91%
rename from integration/fixtures/k8s/00-experimental-v1.4.0.yml
rename to integration/fixtures/k8s/00-experimental-v1.5.1.yml
index b1e7bd2f2..449907fe2 100644
--- a/integration/fixtures/k8s/00-experimental-v1.4.0.yml
+++ b/integration/fixtures/k8s/00-experimental-v1.5.1.yml
@@ -1,4 +1,4 @@
-# Copyright 2025 The Kubernetes Authors.
+# Copyright The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,8 +23,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
labels:
gateway.networking.k8s.io/policy: Direct
@@ -99,8 +99,6 @@ spec:
targetRefs:
description: |-
TargetRefs identifies an API object to apply the policy to.
- Only Services have Extended support. Implementations MAY support
- additional objects, with Implementation Specific support.
Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide
a more granular application of the policy.
@@ -121,17 +119,42 @@ spec:
example, a policy with a creation timestamp of "2021-07-15
01:02:03" MUST be given precedence over a policy with a
creation timestamp of "2021-07-15 01:02:04".
- * The policy appearing first in alphabetical order by {name}.
- For example, a policy named `bar` is given precedence over a
- policy named `baz`.
+ * The policy appearing first in alphabetical order by {namespace}/{name}.
+ For example, a policy named `foo/bar` is given precedence over a
+ policy named `foo/baz`.
For any BackendTLSPolicy that does not take precedence, the
implementation MUST ensure the `Accepted` Condition is set to
`status: False`, with Reason `Conflicted`.
- Support: Extended for Kubernetes Service
+ Implementations SHOULD NOT support more than one targetRef at this
+ time. Although the API technically allows for this, the current guidance
+ for conflict resolution and status handling is lacking. Until that can be
+ clarified in a future release, the safest approach is to support a single
+ targetRef.
- Support: Implementation-specific for any other resource
+ Support Levels:
+
+ * Extended: Kubernetes Service referenced by HTTPRoute backendRefs.
+
+ * Implementation-Specific: Services not connected via HTTPRoute, and any
+ other kind of backend. Implementations MAY use BackendTLSPolicy for:
+ - Services not referenced by any Route (e.g., infrastructure services)
+ - Gateway feature backends (e.g., ExternalAuth, rate-limiting services)
+ - Service mesh workload-to-service communication
+ - Other resource types beyond Service
+
+ Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent,
+ even outside of the extended HTTPRoute -(backendRef) -> Service path.
+ They SHOULD clearly document how BackendTLSPolicy is interpreted in these
+ scenarios, including:
+ - Which resources beyond Service are supported
+ - How the policy is discovered and applied
+ - Any implementation-specific semantics or restrictions
+
+ Note that this config applies to the entire referenced resource
+ by default, but this default may change in the future to provide
+ a more granular application of the policy.
items:
description: |-
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
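Review bot: the precedence rule in this hunk changes from `{name}` to `{namespace}/{name}`, and the new text says implementations SHOULD NOT support more than one `targetRef`. If the provider's BackendTLSPolicy conflict resolution still orders policies by name alone, two policies in different namespaces targeting the same Service can be resolved differently from what the CRD now documents; the loser's `Accepted: False` / `Conflicted` status should follow the new ordering, and a decision on the single-`targetRef` guidance (reject, or accept and document) belongs in the provider docs. The trailing `Note that this config applies to the entire referenced resource ...` paragraph duplicates the one in the previous hunk; that is upstream-generated text, so nothing to change here.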
@@ -370,8 +393,8 @@ spec:
x-kubernetes-list-type: atomic
wellKnownCACertificates:
description: |-
- WellKnownCACertificates specifies whether system CA certificates may be used in
- the TLS handshake between the gateway and backend pod.
+ WellKnownCACertificates specifies whether a well-known set of CA certificates
+ may be used in the TLS handshake between the gateway and backend pod.
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of
@@ -381,9 +404,17 @@ spec:
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
a Reason `Invalid`.
+ Valid values include:
+ * "System" - indicates that well-known system CA certificates should be used.
+
+ Implementations MAY define their own sets of CA certificates. Such definitions
+ MUST use an implementation-specific, prefixed name, such as
+ `mycompany.com/my-custom-ca-certificates`.
+
Support: Implementation-specific
- enum:
- - System
+ maxLength: 253
+ minLength: 1
+ pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$
type: string
required:
- hostname
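Review bot: replacing `enum: [System]` with a `pattern` means the API server now admits any `<dns-prefix>/<name>` value for `wellKnownCACertificates`, not only `System`. The provider must therefore treat every value it does not itself define as invalid and set `Accepted: False` with Reason `Invalid`, as the description above requires, rather than letting an unrecognized CA set fall through to system trust or to a backend connection without CA verification; a unit test with a constructed value such as `example.com/unknown-bundle` (which matches the regex) would pin that down. The regex caps the part after `/` at 63 characters while `maxLength: 253` applies to the whole string.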
@@ -762,8 +793,6 @@ spec:
targetRefs:
description: |-
TargetRefs identifies an API object to apply the policy to.
- Only Services have Extended support. Implementations MAY support
- additional objects, with Implementation Specific support.
Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide
a more granular application of the policy.
@@ -784,17 +813,42 @@ spec:
example, a policy with a creation timestamp of "2021-07-15
01:02:03" MUST be given precedence over a policy with a
creation timestamp of "2021-07-15 01:02:04".
- * The policy appearing first in alphabetical order by {name}.
- For example, a policy named `bar` is given precedence over a
- policy named `baz`.
+ * The policy appearing first in alphabetical order by {namespace}/{name}.
+ For example, a policy named `foo/bar` is given precedence over a
+ policy named `foo/baz`.
For any BackendTLSPolicy that does not take precedence, the
implementation MUST ensure the `Accepted` Condition is set to
`status: False`, with Reason `Conflicted`.
- Support: Extended for Kubernetes Service
+ Implementations SHOULD NOT support more than one targetRef at this
+ time. Although the API technically allows for this, the current guidance
+ for conflict resolution and status handling is lacking. Until that can be
+ clarified in a future release, the safest approach is to support a single
+ targetRef.
- Support: Implementation-specific for any other resource
+ Support Levels:
+
+ * Extended: Kubernetes Service referenced by HTTPRoute backendRefs.
+
+ * Implementation-Specific: Services not connected via HTTPRoute, and any
+ other kind of backend. Implementations MAY use BackendTLSPolicy for:
+ - Services not referenced by any Route (e.g., infrastructure services)
+ - Gateway feature backends (e.g., ExternalAuth, rate-limiting services)
+ - Service mesh workload-to-service communication
+ - Other resource types beyond Service
+
+ Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent,
+ even outside of the extended HTTPRoute -(backendRef) -> Service path.
+ They SHOULD clearly document how BackendTLSPolicy is interpreted in these
+ scenarios, including:
+ - Which resources beyond Service are supported
+ - How the policy is discovered and applied
+ - Any implementation-specific semantics or restrictions
+
+ Note that this config applies to the entire referenced resource
+ by default, but this default may change in the future to provide
+ a more granular application of the policy.
items:
description: |-
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
@@ -1033,8 +1087,8 @@ spec:
x-kubernetes-list-type: atomic
wellKnownCACertificates:
description: |-
- WellKnownCACertificates specifies whether system CA certificates may be used in
- the TLS handshake between the gateway and backend pod.
+ WellKnownCACertificates specifies whether a well-known set of CA certificates
+ may be used in the TLS handshake between the gateway and backend pod.
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of
@@ -1044,9 +1098,17 @@ spec:
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
a Reason `Invalid`.
+ Valid values include:
+ * "System" - indicates that well-known system CA certificates should be used.
+
+ Implementations MAY define their own sets of CA certificates. Such definitions
+ MUST use an implementation-specific, prefixed name, such as
+ `mycompany.com/my-custom-ca-certificates`.
+
Support: Implementation-specific
- enum:
- - System
+ maxLength: 253
+ minLength: 1
+ pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$
type: string
required:
- hostname
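Review bot: this is the same loosening of `wellKnownCACertificates` for the second served version of the CRD, with an identical `pattern`, so no value can be admitted through one API version that the other would reject. Make sure the provider's own check of the value runs on the converted object so both versions are handled by one code path.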
@@ -1367,6 +1429,8 @@ spec:
type: object
served: true
storage: false
+ subresources:
+ status: {}
status:
acceptedNames:
kind: ""
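Review bot: adding `subresources: status: {}` to a version with `storage: false` changes how status is written through that version: the main resource endpoint now ignores `.status`, and status writes must go through the `/status` subresource. If the provider or the integration tests update this kind's status with a plain update instead of `UpdateStatus`, or if the RBAC rules lack `update`/`patch` on the `<plural>/status` resource, status will silently stop being persisted for objects accessed through this version.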
@@ -1381,8 +1445,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: gatewayclasses.gateway.networking.k8s.io
spec:
@@ -1900,8 +1964,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: gateways.gateway.networking.k8s.io
spec:
@@ -2036,14 +2100,14 @@ spec:
allowedListeners:
description: |-
AllowedListeners defines which ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
+ The default value is to allow no ListenerSets.
properties:
namespaces:
default:
from: None
description: |-
Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
+ The default value is to allow no ListenerSets.
properties:
from:
default: None
@@ -2056,7 +2120,7 @@ spec:
* All: ListenerSets in all namespaces may be attached to this Gateway.
* None: Only listeners defined in the Gateway's spec are allowed
- While this feature is experimental, the default value None
+ The default value None
enum:
- All
- Selector
@@ -2605,7 +2669,7 @@ spec:
the Gateway SHOULD return a 421.
* If the current Listener (selected by SNI matching during ClientHello)
does not match the Host:
- * If another Listener does match the Host the Gateway SHOULD return a
+ * If another Listener does match the Host, the Gateway SHOULD return a
421.
* If no other Listener matches the Host, the Gateway MUST return a
404.
@@ -2816,6 +2880,9 @@ spec:
- message: tls mode must be Terminate for protocol HTTPS
rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
== '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: tls mode must be set for protocol TLS
+ rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode)
+ && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
|| l.hostname == '''') : true)'
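Review bot: the new CEL rule `tls mode must be set for protocol TLS` rejects, at admission time, any Gateway whose `TLS` listener omits `tls` or `tls.mode`; previously the mode could be left empty. Two follow-ups: existing Gateway objects are not re-validated when the CRD is replaced, so the provider must still handle a `TLS` listener with an empty mode for objects created before the upgrade instead of assuming the rule holds; and any integration fixture declaring `TLS` listeners (the new 8443/8883 entrypoints suggest there are some) needs an explicit `mode` or it will fail to apply. The expression parses as intended: `?:` binds lowest in CEL, so `has(l.tls) && has(l.tls.mode) && l.tls.mode != ''` is the whole true branch.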
@@ -2845,19 +2912,30 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef is a reference to an object that contains a Client
- Certificate and the associated private key.
+ ClientCertificateRef references an object that contains a client certificate
+ and its associated private key. It can reference standard Kubernetes resources,
+ i.e., Secret, or implementation-specific custom resources.
- References to a resource in different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ A ClientCertificateRef is considered invalid if:
- ClientCertificateRef can reference to standard Kubernetes resources, i.e.
- Secret, or implementation-specific custom resources.
+ * It refers to a resource that cannot be resolved (e.g., the referenced resource
+ does not exist) or is misconfigured (e.g., a Secret does not contain the keys
+ named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
+ on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
+ and the Message of the Condition MUST indicate why the reference is invalid.
- Support: Core
+ * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
+ in the target namespace that allows the certificate to be attached.
+ If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
+ on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the certificate
+ content (e.g., checking expiry or enforcing specific formats). In such cases,
+ an implementation-specific Reason and Message MUST be set.
+
+ Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
+ Support: Implementation-specific - Other resource kinds or Secrets with a
+ different type (e.g., `Opaque`).
properties:
group:
default: ""
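Review bot: this hunk introduces a new Reason, `InvalidClientCertificateRef`, for a reference that cannot be resolved or a Secret missing `tls.crt`/`tls.key`, and narrows Core support to Secrets of type `kubernetes.io/tls`. Check that the provider emits this Reason on the Gateway's `ResolvedRefs` condition rather than a generic invalid-reference reason, decides explicitly whether `Opaque` Secrets are accepted (implementation-specific here) and documents it, and keeps `RefNotPermitted` for the cross-namespace-without-ReferenceGrant case, which stays a distinct reason. Note that the condition is set on the Gateway, not on the listener.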
@@ -2924,27 +3002,49 @@ spec:
properties:
caCertificateRefs:
description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
+ CACertificateRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle, which
+ is used as a trust anchor to validate the certificates presented by
+ the client.
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
+ A CACertificateRef is invalid if:
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
+ * It refers to a resource that cannot be resolved (e.g., the
+ referenced resource does not exist) or is misconfigured (e.g., a
+ ConfigMap does not contain a key named `ca.crt`). In this case, the
+ Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
- Support: Implementation-specific (More than one certificate in a ConfigMap
- with different keys or more than one reference, or other kinds of resources).
+ * It refers to an unknown or unsupported kind of resource. In this
+ case, the Reason on all matching HTTPS listeners must be set to
+ `InvalidCACertificateKind` and the Message of the Condition must explain
+ which kind of resource is unknown or unsupported.
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ * It refers to a resource in another namespace UNLESS there is a
+ ReferenceGrant in the target namespace that allows the CA
+ certificate to be attached. If a ReferenceGrant does not allow this
+ reference, the `ResolvedRefs` on all matching HTTPS listeners condition
+ MUST be set with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the
+ certificate content (e.g., checking expiry or enforcing specific formats).
+ In such cases, an implementation-specific Reason and Message MUST be set.
+
+ In all cases, the implementation MUST ensure that the `ResolvedRefs`
+ condition is set to `status: False` on all targeted listeners (i.e.,
+ listeners serving HTTPS on a matching port). The condition MUST
+ include a Reason and Message that indicate the cause of the error. If
+ ALL CACertificateRefs are invalid, the implementation MUST also ensure
+ the `Accepted` condition on the listener is set to `status: False`, with
+ the Reason `NoValidCACertificate`.
+ Implementations MAY choose to support attaching multiple CA certificates
+ to a listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap, with the
+ CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
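Review bot: the security-relevant requirement in this hunk is the final paragraph: if ALL `caCertificateRefs` are invalid, `Accepted` on the listener MUST be `False` with Reason `NoValidCACertificate`, and `ResolvedRefs` MUST be `False` on every HTTPS listener on the matching port. The provider must not fall back to serving that listener with client-certificate verification disabled; the safe behaviour is to not program the listener at all and surface the status. The new Reasons (`InvalidCACertificateRef`, `InvalidCACertificateKind`, `RefNotPermitted`) should map to distinct error paths, and a ConfigMap with a key other than `ca.crt` should land on `InvalidCACertificateRef`. The garbled phrase `the ResolvedRefs on all matching HTTPS listeners condition` is upstream text and is vendored as-is.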
@@ -3067,27 +3167,49 @@ spec:
properties:
caCertificateRefs:
description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
+ CACertificateRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle, which
+ is used as a trust anchor to validate the certificates presented by
+ the client.
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
+ A CACertificateRef is invalid if:
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
+ * It refers to a resource that cannot be resolved (e.g., the
+ referenced resource does not exist) or is misconfigured (e.g., a
+ ConfigMap does not contain a key named `ca.crt`). In this case, the
+ Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
- Support: Implementation-specific (More than one certificate in a ConfigMap
- with different keys or more than one reference, or other kinds of resources).
+ * It refers to an unknown or unsupported kind of resource. In this
+ case, the Reason on all matching HTTPS listeners must be set to
+ `InvalidCACertificateKind` and the Message of the Condition must explain
+ which kind of resource is unknown or unsupported.
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ * It refers to a resource in another namespace UNLESS there is a
+ ReferenceGrant in the target namespace that allows the CA
+ certificate to be attached. If a ReferenceGrant does not allow this
+ reference, the `ResolvedRefs` on all matching HTTPS listeners condition
+ MUST be set with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the
+ certificate content (e.g., checking expiry or enforcing specific formats).
+ In such cases, an implementation-specific Reason and Message MUST be set.
+
+ In all cases, the implementation MUST ensure that the `ResolvedRefs`
+ condition is set to `status: False` on all targeted listeners (i.e.,
+ listeners serving HTTPS on a matching port). The condition MUST
+ include a Reason and Message that indicate the cause of the error. If
+ ALL CACertificateRefs are invalid, the implementation MUST also ensure
+ the `Accepted` condition on the listener is set to `status: False`, with
+ the Reason `NoValidCACertificate`.
+ Implementations MAY choose to support attaching multiple CA certificates
+ to a listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap, with the
+ CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
@@ -3261,6 +3383,20 @@ spec:
maxItems: 16
type: array
x-kubernetes-list-type: atomic
+ attachedListenerSets:
+ description: |-
+ AttachedListenerSets represents the total number of ListenerSets that have been
+ successfully attached to this Gateway.
+
+ A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
+ - The ListenerSet is selected by the Gateway's AllowedListeners field
+ - The ListenerSet has a valid ParentRef selecting the Gateway
+ - The ListenerSet's status has the condition "Accepted: true"
+
+ Uses for this field include troubleshooting AttachedListenerSets attachment and
+ measuring blast radius/impact of changes to a Gateway.
+ format: int32
+ type: integer
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
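Review bot: `attachedListenerSets` is a new optional `int32` status field on the Gateway. If the provider supports ListenerSets it should populate it using the three conditions listed (selected by `allowedListeners`, a valid `parentRef`, and `Accepted: true` on the ListenerSet); if it does not, leave the field unset rather than writing `0` unconditionally, since a zero would claim support that is not there. It belongs in the status writer next to `attachedRoutes`, as it is the same blast-radius signal for operators.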
@@ -3365,8 +3501,11 @@ spec:
attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set
- for Listeners with condition Accepted: false and MUST count successfully
- attached Routes that may themselves have Accepted: false conditions.
+ for Listeners, even if the Accepted condition of an individual Listener is set
+ to "False". The AttachedRoutes number represents the number of Routes with
+ the Accepted condition set to "True" that have been attached to this Listener.
+ Routes with any other value for the Accepted condition MUST NOT be included
+ in this count.
Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener.
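Review bot: this is a semantic change, not a wording one: `attachedRoutes` now counts only Routes whose `Accepted` condition is `True` on this Listener, whereas the old text required counting attached Routes even when they had `Accepted: false`. The provider's status computation needs to move the count to after route acceptance is decided rather than at parentRef matching, and any integration test asserting the old count for a rejected Route will need updating. The count must still be written for Listeners that are themselves `Accepted: False`.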
@@ -3445,7 +3584,7 @@ spec:
supportedKinds:
description: |-
SupportedKinds is the list indicating the Kinds supported by this
- listener. This MUST represent the kinds an implementation supports for
+ listener. This MUST represent the kinds supported by an implementation for
that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT
@@ -3479,7 +3618,6 @@ spec:
- attachedRoutes
- conditions
- name
- - supportedKinds
type: object
maxItems: 64
type: array
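Review bot: `supportedKinds` is dropped from the required listener status fields, so an empty list may now be omitted. If the status writer already always sets it nothing changes, but fixture comparisons in the integration tests should not depend on its presence.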
@@ -3613,14 +3751,14 @@ spec:
allowedListeners:
description: |-
AllowedListeners defines which ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
+ The default value is to allow no ListenerSets.
properties:
namespaces:
default:
from: None
description: |-
Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
+ The default value is to allow no ListenerSets.
properties:
from:
default: None
@@ -3633,7 +3771,7 @@ spec:
* All: ListenerSets in all namespaces may be attached to this Gateway.
* None: Only listeners defined in the Gateway's spec are allowed
- While this feature is experimental, the default value None
+ The default value None
enum:
- All
- Selector
@@ -4182,7 +4320,7 @@ spec:
the Gateway SHOULD return a 421.
* If the current Listener (selected by SNI matching during ClientHello)
does not match the Host:
- * If another Listener does match the Host the Gateway SHOULD return a
+ * If another Listener does match the Host, the Gateway SHOULD return a
421.
* If no other Listener matches the Host, the Gateway MUST return a
404.
@@ -4393,6 +4531,9 @@ spec:
- message: tls mode must be Terminate for protocol HTTPS
rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
== '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: tls mode must be set for protocol TLS
+ rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode)
+ && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
|| l.hostname == '''') : true)'
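Review bot: the same `tls mode must be set for protocol TLS` rule is added to the second served version. That matters because `x-kubernetes-validations` are evaluated per version: a rule present on only one version could be bypassed by writing the object through the other, so having it on both is the right outcome.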
@@ -4422,19 +4563,30 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef is a reference to an object that contains a Client
- Certificate and the associated private key.
+ ClientCertificateRef references an object that contains a client certificate
+ and its associated private key. It can reference standard Kubernetes resources,
+ i.e., Secret, or implementation-specific custom resources.
- References to a resource in different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ A ClientCertificateRef is considered invalid if:
- ClientCertificateRef can reference to standard Kubernetes resources, i.e.
- Secret, or implementation-specific custom resources.
+ * It refers to a resource that cannot be resolved (e.g., the referenced resource
+ does not exist) or is misconfigured (e.g., a Secret does not contain the keys
+ named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
+ on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
+ and the Message of the Condition MUST indicate why the reference is invalid.
- Support: Core
+ * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
+ in the target namespace that allows the certificate to be attached.
+ If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
+ on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the certificate
+ content (e.g., checking expiry or enforcing specific formats). In such cases,
+ an implementation-specific Reason and Message MUST be set.
+
+ Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
+ Support: Implementation-specific - Other resource kinds or Secrets with a
+ different type (e.g., `Opaque`).
properties:
group:
default: ""
@@ -4501,27 +4653,49 @@ spec:
properties:
caCertificateRefs:
description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
+ CACertificateRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle, which
+ is used as a trust anchor to validate the certificates presented by
+ the client.
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
+ A CACertificateRef is invalid if:
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
+ * It refers to a resource that cannot be resolved (e.g., the
+ referenced resource does not exist) or is misconfigured (e.g., a
+ ConfigMap does not contain a key named `ca.crt`). In this case, the
+ Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
- Support: Implementation-specific (More than one certificate in a ConfigMap
- with different keys or more than one reference, or other kinds of resources).
+ * It refers to an unknown or unsupported kind of resource. In this
+ case, the Reason on all matching HTTPS listeners must be set to
+ `InvalidCACertificateKind` and the Message of the Condition must explain
+ which kind of resource is unknown or unsupported.
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ * It refers to a resource in another namespace UNLESS there is a
+ ReferenceGrant in the target namespace that allows the CA
+ certificate to be attached. If a ReferenceGrant does not allow this
+ reference, the `ResolvedRefs` on all matching HTTPS listeners condition
+ MUST be set with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the
+ certificate content (e.g., checking expiry or enforcing specific formats).
+ In such cases, an implementation-specific Reason and Message MUST be set.
+
+ In all cases, the implementation MUST ensure that the `ResolvedRefs`
+ condition is set to `status: False` on all targeted listeners (i.e.,
+ listeners serving HTTPS on a matching port). The condition MUST
+ include a Reason and Message that indicate the cause of the error. If
+ ALL CACertificateRefs are invalid, the implementation MUST also ensure
+ the `Accepted` condition on the listener is set to `status: False`, with
+ the Reason `NoValidCACertificate`.
+ Implementations MAY choose to support attaching multiple CA certificates
+ to a listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap, with the
+ CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
@@ -4644,27 +4818,49 @@ spec:
properties:
caCertificateRefs:
description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
+ CACertificateRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle, which
+ is used as a trust anchor to validate the certificates presented by
+ the client.
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
+ A CACertificateRef is invalid if:
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
+ * It refers to a resource that cannot be resolved (e.g., the
+ referenced resource does not exist) or is misconfigured (e.g., a
+ ConfigMap does not contain a key named `ca.crt`). In this case, the
+ Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
- Support: Implementation-specific (More than one certificate in a ConfigMap
- with different keys or more than one reference, or other kinds of resources).
+ * It refers to an unknown or unsupported kind of resource. In this
+ case, the Reason on all matching HTTPS listeners must be set to
+ `InvalidCACertificateKind` and the Message of the Condition must explain
+ which kind of resource is unknown or unsupported.
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ * It refers to a resource in another namespace UNLESS there is a
+ ReferenceGrant in the target namespace that allows the CA
+ certificate to be attached. If a ReferenceGrant does not allow this
+ reference, the `ResolvedRefs` on all matching HTTPS listeners condition
+ MUST be set with the Reason `RefNotPermitted`.
+
+ Implementations MAY choose to perform further validation of the
+ certificate content (e.g., checking expiry or enforcing specific formats).
+ In such cases, an implementation-specific Reason and Message MUST be set.
+
+ In all cases, the implementation MUST ensure that the `ResolvedRefs`
+ condition is set to `status: False` on all targeted listeners (i.e.,
+ listeners serving HTTPS on a matching port). The condition MUST
+ include a Reason and Message that indicate the cause of the error. If
+ ALL CACertificateRefs are invalid, the implementation MUST also ensure
+ the `Accepted` condition on the listener is set to `status: False`, with
+ the Reason `NoValidCACertificate`.
+ Implementations MAY choose to support attaching multiple CA certificates
+ to a listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap, with the
+ CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
@@ -4838,6 +5034,20 @@ spec:
maxItems: 16
type: array
x-kubernetes-list-type: atomic
+ attachedListenerSets:
+ description: |-
+ AttachedListenerSets represents the total number of ListenerSets that have been
+ successfully attached to this Gateway.
+
+ A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
+ - The ListenerSet is selected by the Gateway's AllowedListeners field
+ - The ListenerSet has a valid ParentRef selecting the Gateway
+ - The ListenerSet's status has the condition "Accepted: true"
+
+ Uses for this field include troubleshooting AttachedListenerSets attachment and
+ measuring blast radius/impact of changes to a Gateway.
+ format: int32
+ type: integer
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
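Review bot: `attachedListenerSets` is added as a plain `int32` count with no `minimum`, and its description ties the value to three conditions (selection by `AllowedListeners`, a valid ParentRef, and `Accepted: true` on the ListenerSet). If the provider does not compute the field, it will simply be absent from status, which is fine for an optional field, but the provider documentation should then say so, since the description invites operators to use the count for blast-radius assessment and a missing value reads as "no ListenerSets attached".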
@@ -4942,8 +5152,11 @@ spec:
attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set
- for Listeners with condition Accepted: false and MUST count successfully
- attached Routes that may themselves have Accepted: false conditions.
+ for Listeners, even if the Accepted condition of an individual Listener is set
+ to "False". The AttachedRoutes number represents the number of Routes with
+ the Accepted condition set to "True" that have been attached to this Listener.
+ Routes with any other value for the Accepted condition MUST NOT be included
+ in this count.
Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener.
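Review bot: the replaced lines invert the counting rule for `attachedRoutes`. The removed text required counting attached Routes even when they had `Accepted: false`; the new text counts only Routes whose Accepted condition is "True" and says all others MUST NOT be included. That is a behavioural change in status computation, not a wording fix, so the provider's status code should be updated in the same release, otherwise the CRD description and the numbers users see in `status.listeners[].attachedRoutes` will disagree. Worth a changelog line as well, because dashboards or alerts built on this count will shift.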
@@ -5022,7 +5235,7 @@ spec:
supportedKinds:
description: |-
SupportedKinds is the list indicating the Kinds supported by this
- listener. This MUST represent the kinds an implementation supports for
+ listener. This MUST represent the kinds supported by an implementation for
that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT
@@ -5056,7 +5269,6 @@ spec:
- attachedRoutes
- conditions
- name
- - supportedKinds
type: object
maxItems: 64
type: array
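Review bot: dropping `supportedKinds` from the `required` list of the listener status object means the field is now optional on read. Anything in the provider or its tests that assumes the field is always present should tolerate its absence, and the provider should still populate it, since the unchanged description a few hunks up says it MUST represent the kinds supported for that Listener configuration.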
@@ -5085,8 +5297,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: grpcroutes.gateway.networking.k8s.io
spec:
@@ -5628,10 +5840,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
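Review bot: the new `pattern: ^[!-~]+([\t ]?[!-~]+)*$` on header match values is stricter than the previous length-only check. It rejects leading or trailing whitespace, two or more consecutive tabs or spaces, and any byte outside printable US-ASCII, which matches the description text but means an existing HTTPRoute or GRPCRoute whose header match value contains, say, a double space or a non-ASCII character will fail admission the next time it is applied after the CRD upgrade. This same hunk is repeated for every header-match and header-modifier schema in both channels, so the migration notes for the v1.5.1 CRD update should mention it once rather than leaving users to discover it from a validation error.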
@@ -5703,10 +5919,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5911,10 +6131,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5986,10 +6210,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6280,10 +6508,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6354,10 +6586,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6561,10 +6797,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6635,10 +6875,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6789,8 +7033,8 @@ spec:
- method:
type: Exact
service: "foo"
- headers:
- - name: "version"
+ - headers:
+ name: "version"
value "v1"
```
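Review bot: the rewritten example is not valid against the GRPCRoute schema. `headers` is a list of header matches, so `name`/`value` need to be a list item under it (`- name: "version"`), and making `- headers:` a separate list entry also changes the meaning from one match requiring both method and header to two independent matches. Independently of this change, `value "v1"` is missing its colon in both the old and the new text. As this is generated upstream CRD content the fix belongs in the upstream Go doc comment rather than in this file, but it is worth reporting so the next regeneration picks it up.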
@@ -6977,7 +7221,7 @@ spec:
default: Cookie
description: |-
Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
+ the use of a header or cookie. Defaults to cookie based session
persistence.
Support: Core for "Cookie" type
@@ -6993,6 +7237,8 @@ spec:
is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
|| self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ - message: cookieConfig can only be set with type Cookie
+ rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
type: object
maxItems: 16
type: array
@@ -7084,7 +7330,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -7334,8 +7580,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: httproutes.gateway.networking.k8s.io
spec:
@@ -7815,7 +8061,7 @@ spec:
AllowHeaders indicates which HTTP request headers are supported for
accessing the requested resource.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Allow-Headers`
response header are separated by a comma (",").
@@ -7834,18 +8080,21 @@ spec:
client side.
A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowHeaders and the request is
+ not credentialed, the `Access-Control-Allow-Headers` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Headers from the request.
- When the `AllowCredentials` field is true and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Headers` response header. When
+ also the `AllowCredentials` field is true and `AllowHeaders` field
+ is specified with the `*` wildcard, the gateway must specify one or more
HTTP headers in the value of the `Access-Control-Allow-Headers` response
header. The value of the header `Access-Control-Allow-Headers` is same as
the `Access-Control-Request-Headers` header provided by the client. If
the header `Access-Control-Request-Headers` is not included in the
request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ response header, instead of specifying the `*` wildcard.
Support: Extended
items:
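Review bot: the substantive change here is the removed sentence allowing implementation-specific default headers, replaced by a firm rule: for a credentialed request the gateway must never answer `*` in `Access-Control-Allow-Headers`, and when `allowHeaders` contains `*` it must echo the client's `Access-Control-Request-Headers` or omit the response header entirely if that request header is absent. The provider's CORS filter should be checked for exactly those two branches (echo, and omit rather than `*`), since a gateway that still emits `*` on credentialed responses will be rejected by browsers and one that emits a default list would now be non-conforming.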
@@ -7869,6 +8118,10 @@ spec:
maxItems: 64
type: array
x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowHeaders cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
allowMethods:
description: |-
AllowMethods indicates which HTTP methods are supported for accessing the
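Review bot: the validation message reads "AllowHeaders cannot contain '*' alongside other methods", but the rule is attached to `allowHeaders`, so it should say "other headers"; the text was evidently copied from the `allowMethods` rule. The CEL expression itself, `!('*' in self && self.size() > 1)`, is correct. The same message appears in the standard-channel copy of the CRD further down, so both should be fixed upstream together.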
@@ -7877,7 +8130,7 @@ spec:
Valid values are any method defined by RFC9110, along with the special
value `*`, which represents all HTTP methods are allowed.
- Method names are case sensitive, so these values are also case-sensitive.
+ Method names are case-sensitive, so these values are also case-sensitive.
(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
Multiple method names in the value of the `Access-Control-Allow-Methods`
@@ -7897,18 +8150,21 @@ spec:
`Access-Control-Allow-Methods`, it will present an error on the client
side.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowMethods and the request is
+ not credentialed, the `Access-Control-Allow-Methods` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Method from the request.
- When the `AllowCredentials` field is true and `AllowMethods` field
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Methods` response header. When
+ also the `AllowCredentials` field is true and `AllowMethods` field
specified with the `*` wildcard, the gateway must specify one HTTP method
in the value of the Access-Control-Allow-Methods response header. The
value of the header `Access-Control-Allow-Methods` is same as the
`Access-Control-Request-Method` header provided by the client. If the
header `Access-Control-Request-Method` is not included in the request,
the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -7975,10 +8231,19 @@ spec:
the CORS headers. The cross-origin request fails on the client side.
Therefore, the client doesn't attempt the actual cross-origin request.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ Conversely, if the request `Origin` matches one of the configured
+ allowed origins, the gateway sets the response header
+ `Access-Control-Allow-Origin` to the same value as the `Origin`
+ header provided by the client.
- When the `AllowCredentials` field is true and `AllowOrigins` field
+ When config has the wildcard ("*") in allowOrigins, and the request
+ is not credentialed (e.g., it is a preflight request), the
+ `Access-Control-Allow-Origin` response header either contains the
+ wildcard as well or the Origin from the request.
+
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Origin` response header. When
+ also the `AllowCredentials` field is true and `AllowOrigins` field
specified with the `*` wildcard, the gateway must return a single origin
in the value of the `Access-Control-Allow-Origin` response header,
instead of specifying the `*` wildcard. The value of the header
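Review bot: the new paragraphs spell out that with `*` in `allowOrigins` the gateway reflects the request `Origin` into `Access-Control-Allow-Origin`, and that for a credentialed request with `AllowCredentials: true` it must return that single reflected origin instead of `*`. That is the conforming behaviour, but the combination `allowOrigins: ["*"]` plus `allowCredentials: true` then grants credentialed cross-origin access to every origin, which is precisely what the browser rule against `*` with credentials exists to stop. The provider documentation for the CORS filter should call that combination out explicitly so users do not read "wildcard" as harmless. Also, the parenthetical "(e.g., it is a preflight request)" is slightly misleading as written, since preflight requests are never credentialed; that is upstream text, so a note to the upstream doc comment is the right place for it.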
@@ -7990,12 +8255,12 @@ spec:
description: |-
The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in RFC3986. The CORSOrigin MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character.
URIs that include an authority MUST include a fully qualified domain name or
IP address as the host.
maxLength: 253
minLength: 1
- pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$)
type: string
maxItems: 64
type: array
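Review bot: the tightened `pattern` now only admits `http` or `https` schemes (the description's "spiffe" example goes away accordingly) and newly admits a `*.` wildcard-subdomain prefix and a bare `*` host, neither of which the description above mentions; it still only says "a single '*' character". Two follow-ups: existing CORS configurations using any other scheme will be rejected on their next apply after the CRD upgrade, and a bracketed IPv6 literal cannot match the pattern (neither `[` nor `:` is in the host character class) even though the description speaks of "IP address as the host". Both are upstream issues, but the first belongs in the migration notes for the v1.5.1 CRD update.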
@@ -8026,14 +8291,18 @@ spec:
this additional header will be exposed as part of the response to the
client.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Expose-Headers`
response header are separated by a comma (",").
A wildcard indicates that the responses with all HTTP headers are exposed
to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+ use `*` wildcard as value when the request is not credentialed.
+
+ When the `exposeHeaders` config field contains the "*" wildcard and
+ the request is credentialed, the gateway cannot use the `*` wildcard in
+ the `Access-Control-Expose-Headers` response header.
Support: Extended
items:
@@ -8069,6 +8338,9 @@ spec:
The default value of `Access-Control-Max-Age` response header is 5
(seconds).
+
+ When the `MaxAge` field is unspecified, the gateway sets the response
+ header "Access-Control-Max-Age: 5" by default.
format: int32
minimum: 1
type: integer
@@ -8247,6 +8519,7 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -8285,6 +8558,7 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -8296,6 +8570,7 @@ spec:
except Authority or Host must be copied.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -8400,10 +8675,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8475,10 +8754,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8789,6 +9072,9 @@ spec:
enum:
- 301
- 302
+ - 303
+ - 307
+ - 308
type: integer
type: object
responseHeaderModifier:
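Review bot: adding 303, 307 and 308 to the `RequestRedirect` status-code enum changes what a Route can ask the provider for. 307 and 308 require the client to preserve the request method and body, while 303 converts the follow-up request to GET, so the provider's redirect implementation should be confirmed to pass these codes through unchanged rather than mapping them onto 301/302, and the provider docs should list which of the five are supported.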
@@ -8836,10 +9122,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8911,10 +9201,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -9058,6 +9352,11 @@ spec:
- type
type: object
x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type
+ is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.requestHeaderModifier must be nil
if the filter.type is not RequestHeaderModifier
rule: '!(has(self.requestHeaderModifier) && self.type
@@ -9101,11 +9400,6 @@ spec:
- message: filter.extensionRef must be specified for
ExtensionRef filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type
- is not CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.externalAuth must be nil if the filter.type
is not ExternalAuth
rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
@@ -9120,6 +9414,8 @@ spec:
or httpRouteFilterRequestRewrite, but not both
rule: '!(self.exists(f, f.type == ''RequestRedirect'')
&& self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
<= 1
@@ -9295,7 +9591,7 @@ spec:
AllowHeaders indicates which HTTP request headers are supported for
accessing the requested resource.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Allow-Headers`
response header are separated by a comma (",").
@@ -9314,18 +9610,21 @@ spec:
client side.
A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowHeaders and the request is
+ not credentialed, the `Access-Control-Allow-Headers` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Headers from the request.
- When the `AllowCredentials` field is true and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Headers` response header. When
+ also the `AllowCredentials` field is true and `AllowHeaders` field
+ is specified with the `*` wildcard, the gateway must specify one or more
HTTP headers in the value of the `Access-Control-Allow-Headers` response
header. The value of the header `Access-Control-Allow-Headers` is same as
the `Access-Control-Request-Headers` header provided by the client. If
the header `Access-Control-Request-Headers` is not included in the
request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ response header, instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -9349,6 +9648,10 @@ spec:
maxItems: 64
type: array
x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowHeaders cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
allowMethods:
description: |-
AllowMethods indicates which HTTP methods are supported for accessing the
@@ -9357,7 +9660,7 @@ spec:
Valid values are any method defined by RFC9110, along with the special
value `*`, which represents all HTTP methods are allowed.
- Method names are case sensitive, so these values are also case-sensitive.
+ Method names are case-sensitive, so these values are also case-sensitive.
(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
Multiple method names in the value of the `Access-Control-Allow-Methods`
@@ -9377,18 +9680,21 @@ spec:
`Access-Control-Allow-Methods`, it will present an error on the client
side.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowMethods and the request is
+ not credentialed, the `Access-Control-Allow-Methods` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Method from the request.
- When the `AllowCredentials` field is true and `AllowMethods` field
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Methods` response header. When
+ also the `AllowCredentials` field is true and `AllowMethods` field
specified with the `*` wildcard, the gateway must specify one HTTP method
in the value of the Access-Control-Allow-Methods response header. The
value of the header `Access-Control-Allow-Methods` is same as the
`Access-Control-Request-Method` header provided by the client. If the
header `Access-Control-Request-Method` is not included in the request,
the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -9455,10 +9761,19 @@ spec:
the CORS headers. The cross-origin request fails on the client side.
Therefore, the client doesn't attempt the actual cross-origin request.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ Conversely, if the request `Origin` matches one of the configured
+ allowed origins, the gateway sets the response header
+ `Access-Control-Allow-Origin` to the same value as the `Origin`
+ header provided by the client.
- When the `AllowCredentials` field is true and `AllowOrigins` field
+ When config has the wildcard ("*") in allowOrigins, and the request
+ is not credentialed (e.g., it is a preflight request), the
+ `Access-Control-Allow-Origin` response header either contains the
+ wildcard as well or the Origin from the request.
+
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Origin` response header. When
+ also the `AllowCredentials` field is true and `AllowOrigins` field
specified with the `*` wildcard, the gateway must return a single origin
in the value of the `Access-Control-Allow-Origin` response header,
instead of specifying the `*` wildcard. The value of the header
@@ -9470,12 +9785,12 @@ spec:
description: |-
The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in RFC3986. The CORSOrigin MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character.
URIs that include an authority MUST include a fully qualified domain name or
IP address as the host.
maxLength: 253
minLength: 1
- pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$)
type: string
maxItems: 64
type: array
@@ -9506,14 +9821,18 @@ spec:
this additional header will be exposed as part of the response to the
client.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Expose-Headers`
response header are separated by a comma (",").
A wildcard indicates that the responses with all HTTP headers are exposed
to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+ use `*` wildcard as value when the request is not credentialed.
+
+ When the `exposeHeaders` config field contains the "*" wildcard and
+ the request is credentialed, the gateway cannot use the `*` wildcard in
+ the `Access-Control-Expose-Headers` response header.
Support: Extended
items:
@@ -9549,6 +9868,9 @@ spec:
The default value of `Access-Control-Max-Age` response header is 5
(seconds).
+
+ When the `MaxAge` field is unspecified, the gateway sets the response
+ header "Access-Control-Max-Age: 5" by default.
format: int32
minimum: 1
type: integer
@@ -9727,6 +10049,7 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -9765,6 +10088,7 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -9776,6 +10100,7 @@ spec:
except Authority or Host must be copied.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -9877,10 +10202,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -9951,10 +10280,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10265,6 +10598,9 @@ spec:
enum:
- 301
- 302
+ - 303
+ - 307
+ - 308
type: integer
type: object
responseHeaderModifier:
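Review bot: extending the enum with `+ - 303`, `+ - 307`, `+ - 308` is fine, but 307 and 308 differ from 301/302 in that clients preserve the request method and body when following them, so a RequestRedirect that switches to one of these changes what arrives at the redirect target; the provider docs should state that these codes are passed through as configured and not remapped. Same for the identical enum hunks for the other API versions below.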
@@ -10311,10 +10647,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
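Review bot: this block sits under `responseHeaderModifier:` (see the context line just above the hunk), yet the added description still reads `Value is the value of HTTP Header to be matched.`; here the value is set or added to the response, not matched. That is an upstream docstring slip to report rather than patch locally, but it is worth noting that the new `pattern:` matters most in exactly this position, since rejecting CR and LF in a value that is written into a response header is what prevents header injection via the route spec.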
@@ -10385,10 +10725,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10532,6 +10876,11 @@ spec:
- type
type: object
x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type is not
+ CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.requestHeaderModifier must be nil if the
filter.type is not RequestHeaderModifier
rule: '!(has(self.requestHeaderModifier) && self.type !=
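Review bot: the two `filter.cors` rules added here are the same two removed a few hunks further down, so this is a reordering of the `x-kubernetes-validations` list, not a semantic change; please confirm the CRD files were regenerated from the upstream release rather than hand-edited, so the next regeneration does not flip the order back and produce a noisy diff.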
@@ -10572,11 +10921,6 @@ spec:
- message: filter.extensionRef must be specified for ExtensionRef
filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type is not
- CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.externalAuth must be nil if the filter.type
is not ExternalAuth
rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
@@ -10591,6 +10935,8 @@ spec:
or httpRouteFilterRequestRewrite, but not both
rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
<= 1
@@ -10722,10 +11068,14 @@ spec:
- RegularExpression
type: string
value:
- description: Value is the value of HTTP Header to
- be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10934,7 +11284,7 @@ spec:
For example, setting the `rules[].retry.backoff` field to the value
`100ms` will cause a backend request to first be retried approximately
100 milliseconds after timing out or receiving a response code configured
- to be retryable.
+ to be retriable.
An implementation MAY use an exponential or alternative backoff strategy
for subsequent retry attempts, MAY cap the maximum backoff duration to
@@ -10977,7 +11327,7 @@ spec:
HTTPRouteRetryStatusCode defines an HTTP response status code for
which a backend request should be retried.
- Implementations MUST support the following status codes as retryable:
+ Implementations MUST support the following status codes as retriable:
* 500
* 502
@@ -11068,7 +11418,7 @@ spec:
default: Cookie
description: |-
Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
+ the use of a header or cookie. Defaults to cookie based session
persistence.
Support: Core for "Cookie" type
@@ -11084,6 +11434,8 @@ spec:
is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
|| self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ - message: cookieConfig can only be set with type Cookie
+ rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
timeouts:
description: |-
Timeouts defines the timeouts that can be configured for an HTTP request.
@@ -11188,6 +11540,7 @@ spec:
!= 1 || !has(self.matches[0].path) || self.matches[0].path.type
!= ''PathPrefix'') ? false : true) : true'
maxItems: 16
+ minItems: 1
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
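Review bot: `+ minItems: 1` next to the existing `maxItems: 16` is another validation tightening that only surfaces on update: an object already stored with an empty list here will be rejected the next time it is written, so the migration notes should say so and suggest that users check for empty lists before upgrading the CRDs. Same for the identical hunk for the other API version below.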
@@ -11271,7 +11624,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -11973,7 +12326,7 @@ spec:
AllowHeaders indicates which HTTP request headers are supported for
accessing the requested resource.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Allow-Headers`
response header are separated by a comma (",").
@@ -11992,18 +12345,21 @@ spec:
client side.
A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowHeaders and the request is
+ not credentialed, the `Access-Control-Allow-Headers` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Headers from the request.
- When the `AllowCredentials` field is true and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Headers` response header. When
+ also the `AllowCredentials` field is true and `AllowHeaders` field
+ is specified with the `*` wildcard, the gateway must specify one or more
HTTP headers in the value of the `Access-Control-Allow-Headers` response
header. The value of the header `Access-Control-Allow-Headers` is same as
the `Access-Control-Request-Headers` header provided by the client. If
the header `Access-Control-Request-Headers` is not included in the
request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ response header, instead of specifying the `*` wildcard.
Support: Extended
items:
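Review bot: besides restating the wildcard rule in terms of credentialed requests, this hunk drops the sentence `A Gateway implementation may choose to add implementation-specific default headers.`, which removes the latitude an implementation had to inject headers beyond those the client requested; if the provider currently adds any defaults to `Access-Control-Allow-Headers`, that behaviour is now outside the spec text and should be reviewed. The same sentence is dropped for `Access-Control-Allow-Methods` in the hunk below.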
@@ -12027,6 +12383,10 @@ spec:
maxItems: 64
type: array
x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowHeaders cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
allowMethods:
description: |-
AllowMethods indicates which HTTP methods are supported for accessing the
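Review bot: the new validation `+ rule: '!(''*'' in self && self.size() > 1)'` is correct for allowHeaders, but its message says `AllowHeaders cannot contain '*' alongside other methods`; the list holds header names, so the message should read "other headers". This looks copied from the allowMethods rule and should go upstream as a fix; the same message appears in the identical hunks for the other API versions.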
@@ -12035,7 +12395,7 @@ spec:
Valid values are any method defined by RFC9110, along with the special
value `*`, which represents all HTTP methods are allowed.
- Method names are case sensitive, so these values are also case-sensitive.
+ Method names are case-sensitive, so these values are also case-sensitive.
(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
Multiple method names in the value of the `Access-Control-Allow-Methods`
@@ -12055,18 +12415,21 @@ spec:
`Access-Control-Allow-Methods`, it will present an error on the client
side.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowMethods and the request is
+ not credentialed, the `Access-Control-Allow-Methods` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Method from the request.
- When the `AllowCredentials` field is true and `AllowMethods` field
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Methods` response header. When
+ also the `AllowCredentials` field is true and `AllowMethods` field
specified with the `*` wildcard, the gateway must specify one HTTP method
in the value of the Access-Control-Allow-Methods response header. The
value of the header `Access-Control-Allow-Methods` is same as the
`Access-Control-Request-Method` header provided by the client. If the
header `Access-Control-Request-Method` is not included in the request,
the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -12133,10 +12496,19 @@ spec:
the CORS headers. The cross-origin request fails on the client side.
Therefore, the client doesn't attempt the actual cross-origin request.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ Conversely, if the request `Origin` matches one of the configured
+ allowed origins, the gateway sets the response header
+ `Access-Control-Allow-Origin` to the same value as the `Origin`
+ header provided by the client.
- When the `AllowCredentials` field is true and `AllowOrigins` field
+ When config has the wildcard ("*") in allowOrigins, and the request
+ is not credentialed (e.g., it is a preflight request), the
+ `Access-Control-Allow-Origin` response header either contains the
+ wildcard as well or the Origin from the request.
+
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Origin` response header. When
+ also the `AllowCredentials` field is true and `AllowOrigins` field
specified with the `*` wildcard, the gateway must return a single origin
in the value of the `Access-Control-Allow-Origin` response header,
instead of specifying the `*` wildcard. The value of the header
@@ -12148,12 +12520,12 @@ spec:
description: |-
The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in RFC3986. The CORSOrigin MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character.
URIs that include an authority MUST include a fully qualified domain name or
IP address as the host.
maxLength: 253
minLength: 1
- pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$)
type: string
maxItems: 64
type: array
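Review bot: the new `+ pattern:` line narrows the scheme to `http`/`https` (consistent with dropping "spiffe" from the description), but it also admits two forms the description never mentions: `https://*` (any host over https) and a `*.` prefix for wildcard-subdomain origins. Both widen an origin allow-list silently, so the description should list them and the provider docs should say whether Traefik honours wildcard subdomains and how a bare `http(s)://*` is treated for credentialed requests. Minor: the port group `[0-9]{1,5}` still accepts values above 65535. The identical pattern hunk for the other API version below has the same points.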
@@ -12184,14 +12556,18 @@ spec:
this additional header will be exposed as part of the response to the
client.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Expose-Headers`
response header are separated by a comma (",").
A wildcard indicates that the responses with all HTTP headers are exposed
to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+ use `*` wildcard as value when the request is not credentialed.
+
+ When the `exposeHeaders` config field contains the "*" wildcard and
+ the request is credentialed, the gateway cannot use the `*` wildcard in
+ the `Access-Control-Expose-Headers` response header.
Support: Extended
items:
@@ -12227,6 +12603,9 @@ spec:
The default value of `Access-Control-Max-Age` response header is 5
(seconds).
+
+ When the `MaxAge` field is unspecified, the gateway sets the response
+ header "Access-Control-Max-Age: 5" by default.
format: int32
minimum: 1
type: integer
@@ -12405,6 +12784,7 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -12443,6 +12823,7 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -12454,6 +12835,7 @@ spec:
except Authority or Host must be copied.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -12558,10 +12940,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12633,10 +13019,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12947,6 +13337,9 @@ spec:
enum:
- 301
- 302
+ - 303
+ - 307
+ - 308
type: integer
type: object
responseHeaderModifier:
@@ -12994,10 +13387,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13069,10 +13466,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP
- Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13216,6 +13617,11 @@ spec:
- type
type: object
x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type
+ is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.requestHeaderModifier must be nil
if the filter.type is not RequestHeaderModifier
rule: '!(has(self.requestHeaderModifier) && self.type
@@ -13259,11 +13665,6 @@ spec:
- message: filter.extensionRef must be specified for
ExtensionRef filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type
- is not CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.externalAuth must be nil if the filter.type
is not ExternalAuth
rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
@@ -13278,6 +13679,8 @@ spec:
or httpRouteFilterRequestRewrite, but not both
rule: '!(self.exists(f, f.type == ''RequestRedirect'')
&& self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
<= 1
@@ -13453,7 +13856,7 @@ spec:
AllowHeaders indicates which HTTP request headers are supported for
accessing the requested resource.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Allow-Headers`
response header are separated by a comma (",").
@@ -13472,18 +13875,21 @@ spec:
client side.
A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowHeaders and the request is
+ not credentialed, the `Access-Control-Allow-Headers` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Headers from the request.
- When the `AllowCredentials` field is true and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Headers` response header. When
+ also the `AllowCredentials` field is true and `AllowHeaders` field
+ is specified with the `*` wildcard, the gateway must specify one or more
HTTP headers in the value of the `Access-Control-Allow-Headers` response
header. The value of the header `Access-Control-Allow-Headers` is same as
the `Access-Control-Request-Headers` header provided by the client. If
the header `Access-Control-Request-Headers` is not included in the
request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ response header, instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -13507,6 +13913,10 @@ spec:
maxItems: 64
type: array
x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowHeaders cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
allowMethods:
description: |-
AllowMethods indicates which HTTP methods are supported for accessing the
@@ -13515,7 +13925,7 @@ spec:
Valid values are any method defined by RFC9110, along with the special
value `*`, which represents all HTTP methods are allowed.
- Method names are case sensitive, so these values are also case-sensitive.
+ Method names are case-sensitive, so these values are also case-sensitive.
(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
Multiple method names in the value of the `Access-Control-Allow-Methods`
@@ -13535,18 +13945,21 @@ spec:
`Access-Control-Allow-Methods`, it will present an error on the client
side.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ If config contains the wildcard "*" in allowMethods and the request is
+ not credentialed, the `Access-Control-Allow-Methods` response header
+ can either use the `*` wildcard or the value of
+ Access-Control-Request-Method from the request.
- When the `AllowCredentials` field is true and `AllowMethods` field
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Methods` response header. When
+ also the `AllowCredentials` field is true and `AllowMethods` field
specified with the `*` wildcard, the gateway must specify one HTTP method
in the value of the Access-Control-Allow-Methods response header. The
value of the header `Access-Control-Allow-Methods` is same as the
`Access-Control-Request-Method` header provided by the client. If the
header `Access-Control-Request-Method` is not included in the request,
the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ instead of specifying the `*` wildcard.
Support: Extended
items:
@@ -13613,10 +14026,19 @@ spec:
the CORS headers. The cross-origin request fails on the client side.
Therefore, the client doesn't attempt the actual cross-origin request.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is false or omitted.
+ Conversely, if the request `Origin` matches one of the configured
+ allowed origins, the gateway sets the response header
+ `Access-Control-Allow-Origin` to the same value as the `Origin`
+ header provided by the client.
- When the `AllowCredentials` field is true and `AllowOrigins` field
+ When config has the wildcard ("*") in allowOrigins, and the request
+ is not credentialed (e.g., it is a preflight request), the
+ `Access-Control-Allow-Origin` response header either contains the
+ wildcard as well or the Origin from the request.
+
+ When the request is credentialed, the gateway must not specify the `*`
+ wildcard in the `Access-Control-Allow-Origin` response header. When
+ also the `AllowCredentials` field is true and `AllowOrigins` field
specified with the `*` wildcard, the gateway must return a single origin
in the value of the `Access-Control-Allow-Origin` response header,
instead of specifying the `*` wildcard. The value of the header
@@ -13628,12 +14050,12 @@ spec:
description: |-
The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in RFC3986. The CORSOrigin MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character.
URIs that include an authority MUST include a fully qualified domain name or
IP address as the host.
maxLength: 253
minLength: 1
- pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$)
type: string
maxItems: 64
type: array
@@ -13664,14 +14086,18 @@ spec:
this additional header will be exposed as part of the response to the
client.
- Header names are not case sensitive.
+ Header names are not case-sensitive.
Multiple header names in the value of the `Access-Control-Expose-Headers`
response header are separated by a comma (",").
A wildcard indicates that the responses with all HTTP headers are exposed
to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+ use `*` wildcard as value when the request is not credentialed.
+
+ When the `exposeHeaders` config field contains the "*" wildcard and
+ the request is credentialed, the gateway cannot use the `*` wildcard in
+ the `Access-Control-Expose-Headers` response header.
Support: Extended
items:
@@ -13707,6 +14133,9 @@ spec:
The default value of `Access-Control-Max-Age` response header is 5
(seconds).
+
+ When the `MaxAge` field is unspecified, the gateway sets the response
+ header "Access-Control-Max-Age: 5" by default.
format: int32
minimum: 1
type: integer
@@ -13885,6 +14314,7 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -13923,6 +14353,7 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -13934,6 +14365,7 @@ spec:
except Authority or Host must be copied.
items:
type: string
+ maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -14035,10 +14467,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14109,10 +14545,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14423,6 +14863,9 @@ spec:
enum:
- 301
- 302
+ - 303
+ - 307
+ - 308
type: integer
type: object
responseHeaderModifier:
@@ -14469,10 +14912,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14543,10 +14990,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: Value is the value of HTTP Header
- to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14690,6 +15141,11 @@ spec:
- type
type: object
x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type is not
+ CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.requestHeaderModifier must be nil if the
filter.type is not RequestHeaderModifier
rule: '!(has(self.requestHeaderModifier) && self.type !=
@@ -14730,11 +15186,6 @@ spec:
- message: filter.extensionRef must be specified for ExtensionRef
filter.type
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type is not
- CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- message: filter.externalAuth must be nil if the filter.type
is not ExternalAuth
rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
@@ -14749,6 +15200,8 @@ spec:
or httpRouteFilterRequestRewrite, but not both
rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
<= 1
@@ -14880,10 +15333,14 @@ spec:
- RegularExpression
type: string
value:
- description: Value is the value of HTTP Header to
- be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096
minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -15092,7 +15549,7 @@ spec:
For example, setting the `rules[].retry.backoff` field to the value
`100ms` will cause a backend request to first be retried approximately
100 milliseconds after timing out or receiving a response code configured
- to be retryable.
+ to be retriable.
An implementation MAY use an exponential or alternative backoff strategy
for subsequent retry attempts, MAY cap the maximum backoff duration to
@@ -15135,7 +15592,7 @@ spec:
HTTPRouteRetryStatusCode defines an HTTP response status code for
which a backend request should be retried.
- Implementations MUST support the following status codes as retryable:
+ Implementations MUST support the following status codes as retriable:
* 500
* 502
@@ -15226,7 +15683,7 @@ spec:
default: Cookie
description: |-
Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
+ the use of a header or cookie. Defaults to cookie based session
persistence.
Support: Core for "Cookie" type
@@ -15242,6 +15699,8 @@ spec:
is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
|| self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ - message: cookieConfig can only be set with type Cookie
+ rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
timeouts:
description: |-
Timeouts defines the timeouts that can be configured for an HTTP request.
@@ -15346,6 +15805,7 @@ spec:
!= 1 || !has(self.matches[0].path) || self.matches[0].path.type
!= ''PathPrefix'') ? false : true) : true'
maxItems: 16
+ minItems: 1
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
@@ -15429,7 +15889,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -15673,14 +16133,798 @@ status:
storedVersions: null
---
#
+# config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
+ gateway.networking.k8s.io/channel: experimental
+ name: listenersets.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: ListenerSet
+ listKind: ListenerSetList
+ plural: listenersets
+ shortNames:
+ - lset
+ singular: listenerset
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ This resource provides a mechanism to merge multiple listeners into a single Gateway.
+
+ The parent Gateway must explicitly allow ListenerSet attachment through its
+ AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+ attachment.
+
+ Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+ optionally target specific listeners using the sectionName field.
+
+ Policy Attachment:
+ - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+ - Policies do not impact listeners in the parent Gateway
+ - Different ListenerSets attached to the same Gateway can have different policies
+ - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+
+ ReferenceGrant Semantics:
+ - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+ - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+ - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+
+ Gateway Integration:
+ - The parent Gateway's status will include "AttachedListenerSets"
+ which is the count of ListenerSets that have successfully attached to a Gateway
+ A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
+ - The ListenerSet is selected by the Gateway's AllowedListeners field
+ - The ListenerSet has a valid ParentRef selecting the Gateway
+ - The ListenerSet's status has the condition "Accepted: true"
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ListenerSet.
+ properties:
+ listeners:
+ description: |-
+ Listeners associated with this ListenerSet. Listeners define
+ logical endpoints that are bound on this referenced parent Gateway's addresses.
+
+ Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+ as a list when programming the underlying infrastructure. Each listener
+ name does not need to be unique across the Gateway and ListenerSets.
+ See ListenerEntry.Name for more details.
+
+ Implementations MUST treat the parent Gateway as having the merged
+ list of all listeners from itself and attached ListenerSets using
+ the following precedence:
+
+ 1. "parent" Gateway
+ 2. ListenerSet ordered by creation time (oldest first)
+ 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+
+ An implementation MAY reject listeners by setting the ListenerEntryStatus
+ `Accepted` condition to False with the Reason `TooManyListeners`
+
+ If a listener has a conflict, this will be reported in the
+ Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+
+ Implementations SHOULD be cautious about what information from the
+ parent or siblings are reported to avoid accidentally leaking
+ sensitive information that the child would not otherwise have access
+ to. This can include contents of secrets etc.
+ items:
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+ properties:
+ kinds:
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaces:
+ default:
+ from: Same
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
+ properties:
+ from:
+ default: Same
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ ListenerSet.
+
+ Name is not required to be unique across a Gateway and ListenerSets.
+ Routes can attach to a Listener by having a ListenerSet as a parentRef
+ and setting the SectionName
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: Protocol specifies the network protocol this listener
+ expects to receive.
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in ListenerTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+ properties:
+ certificateRefs:
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: atomic
+ mode:
+ default: Terminate
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 || size(self.options) > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: tls mode must be set for protocol TLS
+ rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode)
+ && l.tls.mode != '''' : true))'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port)
+ && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname)
+ && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname)
+ && !has(l2.hostname))))'
+ parentRef:
+ description: ParentRef references the Gateway that the listeners are
+ attached to.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: Kind is kind of the referent. For example "Gateway".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. If not present,
+ the namespace of the referent is assumed to be the same as
+ the namespace of the referring object.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - listeners
+ - parentRef
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of ListenerSet.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions describe the current conditions of the ListenerSet.
+
+ Implementations MUST express ListenerSet conditions using the
+ `ListenerSetConditionType` and `ListenerSetConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe ListenerSet state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners, even if the Accepted condition of an individual Listener is set
+ to "False". The AttachedRoutes number represents the number of Routes with
+ the Accepted condition set to "True" that have been attached to this Listener.
+ Routes with any other value for the Accepted condition MUST NOT be included
+ in this count.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds supported by an implementation for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: referencegrants.gateway.networking.k8s.io
spec:
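Review bot: the new ListenerSet CRD is tagged `gateway.networking.k8s.io/channel: experimental` and its default status is `Accepted: Unknown` / `Programmed: Unknown` with the message `Waiting for controller`, so if the provider in this release does not reconcile `listenersets`, the provider documentation and RBAC should say so explicitly; otherwise users who apply the experimental bundle will see ListenerSet objects sit in `Pending` indefinitely and may assume attachment is silently failing. The schema text also makes the Gateway's `AllowedListeners` gate the only thing standing between a ListenerSet in another namespace and the parent Gateway's addresses, and states that ReferenceGrants are not inherited in either direction, which is worth a sentence in the provider docs if the resource is supported. Separately, the CEL validation message `Listener name must be unique within the Gateway` on the `listeners` list contradicts the `name` field description (`This name MUST be unique within a ListenerSet` and `not required to be unique across a Gateway and ListenerSets`); since this file mirrors the upstream v1.5.1 bundle, that wording belongs in an upstream issue rather than a local edit, but flagging it avoids readers taking it for a Traefik constraint.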
@@ -15696,6 +16940,169 @@ spec:
singular: referencegrant
scope: Namespaced
versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ReferenceGrant identifies kinds of resources in other namespaces that are
+ trusted to reference the specified kinds of resources in the same namespace
+ as the policy.
+
+ Each ReferenceGrant can be used to represent a unique trust relationship.
+ Additional Reference Grants can be used to add to the set of trusted
+ sources of inbound references for the namespace they are defined within.
+
+ All cross-namespace references in Gateway API (with the exception of cross-namespace
+ Gateway-route attachment) require a ReferenceGrant.
+
+ ReferenceGrant is a form of runtime verification allowing users to assert
+ which cross-namespace object references are permitted. Implementations that
+ support ReferenceGrant MUST NOT permit cross-namespace references which have
+ no grant, and MUST respond to the removal of a grant by revoking the access
+ that the grant allowed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ReferenceGrant.
+ properties:
+ from:
+ description: |-
+ From describes the trusted namespaces and kinds that can reference the
+ resources described in "To". Each entry in this list MUST be considered
+ to be an additional place that references can be valid from, or to put
+ this another way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: ReferenceGrantFrom describes trusted namespaces and
+ kinds.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field.
+
+ When used to permit a SecretObjectReference:
+
+ * Gateway
+
+ When used to permit a BackendObjectReference:
+
+ * GRPCRoute
+ * HTTPRoute
+ * TCPRoute
+ * TLSRoute
+ * UDPRoute
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - namespace
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ To describes the resources that may be referenced by the resources
+ described in "From". Each entry in this list MUST be considered to be an
+ additional place that references can be valid to, or to put this another
+ way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: |-
+ ReferenceGrantTo describes what Kinds are allowed as targets of the
+ references.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field:
+
+ * Secret when used to permit a SecretObjectReference
+ * Service when used to permit a BackendObjectReference
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent. When unspecified, this policy
+ refers to all resources of the specified Group and Kind in the local
+ namespace.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - from
+ - to
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources: {}
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
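Review bot: the added `v1` entry for ReferenceGrant is `served: true` but `storage: false`, so the pre-existing version entry that follows stays the storage version and the API server converts between the two; that is fine while both schemas are identical and no `conversion` stanza is needed, but please confirm which version the provider's informers list and watch, and name it in the provider docs and RBAC, because a watch on a version that is not served fails outright and the `spec` description here requires an implementation to refuse cross-namespace references that have no grant and to revoke access as soon as a grant is removed.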
@@ -15873,8 +17280,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: tcproutes.gateway.networking.k8s.io
spec:
@@ -16383,7 +17790,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -16633,8 +18040,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: tlsroutes.gateway.networking.k8s.io
spec:
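Review bot: the unchanged context line `gateway.networking.k8s.io/channel: experimental` on the tlsroutes CRD shows this file tracks the experimental channel bundle even though a `v1` TLSRoute version is added below; the migration notes should state which upstream bundle this file corresponds to, because installing the experimental CRDs also serves alpha APIs such as the `tcproutes` CRD above, which a cluster that only needs TLSRoute may not want exposed.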
@@ -16652,7 +18059,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- name: v1alpha2
+ name: v1
schema:
openAPIV3Schema:
description: |-
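Review bot: renaming the first version entry from `v1alpha2` to `v1` (with `v1alpha2` re-added as a deprecated entry and `v1` becoming `storage: true` later in the patch) means objects already stored as `v1alpha2` will be read back as `v1`; no `conversion` stanza appears in the diff, so this relies on the default `None` strategy, which only rewrites `apiVersion` and requires the two schemas to stay field-compatible. Please confirm that holds for every field, and state in the migration notes that existing TLSRoute objects do not need to be re-created, only their manifests' `apiVersion` updated.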
@@ -16662,6 +18069,781 @@ spec:
If you need to forward traffic to a single target for a TLS listener, you
could choose to use a TCPRoute with a TLS listener.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of TLSRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of SNI hostnames that should match against the
+ SNI attribute of TLS ClientHello message in TLS handshake. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed in SNI hostnames per RFC 6066.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: Hostnames cannot contain an IP
+ rule: self.all(h, !isIP(h))
+ - message: Hostnames must be valid based on RFC-1123
+ rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')
+ : true)'
+ - message: Wildcards on hostnames must be the first label, and the
+ rest of hostname must be valid based on RFC-1123
+ rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') &&
+ h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$''))
+ : true)'
+ parentRefs:
+ description: |-
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ description: Rules are a list of actions.
+ items:
+ description: TLSRouteRule is the configuration for a given rule.
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent. If unspecified or invalid (refers to a nonexistent resource or
+ a Service with no endpoints), the rule performs no forwarding; if no
+ filters are specified that would result in a response being sent, the
+ underlying implementation must actively reject request attempts to this
+ backend, by rejecting the connection. Request rejections must respect
+ weight; if an invalid backend is requested to have 80% of requests, then
+ 80% of requests must be rejected instead.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Extended
+ items:
+ description: |-
+ BackendRef defines how a Route should forward a request to a Kubernetes
+ resource.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ Note that when the BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here. See the fields
+ where this struct is used for more information about the exact behavior.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ description: Name is the name of the route rule. This name MUST
+ be unique within a Route if it is set.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - backendRefs
+ type: object
+ maxItems: 1
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
+ required:
+ - hostnames
+ - rules
+ type: object
+ status:
+ description: Status defines the current state of TLSRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a nonexistent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace to which the controller does not have access.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - conditions
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will
+ be removed in a future release of the API. Please upgrade to v1.
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: |-
+ The TLSRoute resource is similar to TCPRoute, but can be configured
+ to match against TLS-specific metadata. This allows more flexibility
+ in matching streams for a given TLS listener.
properties:
apiVersion:
description: |-
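Review bot: `useDefaultGateways` (enum `All`/`None`) appears in this `v1` schema and its own description warns that the set of default Gateways can change without notice and that a Route with specific security requirements should almost certainly not use one; the provider documentation should state whether this provider honours the field, because a Route that relies on it and carries no `parentRefs` has nothing else to attach to, and on a provider that does honour it the Route can attach to a shared Gateway the author never named. Two further schema facts worth a line in the docs: `rules` has `maxItems: 1`, so a TLSRoute carries exactly one rule, and the backend `kind` text says implementations SHOULD NOT support ExternalName Services (CVE-2021-25740), so the provider's behaviour for such backends should be stated explicitly.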
@@ -16989,10 +19171,9 @@ spec:
a Service with no endpoints), the rule performs no forwarding; if no
filters are specified that would result in a response being sent, the
underlying implementation must actively reject request attempts to this
- backend, by rejecting the connection or returning a 500 status code.
- Request rejections must respect weight; if an invalid backend is
- requested to have 80% of requests, then 80% of requests must be rejected
- instead.
+ backend, by rejecting the connection. Request rejections must respect
+ weight; if an invalid backend is requested to have 80% of requests, then
+ 80% of requests must be rejected instead.
Support: Core for Kubernetes Service
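Review bot: the reworded description now requires an unresolvable backend to be handled "by rejecting the connection" only, with the "or returning a 500 status code" alternative dropped, which is the correct reading for a TLS-level route where no HTTP response exists. Please confirm the provider's handling of a TLSRoute rule whose backendRef cannot be resolved closes the client connection (still honouring the weight rule in the same paragraph: an invalid backend weighted at 80% must reject 80% of attempts) rather than falling through to an HTTP-style error, and add a test for that case if one does not exist.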
@@ -17123,10 +19304,8 @@ spec:
type: array
x-kubernetes-list-type: atomic
name:
- description: |-
- Name is the name of the route rule. This name MUST be unique within a Route if it is set.
-
- Support: Extended
+ description: Name is the name of the route rule. This name MUST
+ be unique within a Route if it is set.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -17207,7 +19386,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -17447,6 +19626,9 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ deprecated: true
+ deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will
+ be removed in a future release of the API. Please upgrade to v1.
name: v1alpha3
schema:
openAPIV3Schema:
@@ -17487,32 +19669,6 @@ spec:
1. IPs are not allowed in SNI hostnames per RFC 6066.
2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
label must appear by itself as the first label.
-
- If a hostname is specified by both the Listener and TLSRoute, there
- must be at least one intersecting hostname for the TLSRoute to be
- attached to the Listener. For example:
-
- * A Listener with `test.example.com` as the hostname matches TLSRoutes
- that have specified at least one of `test.example.com` or
- `*.example.com`.
- * A Listener with `*.example.com` as the hostname matches TLSRoutes
- that have specified at least one hostname that matches the Listener
- hostname. For example, `test.example.com` and `*.example.com` would both
- match. On the other hand, `example.com` and `test.example.net` would not
- match.
-
- If both the Listener and TLSRoute have specified hostnames, any
- TLSRoute hostnames that do not match the Listener hostname MUST be
- ignored. For example, if a Listener specified `*.example.com`, and the
- TLSRoute specified `test.example.com` and `test.example.net`,
- `test.example.net` must not be considered for a match.
-
- If both the Listener and TLSRoute have specified hostnames, and none
- match with the criteria above, then the TLSRoute is not accepted. The
- implementation must raise an 'Accepted' Condition with a status of
- `False` in the corresponding RouteParentStatus.
-
- Support: Core
items:
description: |-
Hostname is the fully qualified domain name of a network host. This matches
@@ -17537,6 +19693,17 @@ spec:
minItems: 1
type: array
x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: Hostnames cannot contain an IP
+ rule: self.all(h, !isIP(h))
+ - message: Hostnames must be valid based on RFC-1123
+ rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')
+ : true)'
+ - message: Wildcards on hostnames must be the first label, and the
+ rest of hostname must be valid based on RFC-1123
+ rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') &&
+ h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$''))
+ : true)'
parentRefs:
description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
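Review bot: the three `x-kubernetes-validations` rules added under `hostnames` (the `isIP(h)` check, the RFC-1123 regex and the `*.` wildcard rule) are compiled by the API server's CEL engine when the CRD is applied, and `isIP` is a Kubernetes CEL library function rather than core CEL, so the minimum Kubernetes version documented for the Gateway API provider should be checked against this CRD bundle: an apiserver that does not know the function rejects the CRD at apply time rather than ignoring the rule. The regexes are in single-quoted YAML scalars, so `\\.` reaches CEL as `\.` as intended; no change needed there.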
@@ -17785,10 +19952,9 @@ spec:
a Service with no endpoints), the rule performs no forwarding; if no
filters are specified that would result in a response being sent, the
underlying implementation must actively reject request attempts to this
- backend, by rejecting the connection or returning a 500 status code.
- Request rejections must respect weight; if an invalid backend is
- requested to have 80% of requests, then 80% of requests must be rejected
- instead.
+ backend, by rejecting the connection. Request rejections must respect
+ weight; if an invalid backend is requested to have 80% of requests, then
+ 80% of requests must be rejected instead.
Support: Core for Kubernetes Service
@@ -17919,10 +20085,8 @@ spec:
type: array
x-kubernetes-list-type: atomic
name:
- description: |-
- Name is the name of the route rule. This name MUST be unique within a Route if it is set.
-
- Support: Extended
+ description: Name is the name of the route rule. This name MUST
+ be unique within a Route if it is set.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -17934,10 +20098,6 @@ spec:
minItems: 1
type: array
x-kubernetes-list-type: atomic
- x-kubernetes-validations:
- - message: Rule name must be unique within the route
- rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
- && l1.name == l2.name))
useDefaultGateways:
description: |-
UseDefaultGateways indicates the default Gateway scope to use for this
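Review bot: this hunk drops the `Rule name must be unique within the route` CEL validation from the `rules` list, while the `name` description in the hunk just above still says the name "MUST be unique within a Route if it is set". With API-server enforcement gone, a TLSRoute with two rules sharing a name will be admitted, so the provider should either reject such a route (Accepted condition set to False with a clear message) or at least log it and pick a rule deterministically; please add a unit test with duplicate rule names so the chosen behaviour is pinned.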
@@ -18004,7 +20164,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -18237,7 +20397,7 @@ spec:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
status:
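Review bot: flipping `storage: true` to `storage: false` for `v1alpha3` (with `served: true` kept) moves the TLSRoute storage version to `v1`, but objects already persisted as `v1alpha3` stay in etcd in that encoding until they are rewritten, and `v1alpha3` cannot be dropped from the CRD's `status.storedVersions` until that has happened. The migration guide should say that applying the new CRD alone does not convert stored objects, and that a storage-version migration (or a rewrite of existing TLSRoutes) is needed before a future bundle removes `v1alpha3`.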
@@ -18254,8 +20414,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: udproutes.gateway.networking.k8s.io
spec:
@@ -18764,7 +20924,7 @@ spec:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -19008,14 +21168,66 @@ status:
storedVersions: null
---
#
+# config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml
+#
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ annotations:
+ gateway.networking.k8s.io/bundle-version: v1.5.0-dev
+ gateway.networking.k8s.io/channel: standard
+ name: "safe-upgrades.gateway.networking.k8s.io"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["apiextensions.k8s.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["*"]
+ validations:
+ - expression: "object.spec.group != 'gateway.networking.k8s.io' || oldObject == null || (
+ has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') &&
+ object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' ) || (
+ oldObject != null && has(oldObject.metadata.annotations) && oldObject.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') &&
+ oldObject.metadata.annotations['gateway.networking.k8s.io/channel'] == 'experimental' )"
+ message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs."
+ reason: Invalid
+ - expression: "object.spec.group != 'gateway.networking.k8s.io' ||
+ (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') &&
+ !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') &&
+ !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library
+ message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions."
+ reason: Invalid
+
+---
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ annotations:
+ gateway.networking.k8s.io/bundle-version: v1.5.0-dev
+ gateway.networking.k8s.io/channel: standard
+ name: safe-upgrades.gateway.networking.k8s.io
+spec:
+ policyName: safe-upgrades.gateway.networking.k8s.io
+ validationActions: [Deny]
+ matchResources:
+ resourceRules:
+ - apiGroups: ["apiextensions.k8s.io"]
+ apiVersions: ["v1"]
+ resources: ["customresourcedefinitions"]
+ operations: ["CREATE", "UPDATE"]
+---
+#
# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
labels:
gateway.networking.k8s.io/policy: Direct
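Review bot: the new `ValidatingAdmissionPolicy` / `ValidatingAdmissionPolicyBinding` pair `safe-upgrades.gateway.networking.k8s.io` runs with `failurePolicy: Fail` and `validationActions: [Deny]`, and its first expression denies any UPDATE of a CRD in group `gateway.networking.k8s.io` whose new `channel` annotation is not `standard` unless the old object was already `experimental`, i.e. applying this experimental bundle over standard-channel CRDs is rejected with the message shown in the hunk. Any test fixture or CI step that applies the standard bundle first and then this file will now fail at the first CRD update, so please check the order in which the provider's integration fixtures apply these files, and make sure the migration doc repeats what the denial message says: the policy has to be deleted before experimental CRDs are layered over standard ones. Two smaller points: the policy and binding are annotated `bundle-version: v1.5.0-dev` and `channel: standard` while every CRD in this section says `v1.5.1` and sits in the experimental channel, which looks like upstream drift but matters because the first expression keys on exactly that `channel` annotation; and the group check covers only `gateway.networking.k8s.io`, so the `gateway.networking.x-k8s.io` CRD that follows this hunk is not protected by either expression.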
@@ -19112,7 +21324,7 @@ spec:
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
x-kubernetes-validations:
- - message: interval can not be greater than one hour or less
+ - message: interval cannot be greater than one hour or less
than one second
rule: '!(duration(self) < duration(''1s'') || duration(self)
> duration(''1h''))'
@@ -19162,7 +21374,7 @@ spec:
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
x-kubernetes-validations:
- - message: interval can not be greater than one hour
+ - message: interval cannot be greater than one hour
rule: '!(duration(self) == duration(''0s'') || duration(self)
> duration(''1h''))'
type: object
@@ -19240,7 +21452,7 @@ spec:
default: Cookie
description: |-
Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
+ the use of a header or cookie. Defaults to cookie based session
persistence.
Support: Core for "Cookie" type
@@ -19256,6 +21468,8 @@ spec:
is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
|| self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ - message: cookieConfig can only be set with type Cookie
+ rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
targetRefs:
description: |-
TargetRefs identifies API object(s) to apply this policy to.
@@ -19263,7 +21477,7 @@ spec:
ServiceImport, or any implementation-specific backendRef) are the only
valid API target references.
- Currently, a TargetRef can not be scoped to a specific port on a
+ Currently, a TargetRef cannot be scoped to a specific port on a
Service.
items:
description: |-
@@ -19618,805 +21832,14 @@ status:
storedVersions: null
---
#
-# config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml
-#
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
- gateway.networking.k8s.io/channel: experimental
- name: xlistenersets.gateway.networking.x-k8s.io
-spec:
- group: gateway.networking.x-k8s.io
- names:
- categories:
- - gateway-api
- kind: XListenerSet
- listKind: XListenerSetList
- plural: xlistenersets
- shortNames:
- - lset
- singular: xlistenerset
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .status.conditions[?(@.type=="Accepted")].status
- name: Accepted
- type: string
- - jsonPath: .status.conditions[?(@.type=="Programmed")].status
- name: Programmed
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- description: |-
- XListenerSet defines a set of additional listeners to attach to an existing Gateway.
- This resource provides a mechanism to merge multiple listeners into a single Gateway.
-
- The parent Gateway must explicitly allow ListenerSet attachment through its
- AllowedListeners configuration. By default, Gateways do not allow ListenerSet
- attachment.
-
- Routes can attach to a ListenerSet by specifying it as a parentRef, and can
- optionally target specific listeners using the sectionName field.
-
- Policy Attachment:
- - Policies that attach to a ListenerSet apply to all listeners defined in that resource
- - Policies do not impact listeners in the parent Gateway
- - Different ListenerSets attached to the same Gateway can have different policies
- - If an implementation cannot apply a policy to specific listeners, it should reject the policy
-
- ReferenceGrant Semantics:
- - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
- - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
- - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
-
- Gateway Integration:
- - The parent Gateway's status will include an "AttachedListenerSets" condition
- - This condition will be:
- - True: when AllowedListeners is set and at least one child ListenerSet is attached
- - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
- - Unknown: when no AllowedListeners config is present
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec defines the desired state of ListenerSet.
- properties:
- listeners:
- description: |-
- Listeners associated with this ListenerSet. Listeners define
- logical endpoints that are bound on this referenced parent Gateway's addresses.
-
- Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
- as a list when programming the underlying infrastructure. Each listener
- name does not need to be unique across the Gateway and ListenerSets.
- See ListenerEntry.Name for more details.
-
- Implementations MUST treat the parent Gateway as having the merged
- list of all listeners from itself and attached ListenerSets using
- the following precedence:
-
- 1. "parent" Gateway
- 2. ListenerSet ordered by creation time (oldest first)
- 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
-
- An implementation MAY reject listeners by setting the ListenerEntryStatus
- `Accepted` condition to False with the Reason `TooManyListeners`
-
- If a listener has a conflict, this will be reported in the
- Status.ListenerEntryStatus setting the `Conflicted` condition to True.
-
- Implementations SHOULD be cautious about what information from the
- parent or siblings are reported to avoid accidentally leaking
- sensitive information that the child would not otherwise have access
- to. This can include contents of secrets etc.
- items:
- properties:
- allowedRoutes:
- default:
- namespaces:
- from: Same
- description: |-
- AllowedRoutes defines the types of routes that MAY be attached to a
- Listener and the trusted namespaces where those Route resources MAY be
- present.
-
- Although a client request may match multiple route rules, only one rule
- may ultimately receive the request. Matching precedence MUST be
- determined in order of the following criteria:
-
- * The most specific match as defined by the Route type.
- * The oldest Route based on creation timestamp. For example, a Route with
- a creation timestamp of "2020-09-08 01:02:03" is given precedence over
- a Route with a creation timestamp of "2020-09-08 01:02:04".
- * If everything else is equivalent, the Route appearing first in
- alphabetical order (namespace/name) should be given precedence. For
- example, foo/bar is given precedence over foo/baz.
-
- All valid rules within a Route attached to this Listener should be
- implemented. Invalid Route rules can be ignored (sometimes that will mean
- the full Route). If a Route rule transitions from valid to invalid,
- support for that Route rule should be dropped to ensure consistency. For
- example, even if a filter specified by a Route rule is invalid, the rest
- of the rules within that Route should still be supported.
- properties:
- kinds:
- description: |-
- Kinds specifies the groups and kinds of Routes that are allowed to bind
- to this Gateway Listener. When unspecified or empty, the kinds of Routes
- selected are determined using the Listener protocol.
-
- A RouteGroupKind MUST correspond to kinds of Routes that are compatible
- with the application protocol specified in the Listener's Protocol field.
- If an implementation does not support or recognize this resource type, it
- MUST set the "ResolvedRefs" condition to False for this Listener with the
- "InvalidRouteKinds" reason.
-
- Support: Core
- items:
- description: RouteGroupKind indicates the group and kind
- of a Route resource.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: Group is the group of the Route.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is the kind of the Route.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- required:
- - kind
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-type: atomic
- namespaces:
- default:
- from: Same
- description: |-
- Namespaces indicates namespaces from which Routes may be attached to this
- Listener. This is restricted to the namespace of this Gateway by default.
-
- Support: Core
- properties:
- from:
- default: Same
- description: |-
- From indicates where Routes will be selected for this Gateway. Possible
- values are:
-
- * All: Routes in all namespaces may be used by this Gateway.
- * Selector: Routes in namespaces selected by the selector may be used by
- this Gateway.
- * Same: Only Routes in the same namespace may be used by this Gateway.
-
- Support: Core
- enum:
- - All
- - Selector
- - Same
- type: string
- selector:
- description: |-
- Selector must be specified when From is set to "Selector". In that case,
- only Routes in Namespaces matching this Selector will be selected by this
- Gateway. This field is ignored for other values of "From".
-
- Support: Core
- properties:
- matchExpressions:
- description: matchExpressions is a list of label
- selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the
- selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: object
- hostname:
- description: |-
- Hostname specifies the virtual hostname to match for protocol types that
- define this concept. When unspecified, all hostnames are matched. This
- field is ignored for protocols that don't require hostname based
- matching.
-
- Implementations MUST apply Hostname matching appropriately for each of
- the following protocols:
-
- * TLS: The Listener Hostname MUST match the SNI.
- * HTTP: The Listener Hostname MUST match the Host header of the request.
- * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
- protocol layers as described above. If an implementation does not
- ensure that both the SNI and Host header match the Listener hostname,
- it MUST clearly document that.
-
- For HTTPRoute and TLSRoute resources, there is an interaction with the
- `spec.hostnames` array. When both listener and route specify hostnames,
- there MUST be an intersection between the values for a Route to be
- accepted. For more information, refer to the Route specific Hostnames
- documentation.
-
- Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
- as a suffix match. That means that a match for `*.example.com` would match
- both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
- maxLength: 253
- minLength: 1
- pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- name:
- description: |-
- Name is the name of the Listener. This name MUST be unique within a
- ListenerSet.
-
- Name is not required to be unique across a Gateway and ListenerSets.
- Routes can attach to a Listener by having a ListenerSet as a parentRef
- and setting the SectionName
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- port:
- default: 0
- description: |-
- Port is the network port. Multiple listeners may use the
- same port, subject to the Listener compatibility rules.
-
- If the port is not set or specified as zero, the implementation will assign
- a unique port. If the implementation does not support dynamic port
- assignment, it MUST set `Accepted` condition to `False` with the
- `UnsupportedPort` reason.
- format: int32
- maximum: 65535
- minimum: 0
- type: integer
- protocol:
- description: Protocol specifies the network protocol this listener
- expects to receive.
- maxLength: 255
- minLength: 1
- pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
- type: string
- tls:
- description: |-
- TLS is the TLS configuration for the Listener. This field is required if
- the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
- if the Protocol field is "HTTP", "TCP", or "UDP".
-
- The association of SNIs to Certificate defined in ListenerTLSConfig is
- defined based on the Hostname field for this listener.
-
- The GatewayClass MUST use the longest matching SNI out of all
- available certificates for any TLS handshake.
- properties:
- certificateRefs:
- description: |-
- CertificateRefs contains a series of references to Kubernetes objects that
- contains TLS certificates and private keys. These certificates are used to
- establish a TLS handshake for requests that match the hostname of the
- associated listener.
-
- A single CertificateRef to a Kubernetes Secret has "Core" support.
- Implementations MAY choose to support attaching multiple certificates to
- a Listener, but this behavior is implementation-specific.
-
- References to a resource in different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
-
- This field is required to have at least one element when the mode is set
- to "Terminate" (default) and is optional otherwise.
-
- CertificateRefs can reference to standard Kubernetes resources, i.e.
- Secret, or implementation-specific custom resources.
-
- Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
-
- Support: Implementation-specific (More than one reference or other resource types)
- items:
- description: |-
- SecretObjectReference identifies an API object including its namespace,
- defaulting to Secret.
-
- The API object must be valid in the cluster; the Group and Kind must
- be registered in the cluster for this reference to be valid.
-
- References to objects with invalid Group and Kind are not valid, and must
- be rejected by the implementation, with appropriate Conditions set
- on the containing object.
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Secret
- description: Kind is kind of the referent. For example
- "Secret".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referenced object. When unspecified, the local
- namespace is inferred.
-
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- maxItems: 64
- type: array
- x-kubernetes-list-type: atomic
- mode:
- default: Terminate
- description: |-
- Mode defines the TLS behavior for the TLS session initiated by the client.
- There are two possible modes:
-
- - Terminate: The TLS session between the downstream client and the
- Gateway is terminated at the Gateway. This mode requires certificates
- to be specified in some way, such as populating the certificateRefs
- field.
- - Passthrough: The TLS session is NOT terminated by the Gateway. This
- implies that the Gateway can't decipher the TLS stream except for
- the ClientHello message of the TLS protocol. The certificateRefs field
- is ignored in this mode.
-
- Support: Core
- enum:
- - Terminate
- - Passthrough
- type: string
- options:
- additionalProperties:
- description: |-
- AnnotationValue is the value of an annotation in Gateway API. This is used
- for validation of maps such as TLS options. This roughly matches Kubernetes
- annotation validation, although the length validation in that case is based
- on the entire size of the annotations struct.
- maxLength: 4096
- minLength: 0
- type: string
- description: |-
- Options are a list of key/value pairs to enable extended TLS
- configuration for each implementation. For example, configuring the
- minimum TLS version or supported cipher suites.
-
- A set of common keys MAY be defined by the API in the future. To avoid
- any ambiguity, implementation-specific definitions MUST use
- domain-prefixed names, such as `example.com/my-custom-option`.
- Un-prefixed names are reserved for key names defined by Gateway API.
-
- Support: Implementation-specific
- maxProperties: 16
- type: object
- type: object
- x-kubernetes-validations:
- - message: certificateRefs or options must be specified when
- mode is Terminate
- rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
- > 0 || size(self.options) > 0 : true'
- required:
- - name
- - protocol
- type: object
- maxItems: 64
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- x-kubernetes-validations:
- - message: tls must not be specified for protocols ['HTTP', 'TCP',
- 'UDP']
- rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
- !has(l.tls) : true)'
- - message: tls mode must be Terminate for protocol HTTPS
- rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
- == '''' || l.tls.mode == ''Terminate'') : true)'
- - message: hostname must not be specified for protocols ['TCP', 'UDP']
- rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
- || l.hostname == '''') : true)'
- - message: Listener name must be unique within the Gateway
- rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
- - message: Combination of port, protocol and hostname must be unique
- for each listener
- rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port)
- && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname)
- && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname)
- && !has(l2.hostname))))'
- parentRef:
- description: ParentRef references the Gateway that the listeners are
- attached to.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: Group is the group of the referent.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- description: Kind is kind of the referent. For example "Gateway".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent. If not present,
- the namespace of the referent is assumed to be the same as
- the namespace of the referring object.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - listeners
- - parentRef
- type: object
- status:
- default:
- conditions:
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Accepted
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Programmed
- description: Status defines the current state of ListenerSet.
- properties:
- conditions:
- default:
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Accepted
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Programmed
- description: |-
- Conditions describe the current conditions of the ListenerSet.
-
- Implementations MUST express ListenerSet conditions using the
- `ListenerSetConditionType` and `ListenerSetConditionReason`
- constants so that operators and tools can converge on a common
- vocabulary to describe ListenerSet state.
-
- Known condition types are:
-
- * "Accepted"
- * "Programmed"
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- listeners:
- description: Listeners provide status for each unique listener port
- defined in the Spec.
- items:
- description: ListenerStatus is the status associated with a Listener.
- properties:
- attachedRoutes:
- description: |-
- AttachedRoutes represents the total number of Routes that have been
- successfully attached to this Listener.
-
- Successful attachment of a Route to a Listener is based solely on the
- combination of the AllowedRoutes field on the corresponding Listener
- and the Route's ParentRefs field. A Route is successfully attached to
- a Listener when it is selected by the Listener's AllowedRoutes field
- AND the Route has a valid ParentRef selecting the whole Gateway
- resource or a specific Listener as a parent resource (more detail on
- attachment semantics can be found in the documentation on the various
- Route kinds ParentRefs fields). Listener or Route status does not impact
- successful attachment, i.e. the AttachedRoutes field count MUST be set
- for Listeners with condition Accepted: false and MUST count successfully
- attached Routes that may themselves have Accepted: false conditions.
-
- Uses for this field include troubleshooting Route attachment and
- measuring blast radius/impact of changes to a Listener.
- format: int32
- type: integer
- conditions:
- description: Conditions describe the current condition of this
- listener.
- items:
- description: Condition contains details for one aspect of
- the current state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- name:
- description: Name is the name of the Listener that this status
- corresponds to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- port:
- description: Port is the network port the listener is configured
- to listen on.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- supportedKinds:
- description: |-
- SupportedKinds is the list indicating the Kinds supported by this
- listener. This MUST represent the kinds an implementation supports for
- that Listener configuration.
-
- If kinds are specified in Spec that are not supported, they MUST NOT
- appear in this list and an implementation MUST set the "ResolvedRefs"
- condition to "False" with the "InvalidRouteKinds" reason. If both valid
- and invalid Route kinds are specified, the implementation MUST
- reference the valid Route kinds that have been specified.
- items:
- description: RouteGroupKind indicates the group and kind of
- a Route resource.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: Group is the group of the Route.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is the kind of the Route.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- required:
- - kind
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-type: atomic
- required:
- - attachedRoutes
- - conditions
- - name
- - port
- - supportedKinds
- type: object
- maxItems: 64
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: null
- storedVersions: null
----
-#
# config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
name: xmeshes.gateway.networking.x-k8s.io
spec:
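Review bot: the whole XListenerSet CRD (the `-` block that ends at the `---` separator) disappears from this experimental fixture, while the `xmeshes` CRD that follows only has its `api-approved.kubernetes.io` and `bundle-version` annotations bumped to PR 4530 / v1.5.1. Say in the commit whether the fixture was regenerated from the upstream v1.5.1 experimental bundle or hand-edited: the conformance report in this same change declares `ListenerSet` under `unsupportedFeatures`, which is what steers the suite, so the CRD did not have to be removed for the tests to pass. If upstream still ships it, users who apply the upstream experimental bundle will have the CRD installed and the provider should be exercised with it present, not absent.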
diff --git a/integration/gateway-api-conformance-reports/v1.4.0/experimental-v3.7-default-report.yaml b/integration/gateway-api-conformance-reports/v1.5.1/experimental-v3.7-default-report.yaml
similarity index 57%
rename from integration/gateway-api-conformance-reports/v1.4.0/experimental-v3.7-default-report.yaml
rename to integration/gateway-api-conformance-reports/v1.5.1/experimental-v3.7-default-report.yaml
index e6961a03d..8b963c2e1 100644
--- a/integration/gateway-api-conformance-reports/v1.4.0/experimental-v3.7-default-report.yaml
+++ b/integration/gateway-api-conformance-reports/v1.5.1/experimental-v3.7-default-report.yaml
@@ -1,7 +1,7 @@
apiVersion: gateway.networking.k8s.io/v1
date: '-'
gatewayAPIChannel: experimental
-gatewayAPIVersion: v1.4.0
+gatewayAPIVersion: v1.5.1
implementation:
contact:
- '@traefik/maintainers'
@@ -30,9 +30,10 @@ profiles:
result: success
statistics:
Failed: 0
- Passed: 15
+ Passed: 20
Skipped: 0
supportedFeatures:
+ - BackendTLSPolicy
- GatewayPort8080
- HTTPRouteBackendProtocolH2C
- HTTPRouteBackendProtocolWebSocket
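Review bot: `BackendTLSPolicy` is now declared supported (and the extended pass count moves from 15 to 20), but the next hunk declares `BackendTLSPolicySANValidation` unsupported. A reader of the supported list will assume the policy's subject alternative name checks are enforced on the backend connection; the provider reference should state explicitly which parts of BackendTLSPolicy are honoured and that SAN validation from the policy is not, so nobody relies on it for backend identity.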
@@ -47,10 +48,18 @@ profiles:
- HTTPRouteResponseHeaderModification
- HTTPRouteSchemeRedirect
unsupportedFeatures:
+ - BackendTLSPolicySANValidation
- GatewayAddressEmpty
+ - GatewayBackendClientCertificate
+ - GatewayFrontendClientCertificateValidation
+ - GatewayFrontendClientCertificateValidationInsecureFallback
- GatewayHTTPListenerIsolation
+ - GatewayHTTPSListenerDetectMisdirectedRequests
- GatewayInfrastructurePropagation
- GatewayStaticAddresses
+ - HTTPRoute303RedirectStatusCode
+ - HTTPRoute307RedirectStatusCode
+ - HTTPRoute308RedirectStatusCode
- HTTPRouteBackendTimeout
- HTTPRouteCORS
- HTTPRouteNamedRouteRule
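Review bot: the newly listed unsupported features are mostly TLS identity checks: `BackendTLSPolicySANValidation`, `GatewayBackendClientCertificate`, `GatewayFrontendClientCertificateValidation` with its `InsecureFallback` variant, and `GatewayHTTPSListenerDetectMisdirectedRequests` (rejecting requests whose Host does not match the negotiated SNI). These are exactly what an operator expecting mTLS or Host/SNI consistency from the Gateway provider will look for, so they belong in the provider documentation and not only in this report. Separately, `HTTPRoute303RedirectStatusCode`, `HTTPRoute307RedirectStatusCode` and `HTTPRoute308RedirectStatusCode` are unsupported while `HTTPRouteSchemeRedirect` is supported; if that means an HTTP-to-HTTPS redirect can only be issued with the Gateway API default of 302, document that non-GET requests redirected this way will be replayed by clients as GET, since only 307/308 preserve the method.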
@@ -59,13 +68,37 @@ profiles:
- HTTPRouteRequestMultipleMirrors
- HTTPRouteRequestPercentageMirror
- HTTPRouteRequestTimeout
+ - ListenerSet
name: GATEWAY-HTTP
summary: Core tests succeeded. Extended tests succeeded.
- core:
result: success
statistics:
Failed: 0
- Passed: 11
+ Passed: 18
Skipped: 0
+ extended:
+ result: success
+ statistics:
+ Failed: 0
+ Passed: 4
+ Skipped: 0
+ supportedFeatures:
+ - GatewayPort8080
+ - TLSRouteModeMixed
+ - TLSRouteModeTerminate
+ unsupportedFeatures:
+ - GatewayAddressEmpty
+ - GatewayBackendClientCertificate
+ - GatewayFrontendClientCertificateValidation
+ - GatewayFrontendClientCertificateValidationInsecureFallback
+ - GatewayHTTPListenerIsolation
+ - GatewayHTTPSListenerDetectMisdirectedRequests
+ - GatewayInfrastructurePropagation
+ - GatewayStaticAddresses
+ - ListenerSet
name: GATEWAY-TLS
- summary: Core tests succeeded.
+ summary: Core tests succeeded. Extended tests succeeded.
+succeededProvisionalTests:
+- TLSRouteMixedTerminationSameNamespace
+- TLSRouteTerminateSimpleSameNamespace
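Review bot: GATEWAY-TLS gains an `extended` profile with `TLSRouteModeMixed` and `TLSRouteModeTerminate`, and the two Terminate tests appear under the new top-level `succeededProvisionalTests` list. State in the PR whether those provisional tests are included in the `Passed: 4` under extended (and whether the jump from 11 to 18 core passes comes from new tests in v1.5.1 or from previously skipped ones), so the numbers can be reproduced from a clean run. `date: '-'` is still the placeholder from the previous report; if this file is meant to be submitted upstream it needs the real run date.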
diff --git a/integration/gateway_api_conformance_test.go b/integration/gateway_api_conformance_test.go
index 9a25125d6..2625adb23 100644
--- a/integration/gateway_api_conformance_test.go
+++ b/integration/gateway_api_conformance_test.go
@@ -80,7 +80,7 @@ func (s *GatewayAPIConformanceSuite) SetupSuite() {
s.k3sContainer, err = k3s.Run(ctx,
k3sImage,
- k3s.WithManifest("./fixtures/gateway-api-conformance/00-experimental-v1.4.0.yml"),
+ k3s.WithManifest("./fixtures/gateway-api-conformance/00-experimental-v1.5.1.yml"),
k3s.WithManifest("./fixtures/gateway-api-conformance/01-rbac.yml"),
k3s.WithManifest("./fixtures/gateway-api-conformance/02-traefik.yml"),
network.WithNetwork(nil, s.network),
diff --git a/integration/testdata/rawdata-gateway.json b/integration/testdata/rawdata-gateway.json
index 2ac7e1ba4..35a9e6bc4 100644
--- a/integration/testdata/rawdata-gateway.json
+++ b/integration/testdata/rawdata-gateway.json
@@ -5,7 +5,7 @@
"traefik"
],
"service": "api@internal",
- "rule": "PathPrefix(\"/api\")",
+ "rule": "PathPrefix(`/api`)",
"ruleSyntax": "default",
"priority": 9223372036854775806,
"observability": {
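Review bot: the change from `PathPrefix(\"/api\")` to `PathPrefix(`/api`)` (and the same for the dashboard router in the next hunk) is in the rule string emitted for the internal `api@internal` and `dashboard@internal` routers, which are independent of the Gateway API bump. That is a change in what the API returns for every provider and deserves its own line in the commit message, or its own commit.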
@@ -28,7 +28,7 @@
"dashboard_stripprefix@internal"
],
"service": "dashboard@internal",
- "rule": "PathPrefix(\"/\")",
+ "rule": "PathPrefix(`/`)",
"ruleSyntax": "default",
"priority": 9223372036854775805,
"observability": {
@@ -127,7 +127,7 @@
"url": "http://10.42.0.4:80"
},
{
- "url": "http://10.42.0.6:80"
+ "url": "http://10.42.0.8:80"
}
],
"strategy": "wrr",
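Review bot: the server URL moves from `10.42.0.6` to `10.42.0.8` (and `10.42.0.2`/`10.42.0.3` become `10.42.0.6`/`10.42.0.9` further down) only because pod IP allocation order in the k3s container changed; the golden file is therefore tied to scheduling order and will break again on the next fixture reorder. Normalising server addresses before comparing, or asserting on the count and health of servers rather than on the literal IPs, would keep this file stable.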
@@ -139,7 +139,7 @@
"status": "enabled",
"serverStatus": {
"http://10.42.0.4:80": "UP",
- "http://10.42.0.6:80": "UP"
+ "http://10.42.0.8:80": "UP"
}
},
"httproute-default-http-app-1-gw-default-my-gateway-ep-web-0-af329269dd38031b03e3-wrr@kubernetesgateway": {
@@ -175,6 +175,29 @@
}
},
"tcpRouters": {
+ "deny-unknown-host@kubernetesgateway": {
+ "entryPoints": [
+ "footcp",
+ "footlspassthrough",
+ "footlsterminate",
+ "web",
+ "websecure"
+ ],
+ "service": "deny-unknown-host",
+ "rule": "HostSNI(`*`) \u0026\u0026 !ALPN(`h2`) \u0026\u0026 !ALPN(`http/1.1`)",
+ "priority": 1,
+ "tls": {
+ "passthrough": false
+ },
+ "status": "enabled",
+ "using": [
+ "footcp",
+ "footlspassthrough",
+ "footlsterminate",
+ "web",
+ "websecure"
+ ]
+ },
"tcproute-default-tcp-app-1-gw-default-my-tcp-gateway-ep-footcp-0-e3b0c44298fc1c149afb@kubernetesgateway": {
"entryPoints": [
"footcp"
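Review bot: the new `deny-unknown-host@kubernetesgateway` TCP router is attached to every entry point, including `web` and `footcp`, with rule HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`), `priority: 1`, `tls.passthrough: false` and (in a later hunk) a service with an empty `loadBalancer`. Two things need to be spelled out in the description: first, what a client that lands here observes, because with `passthrough: false` Traefik terminates the handshake, so the default certificate is presented for any SNI that matches no listener before the connection is dropped; second, why the router is attached to `web` and `footcp` when those are plain listeners in this fixture, given that the ALPN conditions can only be evaluated on a TLS ClientHello. Note also that the TCPRoute router removed in the next hunk had `HostSNI(\"*\")` at `priority: -1`, which this router at `priority: 1` outranks for any non-HTTP ALPN connection; the `footcp` TCPRoute router's priority is not shown here, but a user TCPRoute generating a HostSNI(`*`) catch-all on a TLS listener would be shadowed the same way. Restricting this router to the TLS-terminating entry points and stating the fail-closed behaviour in the migration notes would make the change easier to audit.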
@@ -188,22 +211,6 @@
"footcp"
]
},
- "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-footlsterminate-0-e3b0c44298fc1c149afb@kubernetesgateway": {
- "entryPoints": [
- "footlsterminate"
- ],
- "service": "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-footlsterminate-0-e3b0c44298fc1c149afb-wrr",
- "rule": "HostSNI(\"*\")",
- "ruleSyntax": "default",
- "priority": -1,
- "tls": {
- "passthrough": false
- },
- "status": "enabled",
- "using": [
- "footlsterminate"
- ]
- },
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-footlspassthrough-0-e3b0c44298fc1c149afb@kubernetesgateway": {
"entryPoints": [
"footlspassthrough"
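Review bot: the router for the TCPRoute attached to the `footlsterminate` listener of `my-tls-gateway` is dropped entirely, while the TLSRoute on `footlspassthrough` is kept. A TCPRoute with a parentRef to a listener in TLS Terminate mode therefore no longer produces a router, which is a user-visible change. The migration notes should say whether such an attachment is now rejected with a status condition on the route (and with which reason) or silently ignored; combined with the new `deny-unknown-host` router, a silently dropped route turns what used to be a served TCP endpoint into a closed connection with no signal to the route owner.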
@@ -226,19 +233,26 @@
"loadBalancer": {
"servers": [
{
- "address": "10.42.0.2:8080"
+ "address": "10.42.0.6:8080"
},
{
- "address": "10.42.0.3:8080"
+ "address": "10.42.0.9:8080"
}
]
},
"status": "enabled",
"serverStatus": {
- "10.42.0.2:8080": "UP",
- "10.42.0.6:8080": "UP"
+ "10.42.0.6:8080": "UP",
+ "10.42.0.9:8080": "UP"
}
},
+ "deny-unknown-host@kubernetesgateway": {
+ "loadBalancer": {},
+ "status": "enabled",
+ "usedBy": [
+ "deny-unknown-host@kubernetesgateway"
+ ]
+ },
"tcproute-default-tcp-app-1-gw-default-my-tcp-gateway-ep-footcp-0-e3b0c44298fc1c149afb-wrr@kubernetesgateway": {
"weighted": {
"services": [
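Review bot: `deny-unknown-host@kubernetesgateway` is a TCP service with an empty `loadBalancer` (no servers) that still reports `status: enabled`, so the API and dashboard present it as a healthy service with nothing behind it. Since it is synthesized by the Gateway provider rather than declared by a user, the provider reference should name it and explain its purpose, otherwise anyone reviewing the raw configuration will read it as a misconfigured user service; and if its only function is to close the connection, consider whether a dedicated router action would express that more honestly than a server-less load balancer.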
@@ -253,20 +267,6 @@
"tcproute-default-tcp-app-1-gw-default-my-tcp-gateway-ep-footcp-0-e3b0c44298fc1c149afb@kubernetesgateway"
]
},
- "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-footlsterminate-0-e3b0c44298fc1c149afb-wrr@kubernetesgateway": {
- "weighted": {
- "services": [
- {
- "name": "default-whoamitcp-8080",
- "weight": 1
- }
- ]
- },
- "status": "enabled",
- "usedBy": [
- "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-footlsterminate-0-e3b0c44298fc1c149afb@kubernetesgateway"
- ]
- },
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-footlspassthrough-0-e3b0c44298fc1c149afb-wrr@kubernetesgateway": {
"weighted": {
"services": [
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/basicauth.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/basicauth.go
index d903414dc..ef7251281 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/basicauth.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/basicauth.go
@@ -28,11 +28,22 @@ package v1alpha1
// BasicAuthApplyConfiguration represents a declarative configuration of the BasicAuth type for use
// with apply.
+//
+// BasicAuth holds the basic auth middleware configuration.
+// This middleware restricts access to your services to known users.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/basicauth/
type BasicAuthApplyConfiguration struct {
- Secret *string `json:"secret,omitempty"`
- Realm *string `json:"realm,omitempty"`
- RemoveHeader *bool `json:"removeHeader,omitempty"`
- HeaderField *string `json:"headerField,omitempty"`
+ // Secret is the name of the referenced Kubernetes Secret containing user credentials.
+ Secret *string `json:"secret,omitempty"`
+ // Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
+ // Default: traefik.
+ Realm *string `json:"realm,omitempty"`
+ // RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.
+ // Default: false.
+ RemoveHeader *bool `json:"removeHeader,omitempty"`
+ // HeaderField defines a header field to store the authenticated user.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/basicauth/#headerfield
+ HeaderField *string `json:"headerField,omitempty"`
}
// BasicAuthApplyConfiguration constructs a declarative configuration of the BasicAuth type for use with
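Review bot: these apply configurations are generated, so the new field comments only survive if the same text was added to the source types under `pkg/provider/kubernetes/crd/traefikio/v1alpha1` and the generator rerun; confirm the source change is part of this PR and not only the generated output. The `More info` links are pinned to `v3.7` and will go stale with each minor release; an unversioned docs path would not need touching on every bump.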
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/buffering.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/buffering.go
index 47ed405d8..bd702df19 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/buffering.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/buffering.go
@@ -28,12 +28,29 @@ package v1alpha1
// BufferingApplyConfiguration represents a declarative configuration of the Buffering type for use
// with apply.
+//
+// Buffering holds the buffering middleware configuration.
+// This middleware retries or limits the size of requests that can be forwarded to backends.
+// More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/buffering/#maxrequestbodybytes
type BufferingApplyConfiguration struct {
- MaxRequestBodyBytes *int64 `json:"maxRequestBodyBytes,omitempty"`
- MemRequestBodyBytes *int64 `json:"memRequestBodyBytes,omitempty"`
- MaxResponseBodyBytes *int64 `json:"maxResponseBodyBytes,omitempty"`
- MemResponseBodyBytes *int64 `json:"memResponseBodyBytes,omitempty"`
- RetryExpression *string `json:"retryExpression,omitempty"`
+ // MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).
+ // If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.
+ // Default: 0 (no maximum).
+ MaxRequestBodyBytes *int64 `json:"maxRequestBodyBytes,omitempty"`
+ // MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory.
+ // Default: 1048576 (1Mi).
+ MemRequestBodyBytes *int64 `json:"memRequestBodyBytes,omitempty"`
+ // MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes).
+ // If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead.
+ // Default: 0 (no maximum).
+ MaxResponseBodyBytes *int64 `json:"maxResponseBodyBytes,omitempty"`
+ // MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory.
+ // Default: 1048576 (1Mi).
+ MemResponseBodyBytes *int64 `json:"memResponseBodyBytes,omitempty"`
+ // RetryExpression defines the retry conditions.
+ // It is a logical combination of functions with operators AND (&&) and OR (||).
+ // More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/buffering/#retryexpression
+ RetryExpression *string `json:"retryExpression,omitempty"`
}
// BufferingApplyConfiguration constructs a declarative configuration of the Buffering type for use with
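Review bot: the type-level `More info` link points at `/middlewares/http/buffering/#maxrequestbodybytes`, a single-field fragment on the old docs tree, while the other types in this change link to `/reference/routing-configuration/http/middlewares/...`; point the type comment at the page itself on the same tree. The sentence "This middleware retries or limits the size of requests" also reads as if buffering retries by itself; say that it buffers request and response bodies, enforces `maxRequestBodyBytes`/`maxResponseBodyBytes`, and, when `retryExpression` is set, can replay the buffered request.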
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/certificate.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/certificate.go
index 33f85d146..a67123305 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/certificate.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/certificate.go
@@ -28,7 +28,10 @@ package v1alpha1
// CertificateApplyConfiguration represents a declarative configuration of the Certificate type for use
// with apply.
+//
+// Certificate holds a secret name for the TLSStore resource.
type CertificateApplyConfiguration struct {
+ // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
SecretName *string `json:"secretName,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/chain.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/chain.go
index 221da3315..976dfcc7e 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/chain.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/chain.go
@@ -28,7 +28,12 @@ package v1alpha1
// ChainApplyConfiguration represents a declarative configuration of the Chain type for use
// with apply.
+//
+// Chain holds the configuration of the chain middleware.
+// This middleware enables to define reusable combinations of other pieces of middleware.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/chain/
type ChainApplyConfiguration struct {
+ // Middlewares is the list of MiddlewareRef which composes the chain.
Middlewares []MiddlewareRefApplyConfiguration `json:"middlewares,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/circuitbreaker.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/circuitbreaker.go
index 551041f0f..b705f1b36 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/circuitbreaker.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/circuitbreaker.go
@@ -32,12 +32,19 @@ import (
// CircuitBreakerApplyConfiguration represents a declarative configuration of the CircuitBreaker type for use
// with apply.
+//
+// CircuitBreaker holds the circuit breaker configuration.
type CircuitBreakerApplyConfiguration struct {
- Expression *string `json:"expression,omitempty"`
- CheckPeriod *intstr.IntOrString `json:"checkPeriod,omitempty"`
+ // Expression is the condition that triggers the tripped state.
+ Expression *string `json:"expression,omitempty"`
+ // CheckPeriod is the interval between successive checks of the circuit breaker condition (when in standby state).
+ CheckPeriod *intstr.IntOrString `json:"checkPeriod,omitempty"`
+ // FallbackDuration is the duration for which the circuit breaker will wait before trying to recover (from a tripped state).
FallbackDuration *intstr.IntOrString `json:"fallbackDuration,omitempty"`
+ // RecoveryDuration is the duration for which the circuit breaker will try to recover (as soon as it is in recovering state).
RecoveryDuration *intstr.IntOrString `json:"recoveryDuration,omitempty"`
- ResponseCode *int `json:"responseCode,omitempty"`
+ // ResponseCode is the status code that the circuit breaker will return while it is in the open state.
+ ResponseCode *int `json:"responseCode,omitempty"`
}
// CircuitBreakerApplyConfiguration constructs a declarative configuration of the CircuitBreaker type for use with
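Review bot: the field comments use both "tripped state" (on `Expression`) and "open state" (on `ResponseCode`) for the same condition; pick one term. `CheckPeriod`, `FallbackDuration`, `RecoveryDuration` and `ResponseCode` also state no defaults, while the other types in this change document theirs (`Realm`, `RemoveHeader`, `MemRequestBodyBytes`, ...), so the generated reference will be uneven.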
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clientauth.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clientauth.go
index 6227ffdc7..456b57da3 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clientauth.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clientauth.go
@@ -28,9 +28,13 @@ package v1alpha1
// ClientAuthApplyConfiguration represents a declarative configuration of the ClientAuth type for use
// with apply.
+//
+// ClientAuth holds the TLS client authentication configuration.
type ClientAuthApplyConfiguration struct {
- SecretNames []string `json:"secretNames,omitempty"`
- ClientAuthType *string `json:"clientAuthType,omitempty"`
+ // SecretNames defines the names of the referenced Kubernetes Secret storing certificate details.
+ SecretNames []string `json:"secretNames,omitempty"`
+ // ClientAuthType defines the client authentication type to apply.
+ ClientAuthType *string `json:"clientAuthType,omitempty"`
}
// ClientAuthApplyConfiguration constructs a declarative configuration of the ClientAuth type for use with
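Review bot: the `ClientAuthType` comment says only that it "defines the client authentication type to apply". This is the field that decides whether a client certificate is requested, required and verified, so the comment should enumerate the accepted values (the Go `tls.ClientAuthType` names: `NoClientCert`, `RequestClientCert`, `RequireAnyClientCert`, `VerifyClientCertIfGiven`, `RequireAndVerifyClientCert`) and warn that `RequestClientCert` and `VerifyClientCertIfGiven` still accept connections without a certificate and that `RequireAnyClientCert` does not verify the chain against `SecretNames`; only `RequireAndVerifyClientCert` enforces mTLS.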
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clienttls.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clienttls.go
index dd5f3c2bc..ff04e3864 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clienttls.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clienttls.go
@@ -28,10 +28,17 @@ package v1alpha1
// ClientTLSApplyConfiguration represents a declarative configuration of the ClientTLS type for use
// with apply.
+//
+// ClientTLS holds the client TLS configuration.
type ClientTLSApplyConfiguration struct {
- CASecret *string `json:"caSecret,omitempty"`
- CertSecret *string `json:"certSecret,omitempty"`
- InsecureSkipVerify *bool `json:"insecureSkipVerify,omitempty"`
+ // CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.
+ // The CA certificate is extracted from key `tls.ca` or `ca.crt`.
+ CASecret *string `json:"caSecret,omitempty"`
+ // CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.
+ // The client certificate is extracted from the keys `tls.crt` and `tls.key`.
+ CertSecret *string `json:"certSecret,omitempty"`
+ // InsecureSkipVerify defines whether the server certificates should be validated.
+ InsecureSkipVerify *bool `json:"insecureSkipVerify,omitempty"`
}
// ClientTLSApplyConfiguration constructs a declarative configuration of the ClientTLS type for use with
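Review bot: the `InsecureSkipVerify` comment is inverted. "defines whether the server certificates should be validated" suggests `true` turns validation on, but `true` disables verification of the server certificate chain and host name. Suggest: `// InsecureSkipVerify disables verification of the server certificate chain and host name when true; only for testing.` As written, the published CRD reference presents a dangerous flag as a safe toggle.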
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clienttlswithcaoptional.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clienttlswithcaoptional.go
index d5e4e90ef..d5b2bc75f 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clienttlswithcaoptional.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/clienttlswithcaoptional.go
@@ -28,9 +28,13 @@ package v1alpha1
// ClientTLSWithCAOptionalApplyConfiguration represents a declarative configuration of the ClientTLSWithCAOptional type for use
// with apply.
+//
+// ClientTLSWithCAOptional holds the client TLS configuration.
+// TODO: This has to be removed once the CAOptional option is removed.
type ClientTLSWithCAOptionalApplyConfiguration struct {
ClientTLSApplyConfiguration `json:",inline"`
- CAOptional *bool `json:"caOptional,omitempty"`
+ // Deprecated: TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).
+ CAOptional *bool `json:"caOptional,omitempty"`
}
// ClientTLSWithCAOptionalApplyConfiguration constructs a declarative configuration of the ClientTLSWithCAOptional type for use with
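Review bot: the generated type comment now carries `TODO: This has to be removed once the CAOptional option is removed.` and the `CAOptional` deprecation note hard-codes a line link into a specific Go commit. Both end up in the published CRD reference; keep the TODO in the source type only, and replace the commit link with a short statement of the target removal version and the `clientAuthType` option users should migrate to.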
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/compress.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/compress.go
index 5e5eea00c..4b3d07fdc 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/compress.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/compress.go
@@ -28,12 +28,23 @@ package v1alpha1
// CompressApplyConfiguration represents a declarative configuration of the Compress type for use
// with apply.
+//
+// Compress holds the compress middleware configuration.
+// This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/compress/
type CompressApplyConfiguration struct {
+ // ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
+ // `application/grpc` is always excluded.
ExcludedContentTypes []string `json:"excludedContentTypes,omitempty"`
+ // IncludedContentTypes defines the list of content types to compare the Content-Type header of the responses before compressing.
IncludedContentTypes []string `json:"includedContentTypes,omitempty"`
- MinResponseBodyBytes *int `json:"minResponseBodyBytes,omitempty"`
- Encodings []string `json:"encodings,omitempty"`
- DefaultEncoding *string `json:"defaultEncoding,omitempty"`
+ // MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.
+ // Default: 1024.
+ MinResponseBodyBytes *int `json:"minResponseBodyBytes,omitempty"`
+ // Encodings defines the list of supported compression algorithms.
+ Encodings []string `json:"encodings,omitempty"`
+ // DefaultEncoding specifies the default encoding if the `Accept-Encoding` header is not in the request or contains a wildcard (`*`).
+ DefaultEncoding *string `json:"defaultEncoding,omitempty"`
}
// CompressApplyConfiguration constructs a declarative configuration of the Compress type for use with
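Review bot: the type comment names gzip, brotli and zstd but the `Encodings` comment does not say which identifiers are accepted in the list, and the `DefaultEncoding` comment does not say what happens when the value is not one of `Encodings`. Both are the questions a user will have when reading the generated reference, so spell out the accepted values and the fallback behaviour here.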
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/digestauth.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/digestauth.go
index 70bf9b3b9..3eb744807 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/digestauth.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/digestauth.go
@@ -28,11 +28,21 @@ package v1alpha1
// DigestAuthApplyConfiguration represents a declarative configuration of the DigestAuth type for use
// with apply.
+//
+// DigestAuth holds the digest auth middleware configuration.
+// This middleware restricts access to your services to known users.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/digestauth/
type DigestAuthApplyConfiguration struct {
- Secret *string `json:"secret,omitempty"`
- RemoveHeader *bool `json:"removeHeader,omitempty"`
- Realm *string `json:"realm,omitempty"`
- HeaderField *string `json:"headerField,omitempty"`
+ // Secret is the name of the referenced Kubernetes Secret containing user credentials.
+ Secret *string `json:"secret,omitempty"`
+ // RemoveHeader defines whether to remove the authorization header before forwarding the request to the backend.
+ RemoveHeader *bool `json:"removeHeader,omitempty"`
+ // Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
+ // Default: traefik.
+ Realm *string `json:"realm,omitempty"`
+ // HeaderField defines a header field to store the authenticated user.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/digestauth/#headerfield
+ HeaderField *string `json:"headerField,omitempty"`
}
// DigestAuthApplyConfiguration constructs a declarative configuration of the DigestAuth type for use with
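Review bot: `RemoveHeader` here has no stated default while the `BasicAuth` counterpart says `Default: false.`; align the two, since both middlewares forward the `Authorization` header to the backend unless the flag is set, and that is the case a reader checks.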
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/errorpage.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/errorpage.go
index 3273eb655..9e77d4c3e 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/errorpage.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/errorpage.go
@@ -28,11 +28,28 @@ package v1alpha1
// ErrorPageApplyConfiguration represents a declarative configuration of the ErrorPage type for use
// with apply.
+//
+// ErrorPage holds the custom error middleware configuration.
+// This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/errorpages/
type ErrorPageApplyConfiguration struct {
- Status []string `json:"status,omitempty"`
- StatusRewrites map[string]int `json:"statusRewrites,omitempty"`
- Service *ServiceApplyConfiguration `json:"service,omitempty"`
- Query *string `json:"query,omitempty"`
+ // Status defines which status or range of statuses should result in an error page.
+ // It can be either a status code as a number (500),
+ // as multiple comma-separated numbers (500,502),
+ // as ranges by separating two codes with a dash (500-599),
+ // or a combination of the two (404,418,500-599).
+ Status []string `json:"status,omitempty"`
+ // StatusRewrites defines a mapping of status codes that should be returned instead of the original error status codes.
+ // For example: "418": 404 or "410-418": 404
+ StatusRewrites map[string]int `json:"statusRewrites,omitempty"`
+ // Service defines the reference to a Kubernetes Service that will serve the error page.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/errorpages/#service
+ Service *ServiceApplyConfiguration `json:"service,omitempty"`
+ // Query defines the URL for the error page (hosted by service).
+ // The {status} variable can be used in order to insert the status code in the URL.
+ // The {originalStatus} variable can be used in order to insert the upstream status code in the URL.
+ // The {url} variable can be used in order to insert the escaped request URL.
+ Query *string `json:"query,omitempty"`
}
// ErrorPageApplyConfiguration constructs a declarative configuration of the ErrorPage type for use with
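Review bot: In the Status comment, "or a combination of the two (404,418,500-599)" follows three listed forms (a single code, a comma-separated list, a dash range), so "a combination of these" is the accurate wording. The StatusRewrites comment would also benefit from saying which side wins when a single code and a range both match (for example "418": 404 alongside "410-418": 502), since the map gives no ordering.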
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/failover.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/failover.go
index 1e2b5288a..36bb131d6 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/failover.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/failover.go
@@ -28,10 +28,15 @@ package v1alpha1
// FailoverApplyConfiguration represents a declarative configuration of the Failover type for use
// with apply.
+//
+// Failover holds the Failover configuration.
type FailoverApplyConfiguration struct {
- Service *LoadBalancerSpecApplyConfiguration `json:"service,omitempty"`
+ // Service defines the main service to use.
+ Service *LoadBalancerSpecApplyConfiguration `json:"service,omitempty"`
+ // Fallback defines the fallback service to use when the main service returns an error.
Fallback *LoadBalancerSpecApplyConfiguration `json:"fallback,omitempty"`
- Errors *FailoverErrorApplyConfiguration `json:"errors,omitempty"`
+ // Errors defines which errors should trigger the use of the fallback service.
+ Errors *FailoverErrorApplyConfiguration `json:"errors,omitempty"`
}
// FailoverApplyConfiguration constructs a declarative configuration of the Failover type for use with
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/failovererror.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/failovererror.go
index 0d3380f55..a04b11558 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/failovererror.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/failovererror.go
@@ -28,9 +28,14 @@ package v1alpha1
// FailoverErrorApplyConfiguration represents a declarative configuration of the FailoverError type for use
// with apply.
+//
+// FailoverError holds errors configuration for a Failover service.
type FailoverErrorApplyConfiguration struct {
- Status []string `json:"status,omitempty"`
- MaxRequestBodyBytes *int64 `json:"maxRequestBodyBytes,omitempty"`
+ // Status defines the list of status code ranges for which the fallback service should be used.
+ Status []string `json:"status,omitempty"`
+ // MaxRequestBodyBytes defines the maximum size allowed for the body of the request.
+ // Default value is -1, which means unlimited size.
+ MaxRequestBodyBytes *int64 `json:"maxRequestBodyBytes,omitempty"`
}
// FailoverErrorApplyConfiguration constructs a declarative configuration of the FailoverError type for use with
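Review bot: The MaxRequestBodyBytes comment gives the default (-1, unlimited) but not what happens when a request body exceeds the limit. If the body is buffered so the request can be replayed against the fallback service, an unlimited default means unbounded buffering per in-flight request, and the user needs to know whether an oversized body disables failover for that request or fails it outright. Please document the over-limit behaviour next to the default line.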
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/forwardauth.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/forwardauth.go
index 1295b78c0..a9c68e280 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/forwardauth.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/forwardauth.go
@@ -28,21 +28,42 @@ package v1alpha1
// ForwardAuthApplyConfiguration represents a declarative configuration of the ForwardAuth type for use
// with apply.
+//
+// ForwardAuth holds the forward auth middleware configuration.
+// This middleware delegates the request authentication to a Service.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/forwardauth/
type ForwardAuthApplyConfiguration struct {
- Address *string `json:"address,omitempty"`
- TrustForwardHeader *bool `json:"trustForwardHeader,omitempty"`
- AuthResponseHeaders []string `json:"authResponseHeaders,omitempty"`
- AuthResponseHeadersRegex *string `json:"authResponseHeadersRegex,omitempty"`
- AuthRequestHeaders []string `json:"authRequestHeaders,omitempty"`
- TLS *ClientTLSWithCAOptionalApplyConfiguration `json:"tls,omitempty"`
- MaxResponseBodySize *int64 `json:"maxResponseBodySize,omitempty"`
- AddAuthCookiesToResponse []string `json:"addAuthCookiesToResponse,omitempty"`
- HeaderField *string `json:"headerField,omitempty"`
- ForwardBody *bool `json:"forwardBody,omitempty"`
- MaxBodySize *int64 `json:"maxBodySize,omitempty"`
- PreserveLocationHeader *bool `json:"preserveLocationHeader,omitempty"`
- PreserveRequestMethod *bool `json:"preserveRequestMethod,omitempty"`
- AuthSigninURL *string `json:"authSigninURL,omitempty"`
+ // Address defines the authentication server address.
+ Address *string `json:"address,omitempty"`
+ // TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers.
+ TrustForwardHeader *bool `json:"trustForwardHeader,omitempty"`
+ // AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
+ AuthResponseHeaders []string `json:"authResponseHeaders,omitempty"`
+ // AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/forwardauth/#authresponseheadersregex
+ AuthResponseHeadersRegex *string `json:"authResponseHeadersRegex,omitempty"`
+ // AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.
+ // If not set or empty then all request headers are passed.
+ AuthRequestHeaders []string `json:"authRequestHeaders,omitempty"`
+ // TLS defines the configuration used to secure the connection to the authentication server.
+ TLS *ClientTLSWithCAOptionalApplyConfiguration `json:"tls,omitempty"`
+ // MaxResponseBodySize defines the maximum body size in bytes allowed in the response from the authentication server.
+ MaxResponseBodySize *int64 `json:"maxResponseBodySize,omitempty"`
+ // AddAuthCookiesToResponse defines the list of cookies to copy from the authentication server response to the response.
+ AddAuthCookiesToResponse []string `json:"addAuthCookiesToResponse,omitempty"`
+ // HeaderField defines a header field to store the authenticated user.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/forwardauth/#headerfield
+ HeaderField *string `json:"headerField,omitempty"`
+ // ForwardBody defines whether to send the request body to the authentication server.
+ ForwardBody *bool `json:"forwardBody,omitempty"`
+ // MaxBodySize defines the maximum body size in bytes allowed to be forwarded to the authentication server.
+ MaxBodySize *int64 `json:"maxBodySize,omitempty"`
+ // PreserveLocationHeader defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server.
+ PreserveLocationHeader *bool `json:"preserveLocationHeader,omitempty"`
+ // PreserveRequestMethod defines whether to preserve the original request method while forwarding the request to the authentication server.
+ PreserveRequestMethod *bool `json:"preserveRequestMethod,omitempty"`
+ // AuthSigninURL specifies the URL to redirect to when the authentication server returns 401 Unauthorized.
+ AuthSigninURL *string `json:"authSigninURL,omitempty"`
}
// ForwardAuthApplyConfiguration constructs a declarative configuration of the ForwardAuth type for use with
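Review bot: The TrustForwardHeader comment says what true does but not what false does, and false is the security-relevant half: please state whether client-supplied X-Forwarded-* headers are dropped or overwritten with Traefik's own values when the flag is off, and what the default is. While there, "ie:" should read "i.e.". The same gap applies to MaxBodySize and MaxResponseBodySize further down the struct: say what happens when a body exceeds the limit (request rejected, body truncated, or forwarded without the body) and what the defaults are.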
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/forwardingtimeouts.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/forwardingtimeouts.go
index b24bb3501..028e85fd1 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/forwardingtimeouts.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/forwardingtimeouts.go
@@ -32,12 +32,19 @@ import (
// ForwardingTimeoutsApplyConfiguration represents a declarative configuration of the ForwardingTimeouts type for use
// with apply.
+//
+// ForwardingTimeouts holds the timeout configurations for forwarding requests to the backend servers.
type ForwardingTimeoutsApplyConfiguration struct {
- DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
+ // DialTimeout is the amount of time to wait until a connection to a backend server can be established.
+ DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
+ // ResponseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any).
ResponseHeaderTimeout *intstr.IntOrString `json:"responseHeaderTimeout,omitempty"`
- IdleConnTimeout *intstr.IntOrString `json:"idleConnTimeout,omitempty"`
- ReadIdleTimeout *intstr.IntOrString `json:"readIdleTimeout,omitempty"`
- PingTimeout *intstr.IntOrString `json:"pingTimeout,omitempty"`
+ // IdleConnTimeout is the maximum period for which an idle HTTP keep-alive connection will remain open before closing itself.
+ IdleConnTimeout *intstr.IntOrString `json:"idleConnTimeout,omitempty"`
+ // ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection.
+ ReadIdleTimeout *intstr.IntOrString `json:"readIdleTimeout,omitempty"`
+ // PingTimeout is the timeout after which the HTTP/2 connection will be closed if a response to ping is not received.
+ PingTimeout *intstr.IntOrString `json:"pingTimeout,omitempty"`
}
// ForwardingTimeoutsApplyConfiguration constructs a declarative configuration of the ForwardingTimeouts type for use with
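Review bot: None of the five timeout comments says what the IntOrString accepts (an integer in seconds, a Go duration string such as "30s", or both), what zero means (no timeout or the default), or the default value; for fields typed intstr.IntOrString that is the first thing a user needs. Suggest adding a "Default:" line per field in the style already used for Realm ("Default: traefik.") and EntryPoints ("Default: all.") elsewhere in this patch.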
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/highestrandomweight.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/highestrandomweight.go
index f96acf722..97a5d87ef 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/highestrandomweight.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/highestrandomweight.go
@@ -28,7 +28,11 @@ package v1alpha1
// HighestRandomWeightApplyConfiguration represents a declarative configuration of the HighestRandomWeight type for use
// with apply.
+//
+// HighestRandomWeight holds the highest random weight configuration.
+// More info: https://doc.traefik.io/traefik/v3.7/routing/services/#highest-random-configuration
type HighestRandomWeightApplyConfiguration struct {
+ // Services defines the list of Kubernetes Service and/or TraefikService to load-balance, with weight.
Services []ServiceApplyConfiguration `json:"services,omitempty"`
}
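Review bot: The More info link uses the path /traefik/v3.7/routing/services/#highest-random-configuration, while every other link added in this patch points under /traefik/v3.7/reference/routing-configuration/...; please verify the URL resolves (the anchor reads "highest-random" rather than "highest-random-weight") and align it with the reference path used elsewhere so the generated docs do not mix two documentation trees.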
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroute.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroute.go
index 500cb6192..77f937d97 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroute.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroute.go
@@ -34,8 +34,12 @@ import (
// IngressRouteApplyConfiguration represents a declarative configuration of the IngressRoute type for use
// with apply.
+//
+// IngressRoute is the CRD implementation of a Traefik HTTP Router.
type IngressRouteApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *IngressRouteSpecApplyConfiguration `json:"spec,omitempty"`
}
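Review bot: Spec is the one field in this struct left without a comment while metadata gained one; a one-liner matching the IngressRouteSpec comment further down in the patch ("IngressRouteSpec defines the desired state of IngressRoute") keeps the generated docs consistent. The same gap appears in the IngressRouteTCP, IngressRouteUDP and Middleware hunks below.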
@@ -50,6 +54,7 @@ func IngressRoute(name, namespace string) *IngressRouteApplyConfiguration {
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b IngressRouteApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteref.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteref.go
index aba2dac46..be600628e 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteref.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteref.go
@@ -28,8 +28,12 @@ package v1alpha1
// IngressRouteRefApplyConfiguration represents a declarative configuration of the IngressRouteRef type for use
// with apply.
+//
+// IngressRouteRef is a reference to an IngressRoute resource.
type IngressRouteRefApplyConfiguration struct {
- Name *string `json:"name,omitempty"`
+ // Name defines the name of the referenced IngressRoute resource.
+ Name *string `json:"name,omitempty"`
+ // Namespace defines the namespace of the referenced IngressRoute resource.
Namespace *string `json:"namespace,omitempty"`
}
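Review bot: The Namespace comment does not say what happens when it is omitted, which matters because this reference can cross namespace boundaries: please state whether it defaults to the namespace of the referencing resource and whether a reference into another namespace is honoured by default or gated by a provider-level setting. The MiddlewareRef hunk below has the same gap.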
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutespec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutespec.go
index ee6513f3b..55278a89e 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutespec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutespec.go
@@ -28,12 +28,25 @@ package v1alpha1
// IngressRouteSpecApplyConfiguration represents a declarative configuration of the IngressRouteSpec type for use
// with apply.
+//
+// IngressRouteSpec defines the desired state of IngressRoute.
type IngressRouteSpecApplyConfiguration struct {
- IngressClassName *string `json:"ingressClassName,omitempty"`
- EntryPoints []string `json:"entryPoints,omitempty"`
- Routes []RouteApplyConfiguration `json:"routes,omitempty"`
- TLS *TLSApplyConfiguration `json:"tls,omitempty"`
- ParentRefs []IngressRouteRefApplyConfiguration `json:"parentRefs,omitempty"`
+ // IngressClassName defines the name of the IngressClass cluster resource.
+ IngressClassName *string `json:"ingressClassName,omitempty"`
+ // EntryPoints defines the list of entry point names to bind to.
+ // Entry points have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/entrypoints/
+ // Default: all.
+ EntryPoints []string `json:"entryPoints,omitempty"`
+ // Routes defines the list of routes.
+ Routes []RouteApplyConfiguration `json:"routes,omitempty"`
+ // TLS defines the TLS configuration.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/router/#tls
+ TLS *TLSApplyConfiguration `json:"tls,omitempty"`
+ // ParentRefs defines references to parent IngressRoute resources for multi-layer routing.
+ // When set, this IngressRoute's routers will be children of the referenced parent IngressRoute's routers.
+ // More info: https://doc.traefik.io/traefik/v3.7/routing/routers/#parentrefs
+ ParentRefs []IngressRouteRefApplyConfiguration `json:"parentRefs,omitempty"`
}
// IngressRouteSpecApplyConfiguration constructs a declarative configuration of the IngressRouteSpec type for use with
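Review bot: The ParentRefs More info URL (/traefik/v3.7/routing/routers/#parentrefs) uses a different documentation path from the TLS and EntryPoints links in the same struct, which point under /reference/...; please check the link resolves and use one path convention. The ParentRefs text itself could also spell out the matching semantics, since "will be children of the referenced parent IngressRoute's routers" does not tell the reader whether a child route is only evaluated once the parent rule has matched.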
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutetcp.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutetcp.go
index 7a07a2d40..741383ccc 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutetcp.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutetcp.go
@@ -34,8 +34,12 @@ import (
// IngressRouteTCPApplyConfiguration represents a declarative configuration of the IngressRouteTCP type for use
// with apply.
+//
+// IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
type IngressRouteTCPApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *IngressRouteTCPSpecApplyConfiguration `json:"spec,omitempty"`
}
@@ -50,6 +54,7 @@ func IngressRouteTCP(name, namespace string) *IngressRouteTCPApplyConfiguration
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b IngressRouteTCPApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutetcpspec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutetcpspec.go
index 016fd2eda..bc41171e8 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutetcpspec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressroutetcpspec.go
@@ -28,11 +28,21 @@ package v1alpha1
// IngressRouteTCPSpecApplyConfiguration represents a declarative configuration of the IngressRouteTCPSpec type for use
// with apply.
+//
+// IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
type IngressRouteTCPSpecApplyConfiguration struct {
- IngressClassName *string `json:"ingressClassName,omitempty"`
- EntryPoints []string `json:"entryPoints,omitempty"`
- Routes []RouteTCPApplyConfiguration `json:"routes,omitempty"`
- TLS *TLSTCPApplyConfiguration `json:"tls,omitempty"`
+ // IngressClassName defines the name of the IngressClass cluster resource.
+ IngressClassName *string `json:"ingressClassName,omitempty"`
+ // EntryPoints defines the list of entry point names to bind to.
+ // Entry points have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/entrypoints/
+ // Default: all.
+ EntryPoints []string `json:"entryPoints,omitempty"`
+ // Routes defines the list of routes.
+ Routes []RouteTCPApplyConfiguration `json:"routes,omitempty"`
+ // TLS defines the TLS configuration on a layer 4 / TCP Route.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/router/#tls
+ TLS *TLSTCPApplyConfiguration `json:"tls,omitempty"`
}
// IngressRouteTCPSpecApplyConfiguration constructs a declarative configuration of the IngressRouteTCPSpec type for use with
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteudp.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteudp.go
index 487e9c87a..cd94067cb 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteudp.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteudp.go
@@ -34,8 +34,12 @@ import (
// IngressRouteUDPApplyConfiguration represents a declarative configuration of the IngressRouteUDP type for use
// with apply.
+//
+// IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
type IngressRouteUDPApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *IngressRouteUDPSpecApplyConfiguration `json:"spec,omitempty"`
}
@@ -50,6 +54,7 @@ func IngressRouteUDP(name, namespace string) *IngressRouteUDPApplyConfiguration
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b IngressRouteUDPApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteudpspec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteudpspec.go
index cb40ee030..240c38445 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteudpspec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ingressrouteudpspec.go
@@ -28,10 +28,18 @@ package v1alpha1
// IngressRouteUDPSpecApplyConfiguration represents a declarative configuration of the IngressRouteUDPSpec type for use
// with apply.
+//
+// IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
type IngressRouteUDPSpecApplyConfiguration struct {
- IngressClassName *string `json:"ingressClassName,omitempty"`
- EntryPoints []string `json:"entryPoints,omitempty"`
- Routes []RouteUDPApplyConfiguration `json:"routes,omitempty"`
+ // IngressClassName defines the name of the IngressClass cluster resource.
+ IngressClassName *string `json:"ingressClassName,omitempty"`
+ // EntryPoints defines the list of entry point names to bind to.
+ // Entry points have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/entrypoints/
+ // Default: all.
+ EntryPoints []string `json:"entryPoints,omitempty"`
+ // Routes defines the list of routes.
+ Routes []RouteUDPApplyConfiguration `json:"routes,omitempty"`
}
// IngressRouteUDPSpecApplyConfiguration constructs a declarative configuration of the IngressRouteUDPSpec type for use with
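Review bot: "desired state of a IngressRouteUDP" should be "an IngressRouteUDP"; the HTTP and TCP counterparts in this patch drop the article altogether ("defines the desired state of IngressRouteTCP"), so pick one form for all three.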
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/loadbalancerspec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/loadbalancerspec.go
index d4fffd444..89081e0f0 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/loadbalancerspec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/loadbalancerspec.go
@@ -33,22 +33,59 @@ import (
// LoadBalancerSpecApplyConfiguration represents a declarative configuration of the LoadBalancerSpec type for use
// with apply.
+//
+// LoadBalancerSpec defines the desired state of LoadBalancer.
+// It can reference either a Kubernetes Service object (a load-balancer of servers),
+// or a TraefikService object (a load-balancer of Traefik services).
type LoadBalancerSpecApplyConfiguration struct {
- Name *string `json:"name,omitempty"`
- Kind *string `json:"kind,omitempty"`
- Namespace *string `json:"namespace,omitempty"`
- Middlewares []MiddlewareRefApplyConfiguration `json:"middlewares,omitempty"`
- Sticky *dynamic.Sticky `json:"sticky,omitempty"`
- Port *intstr.IntOrString `json:"port,omitempty"`
- Scheme *string `json:"scheme,omitempty"`
- Strategy *dynamic.BalancerStrategy `json:"strategy,omitempty"`
- PassHostHeader *bool `json:"passHostHeader,omitempty"`
- ResponseForwarding *ResponseForwardingApplyConfiguration `json:"responseForwarding,omitempty"`
- ServersTransport *string `json:"serversTransport,omitempty"`
- Weight *int `json:"weight,omitempty"`
- NativeLB *bool `json:"nativeLB,omitempty"`
- NodePortLB *bool `json:"nodePortLB,omitempty"`
- HealthCheck *ServerHealthCheckApplyConfiguration `json:"healthCheck,omitempty"`
+ // Name defines the name of the referenced Kubernetes Service or TraefikService.
+ // The differentiation between the two is specified in the Kind field.
+ Name *string `json:"name,omitempty"`
+ // Kind defines the kind of the Service.
+ Kind *string `json:"kind,omitempty"`
+ // Namespace defines the namespace of the referenced Kubernetes Service or TraefikService.
+ Namespace *string `json:"namespace,omitempty"`
+ // Middlewares defines the list of references to Middleware resources to apply to the service.
+ Middlewares []MiddlewareRefApplyConfiguration `json:"middlewares,omitempty"`
+ // Sticky defines the sticky sessions configuration.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+ Sticky *dynamic.Sticky `json:"sticky,omitempty"`
+ // Port defines the port of a Kubernetes Service.
+ // This can be a reference to a named port.
+ Port *intstr.IntOrString `json:"port,omitempty"`
+ // Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+ // It defaults to https when Kubernetes Service port is 443, http otherwise.
+ Scheme *string `json:"scheme,omitempty"`
+ // Strategy defines the load balancing strategy between the servers.
+ // Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
+ // RoundRobin value is deprecated and supported for backward compatibility.
+ // TODO: when the deprecated RoundRobin value will be removed, set the default kubebuilder value to wrr.
+ Strategy *dynamic.BalancerStrategy `json:"strategy,omitempty"`
+ // PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+ // By default, passHostHeader is true.
+ PassHostHeader *bool `json:"passHostHeader,omitempty"`
+ // ResponseForwarding defines how Traefik forwards the response from the upstream Kubernetes Service to the client.
+ ResponseForwarding *ResponseForwardingApplyConfiguration `json:"responseForwarding,omitempty"`
+ // ServersTransport defines the name of ServersTransport resource to use.
+ // It allows to configure the transport between Traefik and your servers.
+ // Can only be used on a Kubernetes Service.
+ ServersTransport *string `json:"serversTransport,omitempty"`
+ // Weight defines the weight and should only be specified when Name references a TraefikService object
+ // (and to be precise, one that embeds a Weighted Round Robin).
+ Weight *int `json:"weight,omitempty"`
+ // NativeLB controls, when creating the load-balancer,
+ // whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ // The Kubernetes Service itself does load-balance to the pods.
+ // By default, NativeLB is false.
+ NativeLB *bool `json:"nativeLB,omitempty"`
+ // NodePortLB controls, when creating the load-balancer,
+ // whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ // It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ // By default, NodePortLB is false.
+ NodePortLB *bool `json:"nodePortLB,omitempty"`
+ // Healthcheck defines health checks for ExternalName services.
+ HealthCheck *ServerHealthCheckApplyConfiguration `json:"healthCheck,omitempty"`
+ // PassiveHealthCheck defines passive health checks for ExternalName services.
PassiveHealthCheck *PassiveServerHealthCheckApplyConfiguration `json:"passiveHealthCheck,omitempty"`
}
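Review bot: The TODO line under Strategy is a maintainer note, not user documentation, and since these comments flow into the generated docs it should be moved out of the doc comment or dropped. Also in this hunk: "Weighed round-robin" should be "Weighted round-robin"; the HealthCheck comment starts with "Healthcheck", which does not match the field name and breaks the identifier-first convention every other comment here follows; and Kind, which the Name comment points to for telling a Service from a TraefikService, should list the accepted values rather than just "defines the kind of the Service".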
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middleware.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middleware.go
index 98cbf2853..6b63dad25 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middleware.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middleware.go
@@ -34,8 +34,13 @@ import (
// MiddlewareApplyConfiguration represents a declarative configuration of the Middleware type for use
// with apply.
+//
+// Middleware is the CRD implementation of a Traefik Middleware.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/overview/
type MiddlewareApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *MiddlewareSpecApplyConfiguration `json:"spec,omitempty"`
}
@@ -50,6 +55,7 @@ func Middleware(name, namespace string) *MiddlewareApplyConfiguration {
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b MiddlewareApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewareref.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewareref.go
index 393a71232..8396d6e10 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewareref.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewareref.go
@@ -28,8 +28,12 @@ package v1alpha1
// MiddlewareRefApplyConfiguration represents a declarative configuration of the MiddlewareRef type for use
// with apply.
+//
+// MiddlewareRef is a reference to a Middleware resource.
type MiddlewareRefApplyConfiguration struct {
- Name *string `json:"name,omitempty"`
+ // Name defines the name of the referenced Middleware resource.
+ Name *string `json:"name,omitempty"`
+ // Namespace defines the namespace of the referenced Middleware resource.
Namespace *string `json:"namespace,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewarespec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewarespec.go
index 138aecb49..cfede5936 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewarespec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewarespec.go
@@ -33,13 +33,16 @@ import (
// MiddlewareSpecApplyConfiguration represents a declarative configuration of the MiddlewareSpec type for use
// with apply.
+//
+// MiddlewareSpec defines the desired state of a Middleware.
type MiddlewareSpecApplyConfiguration struct {
- AddPrefix *dynamic.AddPrefix `json:"addPrefix,omitempty"`
- StripPrefix *dynamic.StripPrefix `json:"stripPrefix,omitempty"`
- StripPrefixRegex *dynamic.StripPrefixRegex `json:"stripPrefixRegex,omitempty"`
- ReplacePath *dynamic.ReplacePath `json:"replacePath,omitempty"`
- ReplacePathRegex *dynamic.ReplacePathRegex `json:"replacePathRegex,omitempty"`
- Chain *ChainApplyConfiguration `json:"chain,omitempty"`
+ AddPrefix *dynamic.AddPrefix `json:"addPrefix,omitempty"`
+ StripPrefix *dynamic.StripPrefix `json:"stripPrefix,omitempty"`
+ StripPrefixRegex *dynamic.StripPrefixRegex `json:"stripPrefixRegex,omitempty"`
+ ReplacePath *dynamic.ReplacePath `json:"replacePath,omitempty"`
+ ReplacePathRegex *dynamic.ReplacePathRegex `json:"replacePathRegex,omitempty"`
+ Chain *ChainApplyConfiguration `json:"chain,omitempty"`
+ // Deprecated: please use IPAllowList instead.
IPWhiteList *dynamic.IPWhiteList `json:"ipWhiteList,omitempty"`
IPAllowList *dynamic.IPAllowList `json:"ipAllowList,omitempty"`
Headers *dynamic.Headers `json:"headers,omitempty"`
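Review bot: the field documentation in this hunk is incomplete and inconsistent with the TCP counterpart in the same patch. Only IPWhiteList gains a comment, and it is the bare `// Deprecated: please use IPAllowList instead.` line, while AddPrefix, StripPrefix, StripPrefixRegex, ReplacePath, ReplacePathRegex, Chain, IPAllowList and Headers stay undocumented; the MiddlewareTCPSpec change documents every field and puts a descriptive line plus a `More info:` link before the deprecation marker. Suggest the same pattern here, so that a reader of the generated CRD description learns what the deprecated field does and what replaces it. Since this file is under `generated/`, add the comments on the source API types and rerun the generator rather than editing this file.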
@@ -59,7 +62,9 @@ type MiddlewareSpecApplyConfiguration struct {
Retry *RetryApplyConfiguration `json:"retry,omitempty"`
ContentType *dynamic.ContentType `json:"contentType,omitempty"`
GrpcWeb *dynamic.GrpcWeb `json:"grpcWeb,omitempty"`
- Plugin map[string]v1.JSON `json:"plugin,omitempty"`
+ // Plugin defines the middleware plugin configuration.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/overview/#community-middlewares
+ Plugin map[string]v1.JSON `json:"plugin,omitempty"`
}
// MiddlewareSpecApplyConfiguration constructs a declarative configuration of the MiddlewareSpec type for use with
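Review bot: the `More info:` link added for Plugin is pinned to `https://doc.traefik.io/traefik/v3.7/...`, and the same pinned prefix is used by every link in this patch. Each minor release will therefore either leave stale links baked into the published CRD descriptions or require regenerating all of them. If the docs site exposes a stable alias for the current release, link to that from the source types; if not, add a step to the release checklist that bumps these URLs together with the version.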
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewaretcp.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewaretcp.go
index 7a8b92f55..4c2917751 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewaretcp.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewaretcp.go
@@ -34,8 +34,13 @@ import (
// MiddlewareTCPApplyConfiguration represents a declarative configuration of the MiddlewareTCP type for use
// with apply.
+//
+// MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/middlewares/overview/
type MiddlewareTCPApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *MiddlewareTCPSpecApplyConfiguration `json:"spec,omitempty"`
}
@@ -50,6 +55,7 @@ func MiddlewareTCP(name, namespace string) *MiddlewareTCPApplyConfiguration {
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b MiddlewareTCPApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewaretcpspec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewaretcpspec.go
index 81e751c57..c456452fc 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewaretcpspec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewaretcpspec.go
@@ -32,10 +32,21 @@ import (
// MiddlewareTCPSpecApplyConfiguration represents a declarative configuration of the MiddlewareTCPSpec type for use
// with apply.
+//
+// MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
type MiddlewareTCPSpecApplyConfiguration struct {
+ // InFlightConn defines the InFlightConn middleware configuration.
InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"`
- IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"`
- IPAllowList *dynamic.TCPIPAllowList `json:"ipAllowList,omitempty"`
+ // IPWhiteList defines the IPWhiteList middleware configuration.
+ // This middleware accepts/refuses connections based on the client IP.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/middlewares/ipwhitelist/
+ //
+ // Deprecated: please use IPAllowList instead.
+ IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"`
+ // IPAllowList defines the IPAllowList middleware configuration.
+ // This middleware accepts/refuses connections based on the client IP.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/middlewares/ipallowlist/
+ IPAllowList *dynamic.TCPIPAllowList `json:"ipAllowList,omitempty"`
}
// MiddlewareTCPSpecApplyConfiguration constructs a declarative configuration of the MiddlewareTCPSpec type for use with
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/mirroring.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/mirroring.go
index 1c7981fbf..e2d01275c 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/mirroring.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/mirroring.go
@@ -33,11 +33,20 @@ import (
// MirroringApplyConfiguration represents a declarative configuration of the Mirroring type for use
// with apply.
+//
+// Mirroring holds the mirroring service configuration.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#mirroring
type MirroringApplyConfiguration struct {
LoadBalancerSpecApplyConfiguration `json:",inline"`
- MirrorBody *bool `json:"mirrorBody,omitempty"`
- MaxBodySize *int64 `json:"maxBodySize,omitempty"`
- Mirrors []MirrorServiceApplyConfiguration `json:"mirrors,omitempty"`
+ // MirrorBody defines whether the body of the request should be mirrored.
+ // Default value is true.
+ MirrorBody *bool `json:"mirrorBody,omitempty"`
+ // MaxBodySize defines the maximum size allowed for the body of the request.
+ // If the body is larger, the request is not mirrored.
+ // Default value is -1, which means unlimited size.
+ MaxBodySize *int64 `json:"maxBodySize,omitempty"`
+ // Mirrors defines the list of mirrors where Traefik will duplicate the traffic.
+ Mirrors []MirrorServiceApplyConfiguration `json:"mirrors,omitempty"`
}
// MirroringApplyConfiguration constructs a declarative configuration of the Mirroring type for use with
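Review bot: the new MirrorBody and MaxBodySize comments leave the cost of the defaults unstated. `// Default value is true.` for MirrorBody together with `// Default value is -1, which means unlimited size.` for MaxBodySize means that, out of the box, every request body is handed to every mirror with no size bound, and a body can only be sent to several mirrors if it is held and replayed; nothing here tells the reader that, so the two fields read as harmless toggles. Suggest saying on MaxBodySize that the limit bounds what is retained per request while mirroring and recommending an explicit value for production Mirroring definitions. Also state the unit (bytes), since the field is a bare int64.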
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/mirrorservice.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/mirrorservice.go
index 79dd60441..7272f6af8 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/mirrorservice.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/mirrorservice.go
@@ -33,9 +33,13 @@ import (
// MirrorServiceApplyConfiguration represents a declarative configuration of the MirrorService type for use
// with apply.
+//
+// MirrorService holds the mirror configuration.
type MirrorServiceApplyConfiguration struct {
LoadBalancerSpecApplyConfiguration `json:",inline"`
- Percent *int `json:"percent,omitempty"`
+ // Percent defines the part of the traffic to mirror.
+ // Supported values: 0 to 100.
+ Percent *int `json:"percent,omitempty"`
}
// MirrorServiceApplyConfiguration constructs a declarative configuration of the MirrorService type for use with
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/objectreference.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/objectreference.go
index bf48afb3e..165dec4ae 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/objectreference.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/objectreference.go
@@ -28,8 +28,12 @@ package v1alpha1
// ObjectReferenceApplyConfiguration represents a declarative configuration of the ObjectReference type for use
// with apply.
+//
+// ObjectReference is a generic reference to a Traefik resource.
type ObjectReferenceApplyConfiguration struct {
- Name *string `json:"name,omitempty"`
+ // Name defines the name of the referenced Traefik resource.
+ Name *string `json:"name,omitempty"`
+ // Namespace defines the namespace of the referenced Traefik resource.
Namespace *string `json:"namespace,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/passiveserverhealthcheck.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/passiveserverhealthcheck.go
index f584e214c..5c8514cf8 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/passiveserverhealthcheck.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/passiveserverhealthcheck.go
@@ -33,8 +33,10 @@ import (
// PassiveServerHealthCheckApplyConfiguration represents a declarative configuration of the PassiveServerHealthCheck type for use
// with apply.
type PassiveServerHealthCheckApplyConfiguration struct {
- FailureWindow *intstr.IntOrString `json:"failureWindow,omitempty"`
- MaxFailedAttempts *int `json:"maxFailedAttempts,omitempty"`
+ // FailureWindow defines the time window during which the failed attempts must occur for the server to be marked as unhealthy. It also defines for how long the server will be considered unhealthy.
+ FailureWindow *intstr.IntOrString `json:"failureWindow,omitempty"`
+ // MaxFailedAttempts is the number of consecutive failed attempts allowed within the failure window before marking the server as unhealthy.
+ MaxFailedAttempts *int `json:"maxFailedAttempts,omitempty"`
}
// PassiveServerHealthCheckApplyConfiguration constructs a declarative configuration of the PassiveServerHealthCheck type for use with
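Review bot: the two new comments are single lines far wider than the wrapped comments used everywhere else in this patch (compare the Redis and RateLimit hunks); wrap them. The MaxFailedAttempts wording also leaves the boundary ambiguous: `allowed within the failure window before marking the server as unhealthy` can be read as either the Nth failure marking the server unhealthy or the (N+1)th doing so; spell out which, and say whether a successful response resets the count, since the comment says "consecutive". The FailureWindow comment packs two meanings into one sentence (the window in which failures are counted, and how long the server then stays unhealthy); split it into two lines and name the accepted formats for the IntOrString, as the Retry comments do ("in seconds or as a valid duration format").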
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ratelimit.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ratelimit.go
index 8af058d67..1081548d6 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ratelimit.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/ratelimit.go
@@ -33,12 +33,28 @@ import (
// RateLimitApplyConfiguration represents a declarative configuration of the RateLimit type for use
// with apply.
+//
+// RateLimit holds the rate limit configuration.
+// This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/ratelimit/
type RateLimitApplyConfiguration struct {
- Average *int64 `json:"average,omitempty"`
- Period *intstr.IntOrString `json:"period,omitempty"`
- Burst *int64 `json:"burst,omitempty"`
+ // Average is the maximum rate, by default in requests/s, allowed for the given source.
+ // It defaults to 0, which means no rate limiting.
+ // The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,
+ // one needs to define a Period larger than a second.
+ Average *int64 `json:"average,omitempty"`
+ // Period, in combination with Average, defines the actual maximum rate, such as:
+ // r = Average / Period. It defaults to a second.
+ Period *intstr.IntOrString `json:"period,omitempty"`
+ // Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.
+ // It defaults to 1.
+ Burst *int64 `json:"burst,omitempty"`
+ // SourceCriterion defines what criterion is used to group requests as originating from a common source.
+ // If several strategies are defined at the same time, an error will be raised.
+ // If none are set, the default is to use the request's remote address field (as an ipStrategy).
SourceCriterion *dynamic.SourceCriterion `json:"sourceCriterion,omitempty"`
- Redis *RedisApplyConfiguration `json:"redis,omitempty"`
+ // Redis hold the configs of Redis as bucket in rate limiter.
+ Redis *RedisApplyConfiguration `json:"redis,omitempty"`
}
// RateLimitApplyConfiguration constructs a declarative configuration of the RateLimit type for use with
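Review bot: grammar in the Redis comment at the end of the hunk: `// Redis hold the configs of Redis as bucket in rate limiter.` should read along the lines of "Redis holds the configuration of the Redis instance used as the rate limiter's bucket store." Because this file is generated from the API types, make the fix on the source struct's comment and regenerate, otherwise the next codegen pass overwrites it. Two smaller points in the same hunk: `1req/s` in the Average comment should be "1 req/s" to match "requests/s" two lines above, and the SourceCriterion comment says "an error will be raised" when several strategies are set without saying when (at configuration load or per request), which an operator validating a Middleware needs to know.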
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/redis.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/redis.go
index f402ac375..fc6b00fc7 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/redis.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/redis.go
@@ -32,17 +32,40 @@ import (
// RedisApplyConfiguration represents a declarative configuration of the Redis type for use
// with apply.
+//
+// Redis contains the configuration for using Redis in middleware.
+// In a Kubernetes setup, the username and password are stored in a Secret file within the same namespace as the middleware.
type RedisApplyConfiguration struct {
- Endpoints []string `json:"endpoints,omitempty"`
- TLS *ClientTLSApplyConfiguration `json:"tls,omitempty"`
- Secret *string `json:"secret,omitempty"`
- DB *int `json:"db,omitempty"`
- PoolSize *int `json:"poolSize,omitempty"`
- MinIdleConns *int `json:"minIdleConns,omitempty"`
- MaxActiveConns *int `json:"maxActiveConns,omitempty"`
- ReadTimeout *intstr.IntOrString `json:"readTimeout,omitempty"`
- WriteTimeout *intstr.IntOrString `json:"writeTimeout,omitempty"`
- DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
+ // Endpoints contains either a single address or a seed list of host:port addresses.
+ // Default value is ["localhost:6379"].
+ Endpoints []string `json:"endpoints,omitempty"`
+ // TLS defines TLS-specific configurations, including the CA, certificate, and key,
+ // which can be provided as a file path or file content.
+ TLS *ClientTLSApplyConfiguration `json:"tls,omitempty"`
+ // Secret defines the name of the referenced Kubernetes Secret containing Redis credentials.
+ Secret *string `json:"secret,omitempty"`
+ // DB defines the Redis database that will be selected after connecting to the server.
+ DB *int `json:"db,omitempty"`
+ // PoolSize defines the initial number of socket connections.
+ // If the pool runs out of available connections, additional ones will be created beyond PoolSize.
+ // This can be limited using MaxActiveConns.
+ // // Default value is 0, meaning 10 connections per every available CPU as reported by runtime.GOMAXPROCS.
+ PoolSize *int `json:"poolSize,omitempty"`
+ // MinIdleConns defines the minimum number of idle connections.
+ // Default value is 0, and idle connections are not closed by default.
+ MinIdleConns *int `json:"minIdleConns,omitempty"`
+ // MaxActiveConns defines the maximum number of connections allocated by the pool at a given time.
+ // Default value is 0, meaning there is no limit.
+ MaxActiveConns *int `json:"maxActiveConns,omitempty"`
+ // ReadTimeout defines the timeout for socket read operations.
+ // Default value is 3 seconds.
+ ReadTimeout *intstr.IntOrString `json:"readTimeout,omitempty"`
+ // WriteTimeout defines the timeout for socket write operations.
+ // Default value is 3 seconds.
+ WriteTimeout *intstr.IntOrString `json:"writeTimeout,omitempty"`
+ // DialTimeout sets the timeout for establishing new connections.
+ // Default value is 5 seconds.
+ DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
}
// RedisApplyConfiguration constructs a declarative configuration of the Redis type for use with
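Review bot: doubled comment marker on the PoolSize field: `// // Default value is 0, meaning 10 connections per every available CPU as reported by runtime.GOMAXPROCS.` should start with a single `//` like the surrounding lines (fix on the source type and regenerate, as for the other generated files). Two documentation points: the type comment says the username and password are stored in "a Secret file within the same namespace as the middleware", but the Secret field comment never names the keys that are read from that Secret, so an operator cannot write a correct Secret from this doc alone; name them, and say "Secret" rather than "Secret file" since it is a Kubernetes Secret object, not a file. The TLS comment says the CA, certificate and key "can be provided as a file path or file content"; for a resource consumed in-cluster it is worth stating where a file path is resolved, because a path only makes sense if it is mounted into the Traefik pod.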
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/responseforwarding.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/responseforwarding.go
index 73b5936f6..819bdfcf1 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/responseforwarding.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/responseforwarding.go
@@ -29,6 +29,11 @@ package v1alpha1
// ResponseForwardingApplyConfiguration represents a declarative configuration of the ResponseForwarding type for use
// with apply.
type ResponseForwardingApplyConfiguration struct {
+ // FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+ // A negative value means to flush immediately after each write to the client.
+ // This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+ // for such responses, writes are flushed to the client immediately.
+ // Default: 100ms
FlushInterval *string `json:"flushInterval,omitempty"`
}
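Review bot: the FlushInterval comment contradicts the field type. It says the interval is "in milliseconds", but the field is `FlushInterval *string` and the stated default is `100ms`, i.e. a duration string; a user reading "in milliseconds" may set `flushInterval: "100"` and get something other than 100 ms. Replace "in milliseconds" with the wording the Retry comments in this patch already use for durations ("in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration"), or whatever formats this string field actually accepts, and align `Default: 100ms` with the "Default value is ..." phrasing used elsewhere in the patch.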
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/retry.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/retry.go
index 611903dd1..cdf61c8a9 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/retry.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/retry.go
@@ -32,14 +32,33 @@ import (
// RetryApplyConfiguration represents a declarative configuration of the Retry type for use
// with apply.
+//
+// Retry holds the retry middleware configuration.
+// This middleware reissues requests a given number of times to a backend server if that server does not reply.
+// As soon as the server answers, the middleware stops retrying, regardless of the response status.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/retry/
type RetryApplyConfiguration struct {
- Attempts *int `json:"attempts,omitempty"`
- Timeout *intstr.IntOrString `json:"timeout,omitempty"`
- InitialInterval *intstr.IntOrString `json:"initialInterval,omitempty"`
- MaxRequestBodyBytes *int64 `json:"maxRequestBodyBytes,omitempty"`
- Status []string `json:"status,omitempty"`
- DisableRetryOnNetworkError *bool `json:"disableRetryOnNetworkError,omitempty"`
- RetryNonIdempotentMethod *bool `json:"retryNonIdempotentMethod,omitempty"`
+ // Attempts defines how many times the request should be retried.
+ Attempts *int `json:"attempts,omitempty"`
+ // Timeout defines how much time the middleware is allowed to retry the request.
+ // The value of timeout should be provided in seconds or as a valid duration format,
+ // see https://pkg.go.dev/time#ParseDuration.
+ Timeout *intstr.IntOrString `json:"timeout,omitempty"`
+ // InitialInterval defines the first wait time in the exponential backoff series.
+ // The maximum interval is calculated as twice the initialInterval.
+ // If unspecified, requests will be retried immediately.
+ // The value of initialInterval should be provided in seconds or as a valid duration format,
+ // see https://pkg.go.dev/time#ParseDuration.
+ InitialInterval *intstr.IntOrString `json:"initialInterval,omitempty"`
+ // MaxRequestBodyBytes defines the maximum size for the request body.
+ // Default is `-1`, which means no limit.
+ MaxRequestBodyBytes *int64 `json:"maxRequestBodyBytes,omitempty"`
+ // Status defines the range of HTTP status codes to retry on.
+ Status []string `json:"status,omitempty"`
+ // DisableRetryOnNetworkError defines whether to disable the retry if an error occurs when transmitting the request to the server.
+ DisableRetryOnNetworkError *bool `json:"disableRetryOnNetworkError,omitempty"`
+ // RetryNonIdempotentMethod activates the retry for non-idempotent methods (POST, LOCK, PATCH)
+ RetryNonIdempotentMethod *bool `json:"retryNonIdempotentMethod,omitempty"`
}
// RetryApplyConfiguration constructs a declarative configuration of the Retry type for use with
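Review bot: the RetryNonIdempotentMethod comment (`// RetryNonIdempotentMethod activates the retry for non-idempotent methods (POST, LOCK, PATCH)`) is missing its period and, more importantly, says nothing about the consequence of enabling it: reissuing a POST, PATCH or LOCK that the backend may already have processed can apply the side effect twice, so the option should carry a one-line warning that it is only safe when the backend deduplicates (idempotency keys or equivalent). Smaller points in the same hunk: `Default is \`-1\`` uses backticks while every other default in this patch is plain text; the Attempts comment ("how many times the request should be retried") should say whether the initial request is counted; and the MaxRequestBodyBytes comment should state what happens to a request whose body exceeds the limit (not retried at all, or retried without the body), since a body can only be resent if it was retained, which is presumably why the limit exists.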
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/rootca.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/rootca.go
index 04df7315a..127af7e0a 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/rootca.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/rootca.go
@@ -28,8 +28,15 @@ package v1alpha1
// RootCAApplyConfiguration represents a declarative configuration of the RootCA type for use
// with apply.
+//
+// RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
+// If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
type RootCAApplyConfiguration struct {
- Secret *string `json:"secret,omitempty"`
+ // Secret defines the name of a Secret that holds a CA certificate.
+ // The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
+ Secret *string `json:"secret,omitempty"`
+ // ConfigMap defines the name of a ConfigMap that holds a CA certificate.
+ // The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
ConfigMap *string `json:"configMap,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/route.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/route.go
index ef9703108..bdb04f4d3 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/route.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/route.go
@@ -32,13 +32,32 @@ import (
// RouteApplyConfiguration represents a declarative configuration of the Route type for use
// with apply.
+//
+// Route holds the HTTP route configuration.
type RouteApplyConfiguration struct {
- Match *string `json:"match,omitempty"`
- Kind *string `json:"kind,omitempty"`
- Priority *int `json:"priority,omitempty"`
- Syntax *string `json:"syntax,omitempty"`
- Services []ServiceApplyConfiguration `json:"services,omitempty"`
- Middlewares []MiddlewareRefApplyConfiguration `json:"middlewares,omitempty"`
+ // Match defines the router's rule.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/rules-and-priority/
+ Match *string `json:"match,omitempty"`
+ // Kind defines the kind of the route.
+ // Rule is the only supported kind.
+ // If not defined, defaults to Rule.
+ Kind *string `json:"kind,omitempty"`
+ // Priority defines the router's priority.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/rules-and-priority/#priority
+ Priority *int `json:"priority,omitempty"`
+ // Syntax defines the router's rule syntax.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
+ //
+ // Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
+ Syntax *string `json:"syntax,omitempty"`
+ // Services defines the list of Service.
+ // It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
+ Services []ServiceApplyConfiguration `json:"services,omitempty"`
+ // Middlewares defines the list of references to Middleware resources.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/middleware/
+ Middlewares []MiddlewareRefApplyConfiguration `json:"middlewares,omitempty"`
+ // Observability defines the observability configuration for a router.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/observability/
Observability *dynamic.RouterObservabilityConfig `json:"observability,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/routetcp.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/routetcp.go
index a6e7c263e..bc701653f 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/routetcp.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/routetcp.go
@@ -28,11 +28,23 @@ package v1alpha1
// RouteTCPApplyConfiguration represents a declarative configuration of the RouteTCP type for use
// with apply.
+//
+// RouteTCP holds the TCP route configuration.
type RouteTCPApplyConfiguration struct {
- Match *string `json:"match,omitempty"`
- Priority *int `json:"priority,omitempty"`
- Syntax *string `json:"syntax,omitempty"`
- Services []ServiceTCPApplyConfiguration `json:"services,omitempty"`
+ // Match defines the router's rule.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/rules-and-priority/
+ Match *string `json:"match,omitempty"`
+ // Priority defines the router's priority.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/rules-and-priority/#priority
+ Priority *int `json:"priority,omitempty"`
+ // Syntax defines the router's rule syntax.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
+ //
+ // Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
+ Syntax *string `json:"syntax,omitempty"`
+ // Services defines the list of TCP services.
+ Services []ServiceTCPApplyConfiguration `json:"services,omitempty"`
+ // Middlewares defines the list of references to MiddlewareTCP resources.
Middlewares []ObjectReferenceApplyConfiguration `json:"middlewares,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/routeudp.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/routeudp.go
index 13a49e2ed..080079023 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/routeudp.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/routeudp.go
@@ -28,7 +28,10 @@ package v1alpha1
// RouteUDPApplyConfiguration represents a declarative configuration of the RouteUDP type for use
// with apply.
+//
+// RouteUDP holds the UDP route configuration.
type RouteUDPApplyConfiguration struct {
+ // Services defines the list of UDP services.
Services []ServiceUDPApplyConfiguration `json:"services,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverhealthcheck.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverhealthcheck.go
index c39a2ac05..f47e54393 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverhealthcheck.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverhealthcheck.go
@@ -33,18 +33,37 @@ import (
// ServerHealthCheckApplyConfiguration represents a declarative configuration of the ServerHealthCheck type for use
// with apply.
type ServerHealthCheckApplyConfiguration struct {
- Scheme *string `json:"scheme,omitempty"`
- Mode *string `json:"mode,omitempty"`
- Path *string `json:"path,omitempty"`
- Method *string `json:"method,omitempty"`
- Status *int `json:"status,omitempty"`
- Port *int `json:"port,omitempty"`
- Interval *intstr.IntOrString `json:"interval,omitempty"`
+ // Scheme replaces the server URL scheme for the health check endpoint.
+ Scheme *string `json:"scheme,omitempty"`
+ // Mode defines the health check mode.
+ // If defined to grpc, will use the gRPC health check protocol to probe the server.
+ // Default: http
+ Mode *string `json:"mode,omitempty"`
+ // Path defines the server URL path for the health check endpoint.
+ Path *string `json:"path,omitempty"`
+ // Method defines the healthcheck method.
+ Method *string `json:"method,omitempty"`
+ // Status defines the expected HTTP status code of the response to the health check request.
+ Status *int `json:"status,omitempty"`
+ // Port defines the server URL port for the health check endpoint.
+ Port *int `json:"port,omitempty"`
+ // Interval defines the frequency of the health check calls for healthy targets.
+ // Default: 30s
+ Interval *intstr.IntOrString `json:"interval,omitempty"`
+ // UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+ // When UnhealthyInterval is not defined, it defaults to the Interval value.
+ // Default: 30s
UnhealthyInterval *intstr.IntOrString `json:"unhealthyInterval,omitempty"`
- Timeout *intstr.IntOrString `json:"timeout,omitempty"`
- Hostname *string `json:"hostname,omitempty"`
- FollowRedirects *bool `json:"followRedirects,omitempty"`
- Headers map[string]string `json:"headers,omitempty"`
+ // Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+ // Default: 5s
+ Timeout *intstr.IntOrString `json:"timeout,omitempty"`
+ // Hostname defines the value of hostname in the Host header of the health check request.
+ Hostname *string `json:"hostname,omitempty"`
+ // FollowRedirects defines whether redirects should be followed during the health check calls.
+ // Default: true
+ FollowRedirects *bool `json:"followRedirects,omitempty"`
+ // Headers defines custom headers to be sent to the health check endpoint.
+ Headers map[string]string `json:"headers,omitempty"`
}
// ServerHealthCheckApplyConfiguration constructs a declarative configuration of the ServerHealthCheck type for use with
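Review bot: grammar in the Mode comment: `// If defined to grpc, will use the gRPC health check protocol to probe the server.` should read "If set to grpc, the gRPC health check protocol is used to probe the server." The UnhealthyInterval comment is internally inconsistent: "When UnhealthyInterval is not defined, it defaults to the Interval value." is immediately followed by `// Default: 30s`; keep one statement (it defaults to Interval, whose own default is 30s) so that someone who sets `interval: 10s` does not expect 30s here. "healthcheck" in the Method comment should be "health check" as in the rest of the file. Finally, the FollowRedirects comment gives the default (true) but not whether a redirect to a different host is followed as part of the check; if it is, say so, because a probe that succeeds by following a redirect elsewhere is not checking the server it targets.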
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransport.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransport.go
index 95cd7848e..65d109eb1 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransport.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransport.go
@@ -34,8 +34,15 @@ import (
// ServersTransportApplyConfiguration represents a declarative configuration of the ServersTransport type for use
// with apply.
+//
+// ServersTransport is the CRD implementation of a ServersTransport.
+// If no serversTransport is specified, the default@internal will be used.
+// The default@internal serversTransport is created from the static configuration.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/serverstransport/
type ServersTransportApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *ServersTransportSpecApplyConfiguration `json:"spec,omitempty"`
}
@@ -50,6 +57,7 @@ func ServersTransport(name, namespace string) *ServersTransportApplyConfiguratio
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b ServersTransportApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransportspec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransportspec.go
index 28058caf0..53f409159 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransportspec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransportspec.go
@@ -32,20 +32,37 @@ import (
// ServersTransportSpecApplyConfiguration represents a declarative configuration of the ServersTransportSpec type for use
// with apply.
+//
+// ServersTransportSpec defines the desired state of a ServersTransport.
type ServersTransportSpecApplyConfiguration struct {
- ServerName *string `json:"serverName,omitempty"`
- InsecureSkipVerify *bool `json:"insecureSkipVerify,omitempty"`
- RootCAs []RootCAApplyConfiguration `json:"rootCAs,omitempty"`
- RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
- CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
- CipherSuites []string `json:"cipherSuites,omitempty"`
- MinVersion *string `json:"minVersion,omitempty"`
- MaxVersion *string `json:"maxVersion,omitempty"`
- MaxIdleConnsPerHost *int `json:"maxIdleConnsPerHost,omitempty"`
- ForwardingTimeouts *ForwardingTimeoutsApplyConfiguration `json:"forwardingTimeouts,omitempty"`
- DisableHTTP2 *bool `json:"disableHTTP2,omitempty"`
- PeerCertURI *string `json:"peerCertURI,omitempty"`
- Spiffe *dynamic.Spiffe `json:"spiffe,omitempty"`
+ // ServerName defines the server name used to contact the server.
+ ServerName *string `json:"serverName,omitempty"`
+ // InsecureSkipVerify disables SSL certificate verification.
+ InsecureSkipVerify *bool `json:"insecureSkipVerify,omitempty"`
+ // RootCAs defines a list of CA certificate Secrets or ConfigMaps used to validate server certificates.
+ RootCAs []RootCAApplyConfiguration `json:"rootCAs,omitempty"`
+ // RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+ //
+ // Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
+ RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
+ // CertificatesSecrets defines a list of secret storing client certificates for mTLS.
+ CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
+ // CipherSuites defines the cipher suites to use when contacting backend servers.
+ CipherSuites []string `json:"cipherSuites,omitempty"`
+ // MinVersion defines the minimum TLS version to use when contacting backend servers.
+ MinVersion *string `json:"minVersion,omitempty"`
+ // MaxVersion defines the maximum TLS version to use when contacting backend servers.
+ MaxVersion *string `json:"maxVersion,omitempty"`
+ // MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
+ MaxIdleConnsPerHost *int `json:"maxIdleConnsPerHost,omitempty"`
+ // ForwardingTimeouts defines the timeouts for requests forwarded to the backend servers.
+ ForwardingTimeouts *ForwardingTimeoutsApplyConfiguration `json:"forwardingTimeouts,omitempty"`
+ // DisableHTTP2 disables HTTP/2 for connections with backend servers.
+ DisableHTTP2 *bool `json:"disableHTTP2,omitempty"`
+ // PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
+ PeerCertURI *string `json:"peerCertURI,omitempty"`
+ // Spiffe defines the SPIFFE configuration.
+ Spiffe *dynamic.Spiffe `json:"spiffe,omitempty"`
}
// ServersTransportSpecApplyConfiguration constructs a declarative configuration of the ServersTransportSpec type for use with
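Review bot: the `MaxIdleConnsPerHost` comment in this hunk is missing its noun ("the maximum idle (keep-alive) to keep per-host" should read "the maximum number of idle (keep-alive) connections to keep per host"), and the `InsecureSkipVerify` comment says "SSL certificate verification" where the sibling `TLSClientConfig` hunk says "TLS certificate verification"; please align on "TLS". Since that flag turns off server certificate validation for upstream connections, it is also worth stating explicitly that it should only be set for testing, so that the generated CRD description carries the same caution as the docs. Minor grammar in the deprecated field: "a list of CA secret used to validate self-signed certificate" should be "a list of CA Secrets used to validate self-signed certificates".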
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransporttcp.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransporttcp.go
index 46b9ac7a1..6c2fab7b0 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransporttcp.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransporttcp.go
@@ -34,8 +34,15 @@ import (
// ServersTransportTCPApplyConfiguration represents a declarative configuration of the ServersTransportTCP type for use
// with apply.
+//
+// ServersTransportTCP is the CRD implementation of a TCPServersTransport.
+// If no tcpServersTransport is specified, a default one named default@internal will be used.
+// The default@internal tcpServersTransport can be configured in the static configuration.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/serverstransport/
type ServersTransportTCPApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *ServersTransportTCPSpecApplyConfiguration `json:"spec,omitempty"`
}
@@ -50,6 +57,7 @@ func ServersTransportTCP(name, namespace string) *ServersTransportTCPApplyConfig
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b ServersTransportTCPApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransporttcpspec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransporttcpspec.go
index 157012eac..766c5f34f 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransporttcpspec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serverstransporttcpspec.go
@@ -33,12 +33,19 @@ import (
// ServersTransportTCPSpecApplyConfiguration represents a declarative configuration of the ServersTransportTCPSpec type for use
// with apply.
+//
+// ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.
type ServersTransportTCPSpecApplyConfiguration struct {
- DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
- DialKeepAlive *intstr.IntOrString `json:"dialKeepAlive,omitempty"`
- ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
- TerminationDelay *intstr.IntOrString `json:"terminationDelay,omitempty"`
- TLS *TLSClientConfigApplyConfiguration `json:"tls,omitempty"`
+ // DialTimeout is the amount of time to wait until a connection to a backend server can be established.
+ DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
+ // DialKeepAlive is the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled.
+ DialKeepAlive *intstr.IntOrString `json:"dialKeepAlive,omitempty"`
+ // ProxyProtocol holds the PROXY Protocol configuration.
+ ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
+ // TerminationDelay defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability.
+ TerminationDelay *intstr.IntOrString `json:"terminationDelay,omitempty"`
+ // TLS defines the TLS configuration
+ TLS *TLSClientConfigApplyConfiguration `json:"tls,omitempty"`
}
// ServersTransportTCPSpecApplyConfiguration constructs a declarative configuration of the ServersTransportTCPSpec type for use with
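Review bot: the `DialKeepAlive` comment in this hunk is a single very long line; please wrap it to the width used by the surrounding godoc comments so it stays readable in the generated file. The `TLS` field comment ("TLS defines the TLS configuration") is also missing its trailing period, unlike every other field comment in the struct.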
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/service.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/service.go
index 3b3dcfd41..62f596454 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/service.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/service.go
@@ -33,6 +33,8 @@ import (
// ServiceApplyConfiguration represents a declarative configuration of the Service type for use
// with apply.
+//
+// Service defines an upstream HTTP service to proxy traffic to.
type ServiceApplyConfiguration struct {
LoadBalancerSpecApplyConfiguration `json:",inline"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/servicetcp.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/servicetcp.go
index b5bdc0833..d159c6500 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/servicetcp.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/servicetcp.go
@@ -33,17 +33,47 @@ import (
// ServiceTCPApplyConfiguration represents a declarative configuration of the ServiceTCP type for use
// with apply.
+//
+// ServiceTCP defines an upstream TCP service to proxy traffic to.
type ServiceTCPApplyConfiguration struct {
- Name *string `json:"name,omitempty"`
- Namespace *string `json:"namespace,omitempty"`
- Port *intstr.IntOrString `json:"port,omitempty"`
- Weight *int `json:"weight,omitempty"`
- TerminationDelay *int `json:"terminationDelay,omitempty"`
- ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
- ServersTransport *string `json:"serversTransport,omitempty"`
- TLS *bool `json:"tls,omitempty"`
- NativeLB *bool `json:"nativeLB,omitempty"`
- NodePortLB *bool `json:"nodePortLB,omitempty"`
+ // Name defines the name of the referenced Kubernetes Service.
+ Name *string `json:"name,omitempty"`
+ // Namespace defines the namespace of the referenced Kubernetes Service.
+ Namespace *string `json:"namespace,omitempty"`
+ // Port defines the port of a Kubernetes Service.
+ // This can be a reference to a named port.
+ Port *intstr.IntOrString `json:"port,omitempty"`
+ // Weight defines the weight used when balancing requests between multiple Kubernetes Service.
+ Weight *int `json:"weight,omitempty"`
+ // TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates
+ // it has closed the writing capability of its connection, to close the reading capability as well,
+ // hence fully terminating the connection.
+ // It is a duration in milliseconds, defaulting to 100.
+ // A negative value means an infinite deadline (i.e. the reading capability is never closed).
+ //
+ // Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
+ TerminationDelay *int `json:"terminationDelay,omitempty"`
+ // ProxyProtocol defines the PROXY protocol configuration.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/service/#proxy-protocol
+ //
+ // Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
+ ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
+ // ServersTransport defines the name of ServersTransportTCP resource to use.
+ // It allows to configure the transport between Traefik and your servers.
+ // Can only be used on a Kubernetes Service.
+ ServersTransport *string `json:"serversTransport,omitempty"`
+ // TLS determines whether to use TLS when dialing with the backend.
+ TLS *bool `json:"tls,omitempty"`
+ // NativeLB controls, when creating the load-balancer,
+ // whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ // The Kubernetes Service itself does load-balance to the pods.
+ // By default, NativeLB is false.
+ NativeLB *bool `json:"nativeLB,omitempty"`
+ // NodePortLB controls, when creating the load-balancer,
+ // whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ // It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ // By default, NodePortLB is false.
+ NodePortLB *bool `json:"nodePortLB,omitempty"`
}
// ServiceTCPApplyConfiguration constructs a declarative configuration of the ServiceTCP type for use with
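Review bot: a few wording issues in the field comments of this hunk: "between multiple Kubernetes Service" should be "Services", "It allows to configure the transport" should be "It allows configuring the transport", and "the pods IPs" / "the nodes internal IPs" need possessives ("the pods' IPs", "the nodes' internal IPs"). The two `Deprecated:` notes are fine, but since both `TerminationDelay` and `ProxyProtocol` say to use `ServersTransport` instead, the `ServersTransport` comment could point back at them so readers of the generated type see where those settings moved.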
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serviceudp.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serviceudp.go
index 325b83c33..efe3337ae 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serviceudp.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/serviceudp.go
@@ -32,13 +32,28 @@ import (
// ServiceUDPApplyConfiguration represents a declarative configuration of the ServiceUDP type for use
// with apply.
+//
+// ServiceUDP defines an upstream UDP service to proxy traffic to.
type ServiceUDPApplyConfiguration struct {
- Name *string `json:"name,omitempty"`
- Namespace *string `json:"namespace,omitempty"`
- Port *intstr.IntOrString `json:"port,omitempty"`
- Weight *int `json:"weight,omitempty"`
- NativeLB *bool `json:"nativeLB,omitempty"`
- NodePortLB *bool `json:"nodePortLB,omitempty"`
+ // Name defines the name of the referenced Kubernetes Service.
+ Name *string `json:"name,omitempty"`
+ // Namespace defines the namespace of the referenced Kubernetes Service.
+ Namespace *string `json:"namespace,omitempty"`
+ // Port defines the port of a Kubernetes Service.
+ // This can be a reference to a named port.
+ Port *intstr.IntOrString `json:"port,omitempty"`
+ // Weight defines the weight used when balancing requests between multiple Kubernetes Service.
+ Weight *int `json:"weight,omitempty"`
+ // NativeLB controls, when creating the load-balancer,
+ // whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+ // The Kubernetes Service itself does load-balance to the pods.
+ // By default, NativeLB is false.
+ NativeLB *bool `json:"nativeLB,omitempty"`
+ // NodePortLB controls, when creating the load-balancer,
+ // whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+ // It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+ // By default, NodePortLB is false.
+ NodePortLB *bool `json:"nodePortLB,omitempty"`
}
// ServiceUDPApplyConfiguration constructs a declarative configuration of the ServiceUDP type for use with
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tls.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tls.go
index 9e628535b..dc90942f3 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tls.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tls.go
@@ -32,12 +32,26 @@ import (
// TLSApplyConfiguration represents a declarative configuration of the TLS type for use
// with apply.
+//
+// TLS holds the TLS configuration.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/overview/
type TLSApplyConfiguration struct {
- SecretName *string `json:"secretName,omitempty"`
- Options *TLSOptionRefApplyConfiguration `json:"options,omitempty"`
- Store *TLSStoreRefApplyConfiguration `json:"store,omitempty"`
- CertResolver *string `json:"certResolver,omitempty"`
- Domains []types.Domain `json:"domains,omitempty"`
+ // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
+ SecretName *string `json:"secretName,omitempty"`
+ // Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+ // If not defined, the `default` TLSOption is used.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-options/
+ Options *TLSOptionRefApplyConfiguration `json:"options,omitempty"`
+ // Store defines the reference to the TLSStore, that will be used to store certificates.
+ // Please note that only `default` TLSStore can be used.
+ Store *TLSStoreRefApplyConfiguration `json:"store,omitempty"`
+ // CertResolver defines the name of the certificate resolver to use.
+ // Cert resolvers have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/tls/certificate-resolvers/acme/
+ CertResolver *string `json:"certResolver,omitempty"`
+ // Domains defines the list of domains that will be used to issue certificates.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#domains
+ Domains []types.Domain `json:"domains,omitempty"`
}
// TLSApplyConfiguration constructs a declarative configuration of the TLS type for use with
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsclientconfig.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsclientconfig.go
index db409216d..0455c8a9a 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsclientconfig.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsclientconfig.go
@@ -32,14 +32,26 @@ import (
// TLSClientConfigApplyConfiguration represents a declarative configuration of the TLSClientConfig type for use
// with apply.
+//
+// TLSClientConfig defines the desired state of a TLSClientConfig.
type TLSClientConfigApplyConfiguration struct {
- ServerName *string `json:"serverName,omitempty"`
- InsecureSkipVerify *bool `json:"insecureSkipVerify,omitempty"`
- RootCAs []RootCAApplyConfiguration `json:"rootCAs,omitempty"`
- RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
- CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
- PeerCertURI *string `json:"peerCertURI,omitempty"`
- Spiffe *dynamic.Spiffe `json:"spiffe,omitempty"`
+ // ServerName defines the server name used to contact the server.
+ ServerName *string `json:"serverName,omitempty"`
+ // InsecureSkipVerify disables TLS certificate verification.
+ InsecureSkipVerify *bool `json:"insecureSkipVerify,omitempty"`
+ // RootCAs defines a list of CA certificate Secrets or ConfigMaps used to validate server certificates.
+ RootCAs []RootCAApplyConfiguration `json:"rootCAs,omitempty"`
+ // RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+ //
+ // Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
+ RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
+ // CertificatesSecrets defines a list of secret storing client certificates for mTLS.
+ CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
+ // MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
+ // PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
+ PeerCertURI *string `json:"peerCertURI,omitempty"`
+ // Spiffe defines the SPIFFE configuration.
+ Spiffe *dynamic.Spiffe `json:"spiffe,omitempty"`
}
// TLSClientConfigApplyConfiguration constructs a declarative configuration of the TLSClientConfig type for use with
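Review bot: the line `// MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.` in this hunk is a stray comment: `TLSClientConfigApplyConfiguration` has no `MaxIdleConnsPerHost` field, so the sentence ends up attached to `PeerCertURI` and will appear in its generated description. It looks like it was copied over from the `ServersTransportSpec` comment block; please drop it (or, if the comment is generated from the source CRD type, fix it there and regenerate).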
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoption.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoption.go
index e391978ec..45f6c913e 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoption.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoption.go
@@ -34,8 +34,13 @@ import (
// TLSOptionApplyConfiguration represents a declarative configuration of the TLSOption type for use
// with apply.
+//
+// TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#tls-options
type TLSOptionApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *TLSOptionSpecApplyConfiguration `json:"spec,omitempty"`
}
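Review bot: the "More info" URL in this hunk has two fragments (`.../tls-certificates/#certificates-stores#tls-options`), which is not a valid anchor; a browser will only honour the first one and land on the certificates-stores section rather than on TLS options. Please point it at a single anchor, for example the TLS options page referenced elsewhere in this patch (`.../routing-configuration/kubernetes/crd/http/tlsoption/`), and check whether the same string was propagated to the other generated files.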
@@ -50,6 +55,7 @@ func TLSOption(name, namespace string) *TLSOptionApplyConfiguration {
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b TLSOptionApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoptionref.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoptionref.go
index a3abfd27a..2185bfb58 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoptionref.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoptionref.go
@@ -28,8 +28,14 @@ package v1alpha1
// TLSOptionRefApplyConfiguration represents a declarative configuration of the TLSOptionRef type for use
// with apply.
+//
+// TLSOptionRef is a reference to a TLSOption resource.
type TLSOptionRefApplyConfiguration struct {
- Name *string `json:"name,omitempty"`
+ // Name defines the name of the referenced TLSOption.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsoption/
+ Name *string `json:"name,omitempty"`
+ // Namespace defines the namespace of the referenced TLSOption.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsoption/
Namespace *string `json:"namespace,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoptionspec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoptionspec.go
index adf256b6e..e0cca35f4 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoptionspec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsoptionspec.go
@@ -28,16 +28,37 @@ package v1alpha1
// TLSOptionSpecApplyConfiguration represents a declarative configuration of the TLSOptionSpec type for use
// with apply.
+//
+// TLSOptionSpec defines the desired state of a TLSOption.
type TLSOptionSpecApplyConfiguration struct {
- MinVersion *string `json:"minVersion,omitempty"`
- MaxVersion *string `json:"maxVersion,omitempty"`
- CipherSuites []string `json:"cipherSuites,omitempty"`
- CurvePreferences []string `json:"curvePreferences,omitempty"`
- ClientAuth *ClientAuthApplyConfiguration `json:"clientAuth,omitempty"`
- SniStrict *bool `json:"sniStrict,omitempty"`
- ALPNProtocols []string `json:"alpnProtocols,omitempty"`
- DisableSessionTickets *bool `json:"disableSessionTickets,omitempty"`
- PreferServerCipherSuites *bool `json:"preferServerCipherSuites,omitempty"`
+ // MinVersion defines the minimum TLS version that Traefik will accept.
+ // Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+ // Default: VersionTLS10.
+ MinVersion *string `json:"minVersion,omitempty"`
+ // MaxVersion defines the maximum TLS version that Traefik will accept.
+ // Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+ // Default: None.
+ MaxVersion *string `json:"maxVersion,omitempty"`
+ // CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#cipher-suites
+ CipherSuites []string `json:"cipherSuites,omitempty"`
+ // CurvePreferences defines the preferred elliptic curves.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#curve-preferences
+ CurvePreferences []string `json:"curvePreferences,omitempty"`
+ // ClientAuth defines the server's policy for TLS Client Authentication.
+ ClientAuth *ClientAuthApplyConfiguration `json:"clientAuth,omitempty"`
+ // SniStrict defines whether Traefik allows connections from clients connections that do not specify a server_name extension.
+ SniStrict *bool `json:"sniStrict,omitempty"`
+ // ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#alpn-protocols
+ ALPNProtocols []string `json:"alpnProtocols,omitempty"`
+ // DisableSessionTickets disables TLS session resumption via session tickets.
+ DisableSessionTickets *bool `json:"disableSessionTickets,omitempty"`
+ // PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
+ // It is enabled automatically when minVersion or maxVersion is set.
+ //
+ // Deprecated: https://github.com/golang/go/issues/45430
+ PreferServerCipherSuites *bool `json:"preferServerCipherSuites,omitempty"`
}
// TLSOptionSpecApplyConfiguration constructs a declarative configuration of the TLSOptionSpec type for use with
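Review bot: three "More info" URLs in this hunk (`CipherSuites`, `CurvePreferences`, `ALPNProtocols`) carry the same doubled fragment `#certificates-stores#cipher-suites` / `#curve-preferences` / `#alpn-protocols`, so none of them will resolve to the intended section; please fix them to a single anchor. Two smaller points: the `SniStrict` comment has a doubled word ("connections from clients connections that do not specify"), and the `MinVersion` comment states `Default: VersionTLS10`; since that is the security floor a user sees in the generated CRD description, please confirm it matches the default actually applied by the TLS option code and the user-facing docs before this ships.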
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstore.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstore.go
index 1f0a2858d..f60492d72 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstore.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstore.go
@@ -34,8 +34,15 @@ import (
// TLSStoreApplyConfiguration represents a declarative configuration of the TLSStore type for use
// with apply.
+//
+// TLSStore is the CRD implementation of a Traefik TLS Store.
+// For the time being, only the TLSStore named default is supported.
+// This means that you cannot have two stores that are named default in different Kubernetes namespaces.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#certificates-stores
type TLSStoreApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *TLSStoreSpecApplyConfiguration `json:"spec,omitempty"`
}
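Review bot: the "More info" URL in this hunk ends in `#certificates-stores#certificates-stores`, a duplicated fragment that should be a single `#certificates-stores`. The added type comment otherwise reads well and usefully calls out the single-`default`-store restriction across namespaces.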
@@ -50,6 +57,7 @@ func TLSStore(name, namespace string) *TLSStoreApplyConfiguration {
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b TLSStoreApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstoreref.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstoreref.go
index ac89490c8..539ed4de4 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstoreref.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstoreref.go
@@ -28,8 +28,14 @@ package v1alpha1
// TLSStoreRefApplyConfiguration represents a declarative configuration of the TLSStoreRef type for use
// with apply.
+//
+// TLSStoreRef is a reference to a TLSStore resource.
type TLSStoreRefApplyConfiguration struct {
- Name *string `json:"name,omitempty"`
+ // Name defines the name of the referenced TLSStore.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsstore/
+ Name *string `json:"name,omitempty"`
+ // Namespace defines the namespace of the referenced TLSStore.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsstore/
Namespace *string `json:"namespace,omitempty"`
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstorespec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstorespec.go
index 344ef8104..25a1037f6 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstorespec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlsstorespec.go
@@ -32,10 +32,15 @@ import (
// TLSStoreSpecApplyConfiguration represents a declarative configuration of the TLSStoreSpec type for use
// with apply.
+//
+// TLSStoreSpec defines the desired state of a TLSStore.
type TLSStoreSpecApplyConfiguration struct {
- DefaultCertificate *CertificateApplyConfiguration `json:"defaultCertificate,omitempty"`
- DefaultGeneratedCert *tls.GeneratedCert `json:"defaultGeneratedCert,omitempty"`
- Certificates []CertificateApplyConfiguration `json:"certificates,omitempty"`
+ // DefaultCertificate defines the default certificate configuration.
+ DefaultCertificate *CertificateApplyConfiguration `json:"defaultCertificate,omitempty"`
+ // DefaultGeneratedCert defines the default generated certificate configuration.
+ DefaultGeneratedCert *tls.GeneratedCert `json:"defaultGeneratedCert,omitempty"`
+ // Certificates is a list of secret names, each secret holding a key/certificate pair to add to the store.
+ Certificates []CertificateApplyConfiguration `json:"certificates,omitempty"`
}
// TLSStoreSpecApplyConfiguration constructs a declarative configuration of the TLSStoreSpec type for use with
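Review bot: the `Certificates` comment in this hunk describes "a list of secret names", but the field type is `[]CertificateApplyConfiguration`, not `[]string`; please reword to describe a list of certificate references (each referencing a Secret holding a key/certificate pair) so the description matches the apply-configuration shape. The `DefaultCertificate` and `DefaultGeneratedCert` comments could also say which one wins when both are set, as the docs do.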
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlstcp.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlstcp.go
index 8728fbd2a..0a93b8a46 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlstcp.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/tlstcp.go
@@ -32,13 +32,28 @@ import (
// TLSTCPApplyConfiguration represents a declarative configuration of the TLSTCP type for use
// with apply.
+//
+// TLSTCP holds the TLS configuration for an IngressRouteTCP.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/tls/
type TLSTCPApplyConfiguration struct {
- SecretName *string `json:"secretName,omitempty"`
- Passthrough *bool `json:"passthrough,omitempty"`
- Options *ObjectReferenceApplyConfiguration `json:"options,omitempty"`
- Store *ObjectReferenceApplyConfiguration `json:"store,omitempty"`
- CertResolver *string `json:"certResolver,omitempty"`
- Domains []types.Domain `json:"domains,omitempty"`
+ // SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
+ SecretName *string `json:"secretName,omitempty"`
+ // Passthrough defines whether a TLS router will terminate the TLS connection.
+ Passthrough *bool `json:"passthrough,omitempty"`
+ // Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+ // If not defined, the `default` TLSOption is used.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/tls/#tls-options
+ Options *ObjectReferenceApplyConfiguration `json:"options,omitempty"`
+ // Store defines the reference to the TLSStore, that will be used to store certificates.
+ // Please note that only `default` TLSStore can be used.
+ Store *ObjectReferenceApplyConfiguration `json:"store,omitempty"`
+ // CertResolver defines the name of the certificate resolver to use.
+ // Cert resolvers have to be configured in the static configuration.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/tls/certificate-resolvers/acme/
+ CertResolver *string `json:"certResolver,omitempty"`
+ // Domains defines the list of domains that will be used to issue certificates.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/tls/#domains
+ Domains []types.Domain `json:"domains,omitempty"`
}
// TLSTCPApplyConfiguration constructs a declarative configuration of the TLSTCP type for use with
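Review bot: the `Passthrough` comment in this hunk ("defines whether a TLS router will terminate the TLS connection") reads with inverted polarity: when `passthrough` is `true`, Traefik does not terminate TLS and forwards the raw TLS stream to the backend. Please phrase it as "Passthrough defines whether the TLS connection is passed through to the backend without being terminated by Traefik (default false)" so users configuring the CRD are not misled about where TLS terminates.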
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/traefikservice.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/traefikservice.go
index 908418aae..6afdd2314 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/traefikservice.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/traefikservice.go
@@ -34,8 +34,16 @@ import (
// TraefikServiceApplyConfiguration represents a declarative configuration of the TraefikService type for use
// with apply.
+//
+// TraefikService is the CRD implementation of a Traefik Service.
+// TraefikService object allows to:
+// - Apply weight to Services on load-balancing
+// - Mirror traffic on services
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/traefikservice/
type TraefikServiceApplyConfiguration struct {
- v1.TypeMetaApplyConfiguration `json:",inline"`
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *TraefikServiceSpecApplyConfiguration `json:"spec,omitempty"`
}
@@ -50,6 +58,7 @@ func TraefikService(name, namespace string) *TraefikServiceApplyConfiguration {
b.WithAPIVersion("traefik.io/v1alpha1")
return b
}
+
func (b TraefikServiceApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/traefikservicespec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/traefikservicespec.go
index 038e8a073..bc131a1a9 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/traefikservicespec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/traefikservicespec.go
@@ -28,11 +28,17 @@ package v1alpha1
// TraefikServiceSpecApplyConfiguration represents a declarative configuration of the TraefikServiceSpec type for use
// with apply.
+//
+// TraefikServiceSpec defines the desired state of a TraefikService.
type TraefikServiceSpecApplyConfiguration struct {
- Weighted *WeightedRoundRobinApplyConfiguration `json:"weighted,omitempty"`
- Mirroring *MirroringApplyConfiguration `json:"mirroring,omitempty"`
+ // Weighted defines the Weighted Round Robin configuration.
+ Weighted *WeightedRoundRobinApplyConfiguration `json:"weighted,omitempty"`
+ // Mirroring defines the Mirroring service configuration.
+ Mirroring *MirroringApplyConfiguration `json:"mirroring,omitempty"`
+ // HighestRandomWeight defines the highest random weight service configuration.
HighestRandomWeight *HighestRandomWeightApplyConfiguration `json:"highestRandomWeight,omitempty"`
- Failover *FailoverApplyConfiguration `json:"failover,omitempty"`
+ // Failover defines the Failover service configuration.
+ Failover *FailoverApplyConfiguration `json:"failover,omitempty"`
}
// TraefikServiceSpecApplyConfiguration constructs a declarative configuration of the TraefikServiceSpec type for use with
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/weightedroundrobin.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/weightedroundrobin.go
index 691e9d09e..dc55b3ac5 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/weightedroundrobin.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/weightedroundrobin.go
@@ -32,9 +32,15 @@ import (
// WeightedRoundRobinApplyConfiguration represents a declarative configuration of the WeightedRoundRobin type for use
// with apply.
+//
+// WeightedRoundRobin holds the weighted round-robin configuration.
+// More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#weighted-round-robin-wrr
type WeightedRoundRobinApplyConfiguration struct {
+ // Services defines the list of Kubernetes Service and/or TraefikService to load-balance, with weight.
Services []ServiceApplyConfiguration `json:"services,omitempty"`
- Sticky *dynamic.Sticky `json:"sticky,omitempty"`
+ // Sticky defines whether sticky sessions are enabled.
+ // More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/traefikservice/#stickiness-and-load-balancing
+ Sticky *dynamic.Sticky `json:"sticky,omitempty"`
}
// WeightedRoundRobinApplyConfiguration constructs a declarative configuration of the WeightedRoundRobin type for use with
diff --git a/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake/clientset_generated.go b/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake/clientset_generated.go
index b8091758d..1d8abc8e8 100644
--- a/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake/clientset_generated.go
+++ b/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake/clientset_generated.go
@@ -44,7 +44,7 @@ import (
// without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
// for a real clientset and is mostly useful in simple unit tests.
//
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
// server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
// via --with-applyconfig).
func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -60,8 +60,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
cs.AddReactor("*", "*", testing.ObjectReaction(o))
cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
var opts metav1.ListOptions
- if watchActcion, ok := action.(testing.WatchActionImpl); ok {
- opts = watchActcion.ListOptions
+ if watchAction, ok := action.(testing.WatchActionImpl); ok {
+ opts = watchAction.ListOptions
}
gvr := action.GetResource()
ns := action.GetNamespace()
@@ -92,6 +92,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
return c.tracker
}
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+ return true
+}
+
// NewClientset returns a clientset that will respond with the provided objects.
// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
// without applying any validations and/or defaults. It shouldn't be considered a replacement
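Review bot: The doc comment names `IsWatchListSemanticsSupported` while the method declared is `IsWatchListSemanticsUnSupported`, so the comment neither starts with the function name (as Go doc conventions require) nor matches its polarity, even though the body text ("Returning true signals that WatchList can NOT be used") describes the `UnSupported` variant correctly. Since this file lives under `generated/`, the fix belongs in the generator template rather than a hand edit, otherwise the next regeneration reintroduces the mismatch.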
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/factory.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/factory.go
index 41ed66f44..4d3dc8903 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/factory.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/factory.go
@@ -105,6 +105,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
// NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
// Listers obtained via this SharedInformerFactory will be subject to the same filters
// as specified here.
+//
// Deprecated: Please use NewSharedInformerFactoryWithOptions instead
func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -212,7 +213,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
//
// It is typically used like this:
//
-// ctx, cancel := context.Background()
+// ctx, cancel := context.WithCancel(context.Background())
// defer cancel()
// factory := NewSharedInformerFactory(client, resyncPeriod)
// defer factory.WaitForStop() // Returns immediately if nothing was started.
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressroute.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressroute.go
index 5bfc88702..a84f2f43f 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressroute.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressroute.go
@@ -65,7 +65,7 @@ func NewIngressRouteInformer(client versioned.Interface, namespace string, resyn
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredIngressRouteInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredIngressRouteInformer(client versioned.Interface, namespace strin
}
return client.TraefikV1alpha1().IngressRoutes(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.IngressRoute{},
resyncPeriod,
indexers,
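Review bot: Wrapping the `ListWatch` in `cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{ ... }, client)` opts this informer into WatchList semantics whenever `client` does not opt out, which is exactly what the `IsWatchListSemanticsUnSupported` method added to the fake clientset in this patch provides for unit tests; the opening call in the first hunk and the `}, client),` closer in the second are one expression, so both hunks need to land together. The identical change is repeated across the other nine generated informers below, consistent with generator output.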
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressroutetcp.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressroutetcp.go
index 52405235a..4c3c531bf 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressroutetcp.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressroutetcp.go
@@ -65,7 +65,7 @@ func NewIngressRouteTCPInformer(client versioned.Interface, namespace string, re
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredIngressRouteTCPInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredIngressRouteTCPInformer(client versioned.Interface, namespace st
}
return client.TraefikV1alpha1().IngressRouteTCPs(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.IngressRouteTCP{},
resyncPeriod,
indexers,
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressrouteudp.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressrouteudp.go
index 273dfe7b2..c0867a9f5 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressrouteudp.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/ingressrouteudp.go
@@ -65,7 +65,7 @@ func NewIngressRouteUDPInformer(client versioned.Interface, namespace string, re
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredIngressRouteUDPInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredIngressRouteUDPInformer(client versioned.Interface, namespace st
}
return client.TraefikV1alpha1().IngressRouteUDPs(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.IngressRouteUDP{},
resyncPeriod,
indexers,
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/middleware.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/middleware.go
index 324c5219d..69fc10beb 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/middleware.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/middleware.go
@@ -65,7 +65,7 @@ func NewMiddlewareInformer(client versioned.Interface, namespace string, resyncP
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredMiddlewareInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredMiddlewareInformer(client versioned.Interface, namespace string,
}
return client.TraefikV1alpha1().Middlewares(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.Middleware{},
resyncPeriod,
indexers,
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/middlewaretcp.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/middlewaretcp.go
index e8cacfd41..f2c0d4cb9 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/middlewaretcp.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/middlewaretcp.go
@@ -65,7 +65,7 @@ func NewMiddlewareTCPInformer(client versioned.Interface, namespace string, resy
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredMiddlewareTCPInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredMiddlewareTCPInformer(client versioned.Interface, namespace stri
}
return client.TraefikV1alpha1().MiddlewareTCPs(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.MiddlewareTCP{},
resyncPeriod,
indexers,
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/serverstransport.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/serverstransport.go
index 8b091354d..2f6b2f714 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/serverstransport.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/serverstransport.go
@@ -65,7 +65,7 @@ func NewServersTransportInformer(client versioned.Interface, namespace string, r
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredServersTransportInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredServersTransportInformer(client versioned.Interface, namespace s
}
return client.TraefikV1alpha1().ServersTransports(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.ServersTransport{},
resyncPeriod,
indexers,
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/serverstransporttcp.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/serverstransporttcp.go
index 824c67cae..3d9aa23d9 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/serverstransporttcp.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/serverstransporttcp.go
@@ -65,7 +65,7 @@ func NewServersTransportTCPInformer(client versioned.Interface, namespace string
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredServersTransportTCPInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredServersTransportTCPInformer(client versioned.Interface, namespac
}
return client.TraefikV1alpha1().ServersTransportTCPs(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.ServersTransportTCP{},
resyncPeriod,
indexers,
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/tlsoption.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/tlsoption.go
index fbc03787a..1ba7610d7 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/tlsoption.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/tlsoption.go
@@ -65,7 +65,7 @@ func NewTLSOptionInformer(client versioned.Interface, namespace string, resyncPe
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredTLSOptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredTLSOptionInformer(client versioned.Interface, namespace string,
}
return client.TraefikV1alpha1().TLSOptions(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.TLSOption{},
resyncPeriod,
indexers,
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/tlsstore.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/tlsstore.go
index 02eea4cf8..aa0ee5933 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/tlsstore.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/tlsstore.go
@@ -65,7 +65,7 @@ func NewTLSStoreInformer(client versioned.Interface, namespace string, resyncPer
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredTLSStoreInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredTLSStoreInformer(client versioned.Interface, namespace string, r
}
return client.TraefikV1alpha1().TLSStores(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.TLSStore{},
resyncPeriod,
indexers,
diff --git a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/traefikservice.go b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/traefikservice.go
index 272be98cb..b68e58313 100644
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/traefikservice.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefikio/v1alpha1/traefikservice.go
@@ -65,7 +65,7 @@ func NewTraefikServiceInformer(client versioned.Interface, namespace string, res
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredTraefikServiceInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
- &cache.ListWatch{
+ cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
@@ -90,7 +90,7 @@ func NewFilteredTraefikServiceInformer(client versioned.Interface, namespace str
}
return client.TraefikV1alpha1().TraefikServices(namespace).Watch(ctx, options)
},
- },
+ }, client),
&crdtraefikiov1alpha1.TraefikService{},
resyncPeriod,
indexers,
diff --git a/pkg/provider/kubernetes/gateway/client.go b/pkg/provider/kubernetes/gateway/client.go
index fd383d89e..4c1652553 100644
--- a/pkg/provider/kubernetes/gateway/client.go
+++ b/pkg/provider/kubernetes/gateway/client.go
@@ -194,15 +194,16 @@ func (c *clientWrapper) WatchAll(namespaces []string, stopCh <-chan struct{}) (<
return nil, err
}
+ _, err = factoryGateway.Gateway().V1().TLSRoutes().Informer().AddEventHandler(eventHandler)
+ if err != nil {
+ return nil, err
+ }
+
if c.experimentalChannel {
_, err = factoryGateway.Gateway().V1alpha2().TCPRoutes().Informer().AddEventHandler(eventHandler)
if err != nil {
return nil, err
}
- _, err = factoryGateway.Gateway().V1alpha2().TLSRoutes().Informer().AddEventHandler(eventHandler)
- if err != nil {
- return nil, err
- }
}
factorySecret := kinformers.NewSharedInformerFactoryWithOptions(c.csKube, resyncPeriod, kinformers.WithNamespace(ns), kinformers.WithTweakListOptions(notOwnedByHelm))
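Review bot: Registering the `Gateway().V1().TLSRoutes()` event handler outside the `if c.experimentalChannel` block makes the `gateway.networking.k8s.io/v1` TLSRoute CRD a hard requirement even when the experimental channel is disabled; on a cluster that still only has the older v1alpha2 TLSRoute CRD installed, this informer will fail to list and watch. The migration documentation should state the CRD update as mandatory for this release, and a more specific startup error than the bare `return nil, err` would make that failure mode easier to diagnose.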
@@ -319,10 +320,10 @@ func (c *clientWrapper) ListTCPRoutes() ([]*gatev1alpha2.TCPRoute, error) {
return tcpRoutes, nil
}
-func (c *clientWrapper) ListTLSRoutes() ([]*gatev1alpha2.TLSRoute, error) {
- var tlsRoutes []*gatev1alpha2.TLSRoute
+func (c *clientWrapper) ListTLSRoutes() ([]*gatev1.TLSRoute, error) {
+ var tlsRoutes []*gatev1.TLSRoute
for _, namespace := range c.watchedNamespaces {
- routes, err := c.factoriesGateway[c.lookupNamespace(namespace)].Gateway().V1alpha2().TLSRoutes().Lister().TLSRoutes(namespace).List(labels.Everything())
+ routes, err := c.factoriesGateway[c.lookupNamespace(namespace)].Gateway().V1().TLSRoutes().Lister().TLSRoutes(namespace).List(labels.Everything())
if err != nil {
return nil, fmt.Errorf("listing TLS routes in namespace %s", namespace)
}
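Review bot: While the lister is being switched to `Gateway().V1()`, the error path `return nil, fmt.Errorf("listing TLS routes in namespace %s", namespace)` still discards `err`; wrapping it as `fmt.Errorf("listing TLS routes in namespace %s: %w", namespace, err)` would preserve the underlying cause, which matters when the real problem is a missing CRD version or an RBAC rule that has not been updated for the v1 resource.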
@@ -650,13 +651,13 @@ func (c *clientWrapper) UpdateTCPRouteStatus(ctx context.Context, route ktypes.N
return nil
}
-func (c *clientWrapper) UpdateTLSRouteStatus(ctx context.Context, route ktypes.NamespacedName, status gatev1alpha2.TLSRouteStatus) error {
+func (c *clientWrapper) UpdateTLSRouteStatus(ctx context.Context, route ktypes.NamespacedName, status gatev1.TLSRouteStatus) error {
if !c.isWatchedNamespace(route.Namespace) {
return fmt.Errorf("updating TLSRoute status %s/%s: namespace is not within watched namespaces", route.Namespace, route.Name)
}
err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
- currentRoute, err := c.factoriesGateway[c.lookupNamespace(route.Namespace)].Gateway().V1alpha2().TLSRoutes().Lister().TLSRoutes(route.Namespace).Get(route.Name)
+ currentRoute, err := c.factoriesGateway[c.lookupNamespace(route.Namespace)].Gateway().V1().TLSRoutes().Lister().TLSRoutes(route.Namespace).Get(route.Name)
if err != nil {
// We have to return err itself here (not wrapped inside another error)
// so that RetryOnConflict can identify it correctly.
@@ -680,13 +681,13 @@ func (c *clientWrapper) UpdateTLSRouteStatus(ctx context.Context, route ktypes.N
}
currentRoute = currentRoute.DeepCopy()
- currentRoute.Status = gatev1alpha2.TLSRouteStatus{
+ currentRoute.Status = gatev1.TLSRouteStatus{
RouteStatus: gatev1.RouteStatus{
Parents: parentStatuses,
},
}
- if _, err = c.csGateway.GatewayV1alpha2().TLSRoutes(route.Namespace).UpdateStatus(ctx, currentRoute, metav1.UpdateOptions{}); err != nil {
+ if _, err = c.csGateway.GatewayV1().TLSRoutes(route.Namespace).UpdateStatus(ctx, currentRoute, metav1.UpdateOptions{}); err != nil {
// We have to return err itself here (not wrapped inside another error)
// so that RetryOnConflict can identify it correctly.
return err
@@ -814,13 +815,13 @@ func policyAncestorStatusEqual(sA, sB gatev1.PolicyAncestorStatus) bool {
conditionsEqual(sA.Conditions, sB.Conditions)
}
-func routeParentStatusesEqual(routeParentStatusesA, routeParentStatusesB []gatev1alpha2.RouteParentStatus) bool {
+func routeParentStatusesEqual(routeParentStatusesA, routeParentStatusesB []gatev1.RouteParentStatus) bool {
if len(routeParentStatusesA) != len(routeParentStatusesB) {
return false
}
for _, sA := range routeParentStatusesA {
- if !slices.ContainsFunc(routeParentStatusesB, func(sB gatev1alpha2.RouteParentStatus) bool {
+ if !slices.ContainsFunc(routeParentStatusesB, func(sB gatev1.RouteParentStatus) bool {
return routeParentStatusEqual(sB, sA)
}) {
return false
@@ -828,7 +829,7 @@ func routeParentStatusesEqual(routeParentStatusesA, routeParentStatusesB []gatev
}
for _, sB := range routeParentStatusesB {
- if !slices.ContainsFunc(routeParentStatusesA, func(sA gatev1alpha2.RouteParentStatus) bool {
+ if !slices.ContainsFunc(routeParentStatusesA, func(sA gatev1.RouteParentStatus) bool {
return routeParentStatusEqual(sA, sB)
}) {
return false
@@ -838,7 +839,7 @@ func routeParentStatusesEqual(routeParentStatusesA, routeParentStatusesB []gatev
return true
}
-func routeParentStatusEqual(sA, sB gatev1alpha2.RouteParentStatus) bool {
+func routeParentStatusEqual(sA, sB gatev1.RouteParentStatus) bool {
return sA.ControllerName == sB.ControllerName &&
reflect.DeepEqual(sA.ParentRef, sB.ParentRef) &&
conditionsEqual(sA.Conditions, sB.Conditions)
diff --git a/pkg/provider/kubernetes/gateway/features.go b/pkg/provider/kubernetes/gateway/features.go
index 5c63c4078..e8c8bd1c5 100644
--- a/pkg/provider/kubernetes/gateway/features.go
+++ b/pkg/provider/kubernetes/gateway/features.go
@@ -16,7 +16,8 @@ var SupportedFeatures = sync.OnceValue(func() []features.FeatureName {
Insert(features.ReferenceGrantCoreFeatures.UnsortedList()...).
Insert(features.BackendTLSPolicyCoreFeatures.UnsortedList()...).
Insert(features.GRPCRouteCoreFeatures.UnsortedList()...).
- Insert(features.TLSRouteCoreFeatures.UnsortedList()...)
+ Insert(features.TLSRouteCoreFeatures.UnsortedList()...).
+ Insert(features.TLSRouteExtendedFeatures.Intersection(extendedTLSRouteFeatures()).UnsortedList()...)
featureNames := make([]features.FeatureName, 0, featureSet.Len())
for f := range featureSet {
@@ -30,6 +31,14 @@ func extendedGatewayFeatures() sets.Set[features.Feature] {
return sets.New(features.GatewayPort8080Feature)
}
+// extendedTLSRouteFeatures returns the supported extended TLS Route features.
+func extendedTLSRouteFeatures() sets.Set[features.Feature] {
+ return sets.New(
+ features.TLSRouteModeTerminateFeature,
+ features.TLSRouteModeMixedFeature,
+ )
+}
+
// extendedHTTPRouteFeatures returns the supported extended HTTP Route features.
func extendedHTTPRouteFeatures() sets.Set[features.Feature] {
return sets.New(
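Review bot: Advertising `TLSRouteModeTerminateFeature` and `TLSRouteModeMixedFeature` in `extendedTLSRouteFeatures()` tells the Gateway API conformance suite to exercise TLS termination and mixed-mode listeners for TLSRoute, but nothing in this hunk shows the data-plane change that implements termination, so the claim should be backed by a conformance run covering those features before it ships. Intersecting the set with `features.TLSRouteExtendedFeatures` in the preceding hunk correctly prevents reporting a feature name that the upstream extended set does not contain.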
diff --git a/pkg/provider/kubernetes/gateway/fixtures/mixed/simple.yml b/pkg/provider/kubernetes/gateway/fixtures/mixed/simple.yml
index 35bd833e4..170167bda 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/mixed/simple.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/mixed/simple.yml
@@ -148,7 +148,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_core_group.yml b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_core_group.yml
index 3294e3a73..090520ee3 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_core_group.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_core_group.yml
@@ -121,7 +121,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-default
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_multiple_listeners_using_same_hostname_port_protocol.yml b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_multiple_listeners_using_same_hostname_port_protocol.yml
index cb0e19a60..e38fa3563 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_multiple_listeners_using_same_hostname_port_protocol.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_multiple_listeners_using_same_hostname_port_protocol.yml
@@ -166,7 +166,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_all.yml b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_all.yml
index 263302204..d3a4c4946 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_all.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_all.yml
@@ -144,7 +144,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-default
namespace: default
@@ -220,7 +220,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-bar
namespace: bar
diff --git a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_same.yml b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_same.yml
index 6bf1df73b..0bc063bf3 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_same.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_same.yml
@@ -144,7 +144,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-default
namespace: default
@@ -220,7 +220,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-bar
namespace: bar
diff --git a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_selector.yml b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_selector.yml
index 7fa26a504..bf42d5185 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_selector.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_namespace_selector.yml
@@ -167,7 +167,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-default
namespace: default
@@ -243,7 +243,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-bar
namespace: bar
diff --git a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_wrong_routes_selector.yml b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_wrong_routes_selector.yml
index 9d915f3e6..cad2fa0c1 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/mixed/with_wrong_routes_selector.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/mixed/with_wrong_routes_selector.yml
@@ -50,7 +50,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/simple_TLS_to_TLSRoute.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/simple_TLS_to_TLSRoute.yml
index b908be3f0..8304e4650 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/simple_TLS_to_TLSRoute.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/simple_TLS_to_TLSRoute.yml
@@ -42,7 +42,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/simple_nativelb.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/simple_nativelb.yml
index fde70d51e..e9b92f0d0 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/simple_nativelb.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/simple_nativelb.yml
@@ -42,7 +42,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_SNI_matching.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_SNI_matching.yml
index fa61b383f..80bee6c49 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_SNI_matching.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_SNI_matching.yml
@@ -30,7 +30,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_SNI_matching.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_SNI_matching.yml
index a99ac3ac5..ca486eeba 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_SNI_matching.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_SNI_matching.yml
@@ -30,7 +30,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_routes_kind.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_routes_kind.yml
index 3c6afe86e..c5c5ec32f 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_routes_kind.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_routes_kind.yml
@@ -76,7 +76,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_rules.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_rules.yml
index 44cd37953..4139db5b2 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_rules.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_multiple_rules.yml
@@ -30,7 +30,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_all.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_all.yml
index 763ce9006..64d7efb9d 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_all.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_all.yml
@@ -29,7 +29,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-default
namespace: default
@@ -50,7 +50,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-bar
namespace: bar
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_same.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_same.yml
index 473e7618b..260223d5a 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_same.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_same.yml
@@ -29,7 +29,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-default
namespace: default
@@ -50,7 +50,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-bar
namespace: bar
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_selector.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_selector.yml
index 25cd31c65..3e2fee518 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_selector.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_namespace_selector.yml
@@ -40,7 +40,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-default
namespace: default
@@ -61,7 +61,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-bar
namespace: bar
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_passthrough.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_passthrough.yml
index 149b4af98..d3bb207ed 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_passthrough.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_passthrough.yml
@@ -30,7 +30,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_passthrough_tls.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_passthrough_tls.yml
index 9ffc3a200..ec230e96c 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_passthrough_tls.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_passthrough_tls.yml
@@ -46,7 +46,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_http.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_http.yml
index 072f74477..f9534b036 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_http.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_http.yml
@@ -25,7 +25,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_https.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_https.yml
index 2b424d065..8b0d72160 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_https.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_https.yml
@@ -41,7 +41,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_tcp.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_tcp.yml
index 916506a4a..a712b471e 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_tcp.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_protocol_tcp.yml
@@ -25,7 +25,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_wrong_service_port.yml b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_wrong_service_port.yml
index 37fafa2ad..ba3d2d783 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_wrong_service_port.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/tlsroute/with_wrong_service_port.yml
@@ -43,7 +43,7 @@ spec:
---
kind: TLSRoute
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1
metadata:
name: tls-app-1
namespace: default
diff --git a/pkg/provider/kubernetes/gateway/httproute.go b/pkg/provider/kubernetes/gateway/httproute.go
index 7a6ec4b89..9fb65dfc7 100644
--- a/pkg/provider/kubernetes/gateway/httproute.go
+++ b/pkg/provider/kubernetes/gateway/httproute.go
@@ -609,7 +609,7 @@ func (p *Provider) loadServersTransport(namespace string, policy *gatev1.Backend
}
caCRT, ok := configMap.Data["ca.crt"]
- if !ok {
+ if !ok || caCRT == "" {
return nil, metav1.Condition{
Type: string(gatev1.BackendTLSPolicyConditionResolvedRefs),
Status: metav1.ConditionFalse,
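Review bot: rejecting an empty `ca.crt` together with a missing key is the right hardening here: an empty CA bundle would otherwise flow into the ServersTransport that this function builds, and backend verification would run without the trust anchor the BackendTLSPolicy was supposed to pin. Two follow-ups for this check: whitespace-only content is equally unusable and deserves the same treatment (`strings.TrimSpace(caCRT) == ""`), and the condition's `Message` below this hunk should say "missing or empty" so operators can tell which case they hit.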
diff --git a/pkg/provider/kubernetes/gateway/kubernetes.go b/pkg/provider/kubernetes/gateway/kubernetes.go
index 6525a75c3..8b7ea1e68 100644
--- a/pkg/provider/kubernetes/gateway/kubernetes.go
+++ b/pkg/provider/kubernetes/gateway/kubernetes.go
@@ -382,9 +382,10 @@ func (p *Provider) loadConfigurationFromGateways(ctx context.Context) *dynamic.C
p.loadGRPCRoutes(ctx, gatewayListeners, conf)
+ p.loadTLSRoutes(ctx, gatewayListeners, conf)
+
if p.ExperimentalChannel {
p.loadTCPRoutes(ctx, gatewayListeners, conf)
- p.loadTLSRoutes(ctx, gatewayListeners, conf)
}
for _, gateway := range gateways {
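Review bot: `loadTLSRoutes` now runs unconditionally, so a cluster that upgraded Traefik without reinstalling the Gateway API CRDs (TLSRoute still served only as `v1alpha2`) reaches this path on every configuration load. Confirm that the TLSRoute informer and lister behind `loadTLSRoutes` fail soft when the `v1` TLSRoute resource is absent (log and continue with the HTTP and GRPC routes) rather than aborting the whole Gateway configuration; the TCPRoute call keeps its `ExperimentalChannel` guard and so does not have this exposure.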
@@ -555,8 +556,8 @@ func (p *Provider) loadGatewayListeners(ctx context.Context, gateway *gatev1.Gat
}
// Allowed configurations:
- // Protocol TLS -> Passthrough -> TLSRoute/TCPRoute
- // Protocol TLS -> Terminate -> TLSRoute/TCPRoute
+ // Protocol TLS -> Passthrough -> TLSRoute
+ // Protocol TLS -> Terminate -> TLSRoute
// Protocol HTTPS -> Terminate -> HTTPRoute
if listener.Protocol == gatev1.HTTPSProtocolType && isTLSPassthrough {
gatewayListeners[i].Status.Conditions = append(gatewayListeners[i].Status.Conditions, metav1.Condition{
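Review bot: the comment now matches the narrowed `supportedRouteKinds` result, but dropping TCPRoute from `Protocol: TLS` listeners is a user-visible change (a Gateway whose TLS listener previously carried TCPRoutes stops routing them after the upgrade). That belongs in the v3 migration notes next to the TLSRoute graduation, not only in a code comment.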
@@ -995,20 +996,9 @@ func supportedRouteKinds(protocol gatev1.ProtocolType, experimentalChannel bool)
}, nil
case gatev1.TLSProtocolType:
- if experimentalChannel {
- return []gatev1.RouteGroupKind{
- {Kind: kindTCPRoute, Group: &group},
- {Kind: kindTLSRoute, Group: &group},
- }, nil
- }
-
- return nil, []metav1.Condition{{
- Type: string(gatev1.ListenerConditionConflicted),
- Status: metav1.ConditionTrue,
- LastTransitionTime: metav1.Now(),
- Reason: string(gatev1.ListenerReasonInvalidRouteKinds),
- Message: fmt.Sprintf("Protocol %q requires the experimental channel support to be enabled, please use the `experimentalChannel` option", protocol),
- }}
+ return []gatev1.RouteGroupKind{
+ {Kind: kindTLSRoute, Group: &group},
+ }, nil
}
return nil, []metav1.Condition{{
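Review bot: the TLS case no longer reads `experimentalChannel`; check that the parameter is still consumed by the other cases of `supportedRouteKinds` (the TCP protocol case is outside this hunk), otherwise the parameter and its call-site argument should go. Separately, a Gateway whose TLS listener lists `TCPRoute` under `allowedRoutes.kinds` is no longer a supported kind after this change; that deserves an explicit test case asserting the resulting listener condition, rather than being implied only by the emptied expectations in `kubernetes_test.go`.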
@@ -1098,7 +1088,8 @@ func findMatchingHostname(h1, h2 gatev1.Hostname) gatev1.Hostname {
return ""
}
- // since h1 is a suffix of h2, we know h2 is the more specific host
+ // h1 is a wildcard that encompasses h2, so h2 is always
+ // the more specific hostname (the correct intersection).
return h2
}
diff --git a/pkg/provider/kubernetes/gateway/kubernetes_test.go b/pkg/provider/kubernetes/gateway/kubernetes_test.go
index aebd3dd2c..ccb238265 100644
--- a/pkg/provider/kubernetes/gateway/kubernetes_test.go
+++ b/pkg/provider/kubernetes/gateway/kubernetes_test.go
@@ -4200,38 +4200,9 @@ func TestLoadTCPRoutes(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
- Routers: map[string]*dynamic.TCPRouter{
- "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls"},
- Service: "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
- },
- Middlewares: map[string]*dynamic.TCPMiddleware{},
- Services: map[string]*dynamic.TCPService{
- "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{{
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- }},
- },
- },
- "default-whoamitcp-9000": {
- LoadBalancer: &dynamic.TCPServersLoadBalancer{
- Servers: []dynamic.TCPServer{
- {
- Address: "10.10.0.9:9000",
- },
- {
- Address: "10.10.0.10:9000",
- },
- },
- },
- },
- },
+ Routers: map[string]*dynamic.TCPRouter{},
+ Middlewares: map[string]*dynamic.TCPMiddleware{},
+ Services: map[string]*dynamic.TCPService{},
ServersTransports: map[string]*dynamic.TCPServersTransport{},
},
HTTP: &dynamic.HTTPConfiguration{
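Review bot: the expected TCP configuration for this case is now empty, which only shows that the TCPRoute on the TLS listener produced no router; the test should also assert the listener and route status conditions so the rejection is explicit (a regression that silently dropped the route for an unrelated reason would pass this expectation unchanged). If the case is meant to be "TCPRoute on a TLS listener is rejected", naming it that way would help as well.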
@@ -4240,16 +4211,7 @@ func TestLoadTCPRoutes(t *testing.T) {
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
- TLS: &dynamic.TLSConfiguration{
- Certificates: []*tls.CertAndStores{
- {
- Certificate: tls.Certificate{
- CertFile: types.FileOrContent(listenerCert),
- KeyFile: types.FileOrContent(listenerKey),
- },
- },
- },
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -4799,6 +4761,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-TCP-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"TCP"},
Priority: 0,
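Review bot: the `deny-unknown-host` router (priority 1, rule `HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)`, backed by an empty `TCPServersLoadBalancer`) now appears in every expected TLSRoute configuration, but nothing in this diff explains why moving TLSRoute out of the experimental path starts emitting it. A short comment at the point in the loader that adds this catch-all would save the next reader a bisect. Behaviourally it is the right default: a non-HTTP TLS connection whose SNI matches no TLSRoute lands on a service with no servers and is closed instead of being forwarded, which is what a default-deny gateway should do.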
@@ -4810,6 +4778,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-TCP-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{{
@@ -4890,40 +4861,9 @@ func TestLoadTLSRoutes(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
- Routers: map[string]*dynamic.TCPRouter{
- "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tcp"},
- Service: "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
- },
- Middlewares: map[string]*dynamic.TCPMiddleware{},
- Services: map[string]*dynamic.TCPService{
- "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- },
- },
- },
- },
- "default-whoamitcp-9000": {
- LoadBalancer: &dynamic.TCPServersLoadBalancer{
- Servers: []dynamic.TCPServer{
- {
- Address: "10.10.0.9:9000",
- },
- {
- Address: "10.10.0.10:9000",
- },
- },
- },
- },
- },
+ Routers: map[string]*dynamic.TCPRouter{},
+ Middlewares: map[string]*dynamic.TCPMiddleware{},
+ Services: map[string]*dynamic.TCPService{},
ServersTransports: map[string]*dynamic.TCPServersTransport{},
},
HTTP: &dynamic.HTTPConfiguration{
@@ -4932,16 +4872,7 @@ func TestLoadTLSRoutes(t *testing.T) {
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
- TLS: &dynamic.TLSConfiguration{
- Certificates: []*tls.CertAndStores{
- {
- Certificate: tls.Certificate{
- CertFile: types.FileOrContent(listenerCert),
- KeyFile: types.FileOrContent(listenerKey),
- },
- },
- },
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -4956,42 +4887,9 @@ func TestLoadTLSRoutes(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
- Routers: map[string]*dynamic.TCPRouter{
- "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tcp"},
- Service: "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{
- Passthrough: true,
- },
- },
- },
- Middlewares: map[string]*dynamic.TCPMiddleware{},
- Services: map[string]*dynamic.TCPService{
- "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- },
- },
- },
- },
- "default-whoamitcp-9000": {
- LoadBalancer: &dynamic.TCPServersLoadBalancer{
- Servers: []dynamic.TCPServer{
- {
- Address: "10.10.0.9:9000",
- },
- {
- Address: "10.10.0.10:9000",
- },
- },
- },
- },
- },
+ Routers: map[string]*dynamic.TCPRouter{},
+ Middlewares: map[string]*dynamic.TCPMiddleware{},
+ Services: map[string]*dynamic.TCPService{},
ServersTransports: map[string]*dynamic.TCPServersTransport{},
},
HTTP: &dynamic.HTTPConfiguration{
@@ -5016,6 +4914,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tcp"},
Service: "tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr",
@@ -5029,6 +4933,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5077,12 +4984,11 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
- "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls"},
- Service: "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
},
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tcp"},
@@ -5097,15 +5003,8 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
- "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- },
- },
- },
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
},
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
@@ -5117,18 +5016,6 @@ func TestLoadTLSRoutes(t *testing.T) {
},
},
},
- "default-whoamitcp-9000": {
- LoadBalancer: &dynamic.TCPServersLoadBalancer{
- Servers: []dynamic.TCPServer{
- {
- Address: "10.10.0.9:9000",
- },
- {
- Address: "10.10.0.10:9000",
- },
- },
- },
- },
"default-whoamitcp-10000": {
LoadBalancer: &dynamic.TCPServersLoadBalancer{
Servers: []dynamic.TCPServer{
@@ -5150,16 +5037,7 @@ func TestLoadTLSRoutes(t *testing.T) {
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
- TLS: &dynamic.TLSConfiguration{
- Certificates: []*tls.CertAndStores{
- {
- Certificate: tls.Certificate{
- CertFile: types.FileOrContent(listenerCert),
- KeyFile: types.FileOrContent(listenerKey),
- },
- },
- },
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -5174,44 +5052,9 @@ func TestLoadTLSRoutes(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
- Routers: map[string]*dynamic.TCPRouter{
- "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls"},
- Service: "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
- },
- Middlewares: map[string]*dynamic.TCPMiddleware{},
- Services: map[string]*dynamic.TCPService{
- "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "service@file",
- Weight: ptr.To(1),
- },
- {
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- },
- },
- },
- },
- "default-whoamitcp-9000": {
- LoadBalancer: &dynamic.TCPServersLoadBalancer{
- Servers: []dynamic.TCPServer{
- {
- Address: "10.10.0.9:9000",
- },
- {
- Address: "10.10.0.10:9000",
- },
- },
- },
- },
- },
+ Routers: map[string]*dynamic.TCPRouter{},
+ Middlewares: map[string]*dynamic.TCPMiddleware{},
+ Services: map[string]*dynamic.TCPService{},
ServersTransports: map[string]*dynamic.TCPServersTransport{},
},
HTTP: &dynamic.HTTPConfiguration{
@@ -5220,16 +5063,7 @@ func TestLoadTLSRoutes(t *testing.T) {
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
- TLS: &dynamic.TLSConfiguration{
- Certificates: []*tls.CertAndStores{
- {
- Certificate: tls.Certificate{
- CertFile: types.FileOrContent(listenerCert),
- KeyFile: types.FileOrContent(listenerKey),
- },
- },
- },
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -5245,6 +5079,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls"},
Service: "tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
@@ -5258,6 +5098,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5305,6 +5148,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls"},
Service: "tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
@@ -5318,6 +5167,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5365,6 +5217,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls"},
Service: "tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
@@ -5378,6 +5236,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5425,6 +5286,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls"},
Service: "tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
@@ -5438,6 +5305,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5485,6 +5355,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls"},
Service: "tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
@@ -5498,6 +5374,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5545,6 +5424,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls"},
Service: "tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
@@ -5568,6 +5453,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5637,6 +5525,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-bar-tls-app-bar-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls"},
Service: "tlsroute-bar-tls-app-bar-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
@@ -5650,6 +5544,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-bar-tls-app-bar-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5697,6 +5594,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-gw-default-my-gateway-ep-tcp-1-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tcp-1"},
Service: "tlsroute-default-tls-app-gw-default-my-gateway-ep-tcp-1-0-e3b0c44298fc1c149afb-wrr",
@@ -5720,6 +5623,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-gw-default-my-gateway-ep-tcp-1-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5790,6 +5696,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tcp"},
Service: "tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr",
@@ -5803,6 +5715,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -5847,6 +5762,12 @@ func TestLoadTLSRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tcp"},
Service: "tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr",
@@ -5860,6 +5781,9 @@ func TestLoadTLSRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -6057,19 +5981,18 @@ func TestLoadMixedRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tcp"},
Service: "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr",
Rule: `HostSNI("*")`,
RuleSyntax: "default",
},
- "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls-1"},
- Service: "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
"tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-2-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls-2"},
Service: "tlsroute-default-tls-app-1-gw-default-my-gateway-ep-tls-2-0-e3b0c44298fc1c149afb-wrr",
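Review bot: the expectation drops the `tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-1-...` router outright, so a TCPRoute whose parentRef targets a TLS listener now silently yields no configuration, yet nothing in this hunk asserts what the route's parent status reports for `tls-1`. Add that status expectation (the route should be marked not accepted for the TLS listener with a reason a user can act on) and record the change in the migration notes, since such a route previously terminated TLS (`TLS: &dynamic.RouterTCPTLSConfig{}`) and forwarded the decrypted stream to `default-whoamitcp-9000`.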
@@ -6083,17 +6006,10 @@ func TestLoadMixedRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
- "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- },
- },
- },
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
},
- "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr": {
+ "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
{
@@ -6246,19 +6162,18 @@ func TestLoadMixedRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tcp"},
Service: "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr",
Rule: `HostSNI("*")`,
RuleSyntax: "default",
},
- "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls-1"},
- Service: "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
"tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-2-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls-2"},
Service: "tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-2-0-e3b0c44298fc1c149afb-wrr",
@@ -6272,17 +6187,10 @@ func TestLoadMixedRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
- "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- },
- },
- },
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
},
- "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr": {
+ "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
{
@@ -6407,19 +6315,18 @@ func TestLoadMixedRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tcp"},
Service: "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr",
Rule: `HostSNI("*")`,
RuleSyntax: "default",
},
- "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls-1"},
- Service: "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
"tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-2-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls-2"},
Service: "tlsroute-default-tls-app-default-gw-default-my-gateway-ep-tls-2-0-e3b0c44298fc1c149afb-wrr",
@@ -6436,27 +6343,13 @@ func TestLoadMixedRoutes(t *testing.T) {
Rule: `HostSNI("*")`,
RuleSyntax: "default",
},
- "tcproute-bar-tcp-app-bar-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls-1"},
- Service: "tcproute-bar-tcp-app-bar-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
- "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- },
- },
- },
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
},
- "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr": {
+ "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
{
@@ -6510,16 +6403,6 @@ func TestLoadMixedRoutes(t *testing.T) {
},
},
},
- "tcproute-bar-tcp-app-bar-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "bar-whoamitcp-bar-9000",
- Weight: ptr.To(1),
- },
- },
- },
- },
},
ServersTransports: map[string]*dynamic.TCPServersTransport{},
},
@@ -6665,19 +6548,18 @@ func TestLoadMixedRoutes(t *testing.T) {
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
+ "deny-unknown-host": {
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ },
"tcproute-bar-tcp-app-bar-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tcp"},
Service: "tcproute-bar-tcp-app-bar-gw-default-my-gateway-ep-tcp-0-e3b0c44298fc1c149afb-wrr",
Rule: `HostSNI("*")`,
RuleSyntax: "default",
},
- "tcproute-bar-tcp-app-bar-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls-1"},
- Service: "tcproute-bar-tcp-app-bar-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
"tlsroute-bar-tls-app-bar-gw-default-my-gateway-ep-tls-2-0-e3b0c44298fc1c149afb": {
EntryPoints: []string{"tls-2"},
Service: "tlsroute-bar-tls-app-bar-gw-default-my-gateway-ep-tls-2-0-e3b0c44298fc1c149afb-wrr",
@@ -6691,6 +6573,9 @@ func TestLoadMixedRoutes(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
+ "deny-unknown-host": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ },
"bar-whoamitcp-bar-9000": {
LoadBalancer: &dynamic.TCPServersLoadBalancer{
Servers: []dynamic.TCPServer{
@@ -6713,16 +6598,6 @@ func TestLoadMixedRoutes(t *testing.T) {
},
},
},
- "tcproute-bar-tcp-app-bar-gw-default-my-gateway-ep-tls-1-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "bar-whoamitcp-bar-9000",
- Weight: ptr.To(1),
- },
- },
- },
- },
"tlsroute-bar-tls-app-bar-gw-default-my-gateway-ep-tls-2-0-e3b0c44298fc1c149afb-wrr": {
Weighted: &dynamic.TCPWeightedRoundRobin{
Services: []dynamic.TCPWRRService{
@@ -6831,13 +6706,6 @@ func TestLoadMixedRoutes(t *testing.T) {
Rule: `HostSNI("*")`,
RuleSyntax: "default",
},
- "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls"},
- Service: "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
@@ -6851,16 +6719,6 @@ func TestLoadMixedRoutes(t *testing.T) {
},
},
},
- "tcproute-default-tcp-app-default-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{
- {
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- },
- },
- },
- },
"default-whoamitcp-9000": {
LoadBalancer: &dynamic.TCPServersLoadBalancer{
Servers: []dynamic.TCPServer{
@@ -7108,38 +6966,9 @@ func TestLoadRoutesWithReferenceGrants(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
- Routers: map[string]*dynamic.TCPRouter{
- "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb": {
- EntryPoints: []string{"tls"},
- Service: "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr",
- Rule: `HostSNI("*")`,
- RuleSyntax: "default",
- TLS: &dynamic.RouterTCPTLSConfig{},
- },
- },
- Middlewares: map[string]*dynamic.TCPMiddleware{},
- Services: map[string]*dynamic.TCPService{
- "tcproute-default-tcp-app-1-gw-default-my-gateway-ep-tls-0-e3b0c44298fc1c149afb-wrr": {
- Weighted: &dynamic.TCPWeightedRoundRobin{
- Services: []dynamic.TCPWRRService{{
- Name: "default-whoamitcp-9000",
- Weight: ptr.To(1),
- }},
- },
- },
- "default-whoamitcp-9000": {
- LoadBalancer: &dynamic.TCPServersLoadBalancer{
- Servers: []dynamic.TCPServer{
- {
- Address: "10.10.0.9:9000",
- },
- {
- Address: "10.10.0.10:9000",
- },
- },
- },
- },
- },
+ Routers: map[string]*dynamic.TCPRouter{},
+ Middlewares: map[string]*dynamic.TCPMiddleware{},
+ Services: map[string]*dynamic.TCPService{},
ServersTransports: map[string]*dynamic.TCPServersTransport{},
},
HTTP: &dynamic.HTTPConfiguration{
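Review bot: this case now asserts an entirely empty TCP configuration and no TLS certificate, which turns the ReferenceGrant test for the `tls` listener into a test that nothing is generated and no longer exercises the cross-namespace grant path at all. TLSRoute is now served from the v1 API in this package, so rewrite the case with a TLSRoute on the `tls` listener and keep a positive expectation (a `HostSNI` router, the `-wrr` service and the two `default-whoamitcp-9000` servers) rather than deleting the scenario; an accidental regression in the grant check would otherwise go unnoticed here.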
@@ -7148,16 +6977,7 @@ func TestLoadRoutesWithReferenceGrants(t *testing.T) {
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
- TLS: &dynamic.TLSConfiguration{
- Certificates: []*tls.CertAndStores{
- {
- Certificate: tls.Certificate{
- CertFile: types.FileOrContent(listenerCert),
- KeyFile: types.FileOrContent(listenerKey),
- },
- },
- },
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -7652,6 +7472,13 @@ func Test_findMatchingHostnames(t *testing.T) {
want: []gatev1.Hostname{"bar.foo.com"},
wantOk: true,
},
+ {
+ desc: "Matching subdomain wildcard with listener wildcard",
+ listenerHostname: ptr.To(gatev1.Hostname("*.foo.com")),
+ routeHostnames: []gatev1.Hostname{"*.bar.foo.com"},
+ want: []gatev1.Hostname{"*.bar.foo.com"},
+ wantOk: true,
+ },
{
desc: "Matching subsubdomain with listener wildcard",
listenerHostname: ptr.To(gatev1.Hostname("*.foo.com")),
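Review bot: the new case only covers the direction where the route wildcard (`*.bar.foo.com`) is narrower than the listener wildcard (`*.foo.com`); add the mirror case, listener `*.bar.foo.com` with route `*.foo.com`, and pin the expected result explicitly (either `wantOk: false` or the intersection `*.bar.foo.com`, whichever the function is meant to return). That direction is the one that matters for isolation when several namespaces share a Gateway, because it is where a route could claim a broader hostname set than its listener grants.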
diff --git a/pkg/provider/kubernetes/gateway/tlsroute.go b/pkg/provider/kubernetes/gateway/tlsroute.go
index 4252e04e8..d1fa8169b 100644
--- a/pkg/provider/kubernetes/gateway/tlsroute.go
+++ b/pkg/provider/kubernetes/gateway/tlsroute.go
@@ -16,7 +16,6 @@ import (
ktypes "k8s.io/apimachinery/pkg/types"
"k8s.io/utils/ptr"
gatev1 "sigs.k8s.io/gateway-api/apis/v1"
- gatev1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
)
func (p *Provider) loadTLSRoutes(ctx context.Context, gatewayListeners []gatewayListener, conf *dynamic.Configuration) {
@@ -37,9 +36,9 @@ func (p *Provider) loadTLSRoutes(ctx context.Context, gatewayListeners []gateway
continue
}
- var parentStatuses []gatev1alpha2.RouteParentStatus
+ var parentStatuses []gatev1.RouteParentStatus
for _, parentRef := range route.Spec.ParentRefs {
- parentStatus := &gatev1alpha2.RouteParentStatus{
+ parentStatus := &gatev1.RouteParentStatus{
ParentRef: parentRef,
ControllerName: controllerName,
Conditions: []metav1.Condition{
@@ -84,8 +83,22 @@ func (p *Provider) loadTLSRoutes(ctx context.Context, gatewayListeners []gateway
parentStatuses = append(parentStatuses, *parentStatus)
}
- routeStatus := gatev1alpha2.TLSRouteStatus{
- RouteStatus: gatev1alpha2.RouteStatus{
+ // When there is at least one TLS listener, we add a default deny-all route to avoid accepting traffic for undefined hosts.
+ // Note that when there is HTTPS listeners this will predate the traffic and reject the connection to undefined hosts instead of returning a 404.
+ if len(conf.TCP.Routers) > 0 {
+ conf.TCP.Routers["deny-unknown-host"] = &dynamic.TCPRouter{
+ Rule: "HostSNI(`*`) && !ALPN(`h2`) && !ALPN(`http/1.1`)",
+ Priority: 1,
+ Service: "deny-unknown-host",
+ TLS: &dynamic.RouterTCPTLSConfig{},
+ }
+ conf.TCP.Services["deny-unknown-host"] = &dynamic.TCPService{
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{},
+ }
+ }
+
+ routeStatus := gatev1.TLSRouteStatus{
+ RouteStatus: gatev1.RouteStatus{
Parents: parentStatuses,
},
}
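Review bot: the guard `if len(conf.TCP.Routers) > 0` does not implement the comment above it. It fires whenever any TCP router exists, including routers produced by plain TCPRoutes on non-TLS listeners, and because it sits inside the per-route loop (`routeStatus` for the current route is built right after it) it runs once per TLSRoute and never when a Gateway has TLS listeners but no TLSRoute; key the block on `gatewayListeners` containing at least one TLS listener and hoist it after the loop. Second, the router sets no `EntryPoints`, so it attaches to every entrypoint rather than only those backing TLS listeners; set `EntryPoints` to the TLS listeners' entrypoints, and check that a TLS ClientHello without `h2`/`http/1.1` ALPN arriving on a plain TCP listener (a database client doing its own TLS, for instance) is still delivered raw to the TCPRoute's HostSNI(`*`) router instead of being closed by this one. Third, the ALPN exclusion is the only thing keeping HTTPS traffic out of the deny path, so HTTPS clients that send no ALPN get a closed connection instead of a 404; that deserves a line in the provider docs. Finally, fix the comment wording: "when there is HTTPS listeners this will predate the traffic" should read "when there are HTTPS listeners this takes precedence over the HTTP routers".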
@@ -97,7 +110,7 @@ func (p *Provider) loadTLSRoutes(ctx context.Context, gatewayListeners []gateway
}
}
-func (p *Provider) loadTLSRoute(listener gatewayListener, route *gatev1alpha2.TLSRoute, hostnames []gatev1.Hostname) (*dynamic.Configuration, metav1.Condition) {
+func (p *Provider) loadTLSRoute(listener gatewayListener, route *gatev1.TLSRoute, hostnames []gatev1.Hostname) (*dynamic.Configuration, metav1.Condition) {
conf := &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{
Routers: make(map[string]*dynamic.TCPRouter),
@@ -157,7 +170,7 @@ func (p *Provider) loadTLSRoute(listener gatewayListener, route *gatev1alpha2.TL
}
// loadTLSWRRService is generating a WRR service, even when there is only one target.
-func (p *Provider) loadTLSWRRService(conf *dynamic.Configuration, routeKey string, backendRefs []gatev1.BackendRef, route *gatev1alpha2.TLSRoute) (string, *metav1.Condition) {
+func (p *Provider) loadTLSWRRService(conf *dynamic.Configuration, routeKey string, backendRefs []gatev1.BackendRef, route *gatev1.TLSRoute) (string, *metav1.Condition) {
name := routeKey + "-wrr"
if _, ok := conf.TCP.Services[name]; ok {
return name, nil
@@ -200,7 +213,7 @@ func (p *Provider) loadTLSWRRService(conf *dynamic.Configuration, routeKey strin
return name, condition
}
-func (p *Provider) loadTLSService(route *gatev1alpha2.TLSRoute, backendRef gatev1.BackendRef) (string, *dynamic.TCPService, *metav1.Condition) {
+func (p *Provider) loadTLSService(route *gatev1.TLSRoute, backendRef gatev1.BackendRef) (string, *dynamic.TCPService, *metav1.Condition) {
kind := ptr.Deref(backendRef.Kind, kindService)
group := groupCore
@@ -265,7 +278,7 @@ func (p *Provider) loadTLSService(route *gatev1alpha2.TLSRoute, backendRef gatev
return serviceName, &dynamic.TCPService{LoadBalancer: lb}, nil
}
-func (p *Provider) loadTLSServers(namespace string, route *gatev1alpha2.TLSRoute, backendRef gatev1.BackendRef) (*dynamic.TCPServersLoadBalancer, *metav1.Condition) {
+func (p *Provider) loadTLSServers(namespace string, route *gatev1.TLSRoute, backendRef gatev1.BackendRef) (*dynamic.TCPServersLoadBalancer, *metav1.Condition) {
backendAddresses, svcPort, err := p.getBackendAddresses(namespace, backendRef)
if err != nil {
return nil, &metav1.Condition{
@@ -331,7 +344,7 @@ func hostSNIRule(hostnames []gatev1.Hostname) (string, int) {
continue
}
- host = strings.Replace(regexp.QuoteMeta(host), `\*\.`, `[a-z0-9-\.]+\.`, 1)
+ host = strings.Replace(regexp.QuoteMeta(host), `\*\.`, `[a-z0-9-]+\.`, 1)
rules = append(rules, fmt.Sprintf("HostSNIRegexp(%q)", fmt.Sprintf("^%s$", host)))
}
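Review bot: narrowing `[a-z0-9-\.]+` to `[a-z0-9-]+` means `*.foo` still matches `a.foo` but no longer `a.b.foo`, a user-visible change in which SNI values a TLSRoute accepts; the updated Test_hostSNIRule cases only compare the generated rule string, so add a case that compiles the produced regexp and asserts `a.b.foo` is rejected while `a.foo` is accepted, and mention the change in the migration notes. Also confirm that the TCP muxer lowercases the SNI before `HostSNIRegexp` is evaluated: the class is lowercase-only, so an SNI such as `A.foo` would otherwise miss this route and fall through to whatever catch-all exists.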
diff --git a/pkg/provider/kubernetes/gateway/tlsroute_test.go b/pkg/provider/kubernetes/gateway/tlsroute_test.go
index af66b65f7..6e1a9636b 100644
--- a/pkg/provider/kubernetes/gateway/tlsroute_test.go
+++ b/pkg/provider/kubernetes/gateway/tlsroute_test.go
@@ -29,7 +29,7 @@ func Test_hostSNIRule(t *testing.T) {
{
desc: "Supported wildcard",
hostnames: []gatev1.Hostname{"*.foo"},
- expectedRule: `HostSNIRegexp("^[a-z0-9-\\.]+\\.foo$")`,
+ expectedRule: `HostSNIRegexp("^[a-z0-9-]+\\.foo$")`,
expectedPriority: 4,
},
{
@@ -53,7 +53,7 @@ func Test_hostSNIRule(t *testing.T) {
{
desc: "Multiple valid hostnames with wildcard",
hostnames: []gatev1.Hostname{"bar.foo", "foo.foo", "*.foo"},
- expectedRule: `HostSNI("bar.foo") || HostSNI("foo.foo") || HostSNIRegexp("^[a-z0-9-\\.]+\\.foo$")`,
+ expectedRule: `HostSNI("bar.foo") || HostSNI("foo.foo") || HostSNIRegexp("^[a-z0-9-]+\\.foo$")`,
expectedPriority: 7,
},
{
diff --git a/pkg/provider/kubernetes/knative/kubernetes_test.go b/pkg/provider/kubernetes/knative/kubernetes_test.go
index 08ea0e2c3..ad7b5e761 100644
--- a/pkg/provider/kubernetes/knative/kubernetes_test.go
+++ b/pkg/provider/kubernetes/knative/kubernetes_test.go
@@ -12,6 +12,8 @@ import (
"github.com/traefik/traefik/v3/pkg/config/dynamic"
"github.com/traefik/traefik/v3/pkg/provider/kubernetes/k8s"
"k8s.io/apimachinery/pkg/runtime"
+ clientfeatures "k8s.io/client-go/features"
+ clientfeaturestesting "k8s.io/client-go/features/testing"
kubefake "k8s.io/client-go/kubernetes/fake"
kscheme "k8s.io/client-go/kubernetes/scheme"
"k8s.io/utils/ptr"
@@ -264,6 +266,11 @@ func Test_loadConfiguration(t *testing.T) {
},
}
+ // Disable WatchListClient because the knative informers (third-party dependency)
+ // don't wrap their ListWatch with cache.ToListWatcherWithWatchListSemantics,
+ // which causes fake clients to hang waiting for bookmark events.
+ clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, false)
+
for _, testCase := range testCases {
t.Run(testCase.desc, func(t *testing.T) {
t.Parallel()
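Review bot: `clientfeaturestesting.SetFeatureDuringTest` flips a process-wide client-go feature gate, and the subtests below run with `t.Parallel()`. Within this function that is fine, since the cleanup that restores the gate runs after the parallel subtests finish, but any other top-level test in this package that is itself marked parallel will observe `WatchListClient` disabled while this one runs. Either state in the comment that the package relies on its top-level tests running sequentially, or apply the override in a `TestMain` so every test in the package sees the same gate state.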
diff --git a/script/code-gen.sh b/script/code-gen.sh
index 3f0112f35..bf1cc97ed 100755
--- a/script/code-gen.sh
+++ b/script/code-gen.sh
@@ -4,7 +4,7 @@ set -e -o pipefail
PROJECT_MODULE="github.com/traefik/traefik"
MODULE_VERSION="v3"
-KUBE_VERSION=v0.34.3
+KUBE_VERSION=v0.35.2
CURRENT_DIR="$(pwd)"
go install "k8s.io/code-generator/cmd/deepcopy-gen@${KUBE_VERSION}"
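Review bot: bumping `KUBE_VERSION` to v0.35.2 only pins the code-generator binaries; the generated deepcopy output has to match the `k8s.io/apimachinery` version in go.mod, so confirm go.mod was moved to the same v0.35.x line in this change and the generated files were regenerated, otherwise the next `make generate` produces a diff against what is committed. It is also worth failing the script early when the two disagree, for example by comparing `KUBE_VERSION` against `go list -m -f '{{.Version}}' k8s.io/apimachinery` before the `go install` lines.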