From 711bb738c5b0ebd18a45d180923179a560749d43 Mon Sep 17 00:00:00 2001 From: Daneyon Hansen Date: Mon, 10 May 2021 14:31:51 -0700 Subject: [PATCH] Updates Examples for Gateway API Support Signed-off-by: Daneyon Hansen --- Makefile | 1 + examples/gateway/00-common.yaml | 17 + examples/gateway/01-contour-config.yaml | 144 + examples/gateway/01-crds.yaml | 2470 ++++++++ examples/gateway/01-gateway-crds.yaml | 3329 +++++++++++ examples/gateway/02-job-certgen.yaml | 73 + examples/gateway/02-rbac.yaml | 15 + examples/gateway/02-role-contour.yaml | 153 + examples/gateway/02-service-contour.yaml | 15 + examples/gateway/03-contour.yaml | 104 + examples/gateway/03-envoy.yaml | 134 + examples/gateway/04-gatewayclass.yaml | 7 + examples/gateway/05-gateway.yaml | 16 + examples/render/contour-gateway.yaml | 6505 ++++++++++++++++++++++ hack/generate-gateway-deployment.sh | 41 + 15 files changed, 13024 insertions(+) create mode 100644 examples/gateway/00-common.yaml create mode 100644 examples/gateway/01-contour-config.yaml create mode 100644 examples/gateway/01-crds.yaml create mode 100644 examples/gateway/01-gateway-crds.yaml create mode 100644 examples/gateway/02-job-certgen.yaml create mode 100644 examples/gateway/02-rbac.yaml create mode 100644 examples/gateway/02-role-contour.yaml create mode 100644 examples/gateway/02-service-contour.yaml create mode 100644 examples/gateway/03-contour.yaml create mode 100644 examples/gateway/03-envoy.yaml create mode 100644 examples/gateway/04-gatewayclass.yaml create mode 100644 examples/gateway/05-gateway.yaml create mode 100644 examples/render/contour-gateway.yaml create mode 100755 hack/generate-gateway-deployment.sh diff --git a/Makefile b/Makefile index d8c280c5232..e1904f326fa 100644 --- a/Makefile +++ b/Makefile @@ -209,6 +209,7 @@ generate-crd-deepcopy: generate-deployment: @echo Generating example deployment files ... @./hack/generate-deployment.sh + @./hack/generate-gateway-deployment.sh .PHONY: generate-crd-yaml generate-crd-yaml: diff --git a/examples/gateway/00-common.yaml b/examples/gateway/00-common.yaml new file mode 100644 index 00000000000..c037ee61b48 --- /dev/null +++ b/examples/gateway/00-common.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour + namespace: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy + namespace: projectcontour diff --git a/examples/gateway/01-contour-config.yaml b/examples/gateway/01-contour-config.yaml new file mode 100644 index 00000000000..7203217da5c --- /dev/null +++ b/examples/gateway/01-contour-config.yaml @@ -0,0 +1,144 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: contour + namespace: projectcontour +data: + contour.yaml: | + # + # server: + # determine which XDS Server implementation to utilize in Contour. + # xds-server-type: contour + # + # Specify the gateway-api Gateway Contour should watch. + gateway: + name: contour + namespace: projectcontour + # + # should contour expect to be running inside a k8s cluster + # incluster: true + # + # path to kubeconfig (if not running inside a k8s cluster) + # kubeconfig: /path/to/.kube/config + # + # Disable RFC-compliant behavior to strip "Content-Length" header if + # "Tranfer-Encoding: chunked" is also set. + # disableAllowChunkedLength: false + # Disable HTTPProxy permitInsecure field + disablePermitInsecure: false + tls: + # minimum TLS version that Contour will negotiate + # minimum-protocol-version: "1.2" + # TLS ciphers to be supported by Envoy TLS listeners when negotiating + # TLS 1.2. + # cipher-suites: + # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + # - 'ECDHE-ECDSA-AES256-GCM-SHA384' + # - 'ECDHE-RSA-AES256-GCM-SHA384' + # Defines the Kubernetes name/namespace matching a secret to use + # as the fallback certificate when requests which don't match the + # SNI defined for a vhost. + fallback-certificate: + # name: fallback-secret-name + # namespace: projectcontour + envoy-client-certificate: + # name: envoy-client-cert-secret-name + # namespace: projectcontour + # The following config shows the defaults for the leader election. + # leaderelection: + # configmap-name: leader-elect + # configmap-namespace: projectcontour + ### Logging options + # Default setting + accesslog-format: envoy + # To enable JSON logging in Envoy + # accesslog-format: json + # The default fields that will be logged are specified below. + # To customise this list, just add or remove entries. + # The canonical list is available at + # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields + # json-fields: + # - "@timestamp" + # - "authority" + # - "bytes_received" + # - "bytes_sent" + # - "downstream_local_address" + # - "downstream_remote_address" + # - "duration" + # - "method" + # - "path" + # - "protocol" + # - "request_id" + # - "requested_server_name" + # - "response_code" + # - "response_flags" + # - "uber_trace_id" + # - "upstream_cluster" + # - "upstream_host" + # - "upstream_local_address" + # - "upstream_service_time" + # - "user_agent" + # - "x_forwarded_for" + # + # default-http-versions: + # - "HTTP/2" + # - "HTTP/1.1" + # + # The following shows the default proxy timeout settings. + # timeouts: + # request-timeout: infinity + # connection-idle-timeout: 60s + # stream-idle-timeout: 5m + # max-connection-duration: infinity + # delayed-close-timeout: 1s + # connection-shutdown-grace-period: 5s + # + # Envoy cluster settings. + # cluster: + # configure the cluster dns lookup family + # valid options are: auto (default), v4, v6 + # dns-lookup-family: auto + # + # Envoy network settings. + # network: + # Configure the number of additional ingress proxy hops from the + # right side of the x-forwarded-for HTTP header to trust. + # num-trusted-hops: 0 + # + # Configure an optional global rate limit service. + # rateLimitService: + # Identifies the extension service defining the rate limit service, + # formatted as /. + # extensionService: projectcontour/ratelimit + # Defines the rate limit domain to pass to the rate limit service. + # Acts as a container for a set of rate limit definitions within + # the RLS. + # domain: contour + # Defines whether to allow requests to proceed when the rate limit + # service fails to respond with a valid rate limit decision within + # the timeout defined on the extension service. + # failOpen: false + # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, + # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF + # Internet-Draft linked below), on responses to clients when the Rate + # Limit Service is consulted for a request. + # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + # enableXRateLimitHeaders: false + # + # Global Policy settings. + # policy: + # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) + # request-headers: + # set: + # # example: the hostname of the Envoy instance that proxied the request + # X-Envoy-Hostname: %HOSTNAME% + # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for + # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% + # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) + # response-headers: + # set: + # # example: Envoy flags that provide additional details about the response or connection + # X-Envoy-Response-Flags: %RESPONSE_FLAGS% + # diff --git a/examples/gateway/01-crds.yaml b/examples/gateway/01-crds.yaml new file mode 100644 index 00000000000..085b3ab6363 --- /dev/null +++ b/examples/gateway/01-crds.yaml @@ -0,0 +1,2470 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: extensionservices.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ExtensionService + listKind: ExtensionServiceList + plural: extensionservices + shortNames: + - extensionservice + - extensionservices + singular: extensionservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExtensionService is the schema for the Contour extension services + API. An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating components. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExtensionServiceSpec defines the desired state of an ExtensionService + resource. + properties: + loadBalancerPolicy: + description: The policy for load balancing GRPC service requests. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy is chosen. + If an element of the supplied list of hash policies is invalid, + it will be ignored. If the list of hash policies is empty after + validation, the load balancing strategy will fall back the the + default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for an + individual hash policy on a request attribute. + properties: + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must be + the only hash option field set, otherwise this request + hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP request + header that will be used to calculate the hash key. + If the header specified is not present on a request, + no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to true, + and the request attribute specified in the attribute hash + options is present, no further hash policies will be used + to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are `Random`, + `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. + If an unknown strategy name is specified or no policy is supplied, + the default `RoundRobin` policy is used. + type: string + type: object + protocol: + description: Protocol may be used to specify (or override) the protocol + used to reach this Service. Values may be h2 or h2c. If omitted, + protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + type: string + protocolVersion: + description: This field sets the version of the GRPC protocol that + Envoy uses to send requests to the extension service. Since Contour + always uses the v3 Envoy API, this is currently fixed at "v3". However, + other protocol options will be available in future. + enum: + - v3 + type: string + services: + description: Services specifies the set of Kubernetes Service resources + that receive GRPC extension API requests. If no weights are specified + for any of the entries in this array, traffic will be spread evenly + across all the services. Otherwise, traffic is balanced proportionally + to the Weight field in each entry. + items: + description: ExtensionServiceTarget defines an Kubernetes Service + to target with extension service traffic. + properties: + name: + description: Name is the name of Kubernetes service that will + accept service traffic. + type: string + port: + description: Port (defined as Integer) to proxy traffic to since + a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + weight: + description: Weight defines proportion of traffic to balance + to the Kubernetes Service. + format: int32 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for requests to the services. + properties: + idle: + description: Timeout after which, if there are no active requests + for this route, the connection between Envoy and the backend + or Envoy and the external client will be closed. If not specified, + there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, Envoy's + default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + validation: + description: UpstreamValidation defines how to verify the backend + service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to validate + the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in the 'subjectAltName' + of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + required: + - services + type: object + status: + description: ExtensionServiceStatus defines the observed state of an ExtensionService + resource. + properties: + conditions: + description: "Conditions contains the current status of the ExtensionService + resource. \n Contour will update a single condition, `Valid`, that + is in normal-true polarity. \n Contour will not modify any other + Conditions set in this block, in case some other controller wants + to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: httpproxies.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: HTTPProxy + listKind: HTTPProxyList + plural: httpproxies + shortNames: + - proxy + - proxies + singular: httpproxy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Fully qualified domain name + jsonPath: .spec.virtualhost.fqdn + name: FQDN + type: string + - description: Secret with TLS credentials + jsonPath: .spec.virtualhost.tls.secretName + name: TLS Secret + type: string + - description: The current status of the HTTPProxy + jsonPath: .status.currentStatus + name: Status + type: string + - description: Description of the current status + jsonPath: .status.description + name: Status Description + type: string + name: v1 + schema: + openAPIV3Schema: + description: HTTPProxy is an Ingress CRD specification. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HTTPProxySpec defines the spec of the CRD. + properties: + includes: + description: Includes allow for specific routing configuration to + be included from another HTTPProxy, possibly in another namespace. + items: + description: Include describes a set of policies that can be applied + to an HTTPProxy in a namespace. + properties: + conditions: + description: 'Conditions are a set of rules that are applied + to included HTTPProxies. In effect, they are added onto the + Conditions of included HTTPProxy Route structs. When applied, + they are merged using AND, with one exception: There can be + only one Prefix MatchCondition per Conditions slice. More + than one Prefix, or contradictory Conditions, will make the + include invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + name: + description: Name of the HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + type: array + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host. + properties: + authPolicy: + description: AuthPolicy updates the authorization policy that + was set on the root HTTPProxy object for client requests that + match this route. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that are + sent to the authentication server in the check request. + If a context is provided at an enclosing scope, the entries + are merged such that the inner scope overrides matching + keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + conditions: + description: 'Conditions are a set of rules that are applied + to a Route. When applied, they are merged using AND, with + one exception: There can be only one Prefix MatchCondition + per Conditions slice. More than one Prefix, or contradictory + Conditions, will make the route invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + enableWebsockets: + description: Enables websocket support for the route. + type: boolean + healthCheckPolicy: + description: The health check policy for this route. + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP health + check request. If left empty (default value), the name + "contour-envoy-healthcheck" will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + loadBalancerPolicy: + description: The load balancing policy for this route. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash + policies to apply when the `RequestHash` load balancing + strategy is chosen. If an element of the supplied list + of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load + balancing strategy will fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration + for an individual hash policy on a request attribute. + properties: + headerHashOptions: + description: HeaderHashOptions should be set when + request header hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not + present on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set + to true, and the request attribute specified in + the attribute hash options is present, no further + hash policies will be used to calculate a hash for + the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy + names are `Random`, `RoundRobin`, `WeightedLeastRequest`, + `Cookie`, and `RequestHash`. If an unknown strategy name + is specified or no policy is supplied, the default `RoundRobin` + policy is used. + type: string + type: object + pathRewritePolicy: + description: The policy for rewriting the path of the request + URL after the request has been routed to a Service. + properties: + replacePrefix: + description: ReplacePrefix describes how the path prefix + should be replaced. + items: + description: ReplacePrefix describes a path prefix replacement. + properties: + prefix: + description: "Prefix specifies the URL path prefix + to be replaced. \n If Prefix is specified, it must + exactly match the MatchCondition prefix that is + rendered by the chain of including HTTPProxies and + only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through + multiple roots to only replace specific path prefixes, + leaving others unmodified. \n If Prefix is not specified, + all routing prefixes rendered by the include chain + will be replaced." + minLength: 1 + type: string + replacement: + description: Replacement is the string that the routing + path prefix will be replaced with. This must not + be empty. + minLength: 1 + type: string + required: + - replacement + type: object + type: array + type: object + permitInsecure: + description: Allow this path to respond to insecure requests + over HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + rateLimitPolicy: + description: The policy for rate limiting on the route. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. parameters defining descriptors that are sent to + an external rate limit service (RLS) for a rate limit + decision on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit + service. Each descriptor contains 1+ key-value pair + entries. + items: + description: RateLimitDescriptor defines a list of + key-value pair generators. + properties: + entries: + description: Entries is the list of key-value + pair generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this + struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of + the descriptor entry. If not set, + the key is set to "generic_key". + type: string + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given + header is present on the request. The + descriptor key is static, and the descriptor + value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the + name of the header to look for on + the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if + the request's headers match a set of 1+ + match criteria. The descriptor key is + "header_match", and the descriptor value + is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match + the match criteria in order to generate + a descriptor entry (i.e. true), or + not match the match criteria in order + to generate a descriptor entry (i.e. + false). The default is true. + type: boolean + headers: + description: Headers is a list of 1+ + match criteria to apply against the + request to determine whether to populate + the descriptor entry or not. + items: + description: HeaderMatchCondition + specifies how to conditionally match + against HTTP headers. The Name field + is required, but only one of the + remaining fields should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a + string that the header value + must be equal to. + type: string + name: + description: Name is the name + of the header to match against. + Name is required. Header names + are case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be + present in the header value. + type: string + notexact: + description: NoExact specifies + a string that the header value + must not be equal to. The condition + is true if the header has any + other value. + type: string + notpresent: + description: NotPresent specifies + that condition is true when + the named header is not present. + Note that setting NotPresent + to false does not make the condition + true if the named header is + present. + type: boolean + present: + description: Present specifies + that condition is true when + the named header is present, + regardless of its value. Note + that setting Present to false + does not make the condition + true if the named header is + absent. + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per + unit of time should be allowed before rate limiting + occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within + which requests over the limit will be rate limited. + Valid values are "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + retryPolicy: + description: The retry policy for this route. + properties: + count: + description: NumRetries is maximum allowed number of retries. + If not supplied, the number of retries is one. + format: int64 + minimum: 0 + type: integer + perTryTimeout: + description: PerTryTimeout specifies the timeout per retry + attempt. Ignored if NumRetries is not supplied. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + retriableStatusCodes: + description: "RetriableStatusCodes specifies the HTTP status + codes that should be retried. \n This field is only respected + when you include `retriable-status-codes` in the `RetryOn` + field." + items: + format: int32 + type: integer + type: array + retryOn: + description: "RetryOn specifies the conditions on which + to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + \n - `5xx` - `gateway-error` - `reset` - `connect-failure` + - `retriable-4xx` - `refused-stream` - `retriable-status-codes` + - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + \n - `cancelled` - `deadline-exceeded` - `internal` - + `resource-exhausted` - `unavailable`" + items: + description: RetryOn is a string type alias with validation + to ensure that the value is valid. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - retriable-headers + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + services: + description: Services are the services to proxy traffic. + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to + proxy traffic. Names defined here will be used to look + up corresponding endpoints which contain the ips to + route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may + be tls, h2, h2c. If omitted, protocol-selection falls + back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers + during proxying. Rewriting the 'Host' header is not + supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify + the backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used + to validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for this route. + properties: + idle: + description: Timeout after which, if there are no active + requests for this route, the connection between Envoy + and the backend or Envoy and the external client will + be closed. If not specified, there is no per-route idle + timeout, though a connection manager-wide stream_idle_timeout + default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, + Envoy's default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + required: + - services + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + healthCheckPolicy: + description: The health check policy for this tcp proxy + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int32 + type: integer + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int32 + type: integer + type: object + include: + description: Include specifies that this tcpproxy should be delegated + to another HTTPProxy. + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + includes: + description: "IncludesDeprecated allow for specific routing configuration + to be appended to another HTTPProxy in another namespace. \n + Exists due to a mistake when developing HTTPProxy and the field + was marked plural when it should have been singular. This field + should stay to not break backwards compatibility to v1 users." + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + loadBalancerPolicy: + description: The load balancing policy for the backend services. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy + is chosen. If an element of the supplied list of hash policies + is invalid, it will be ignored. If the list of hash policies + is empty after validation, the load balancing strategy will + fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for + an individual hash policy on a request attribute. + properties: + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must + be the only hash option field set, otherwise this + request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not present + on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to + true, and the request attribute specified in the attribute + hash options is present, no further hash policies + will be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy names + are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may be + tls, h2, h2c. If omitted, protocol-selection falls back + on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to + validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + type: object + virtualhost: + description: Virtualhost appears at most once. If it is present, the + object is considered to be a "root" HTTPProxy. + properties: + authorization: + description: This field configures an extension service to perform + authorization for this virtual host. Authorization can only + be configured on virtual hosts that have TLS enabled. If the + TLS configuration requires client certificate validation, the + client certificate is always included in the authentication + check request. + properties: + authPolicy: + description: AuthPolicy sets a default authorization policy + for client requests. This policy will be used unless overridden + by individual routes. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that + are sent to the authentication server in the check request. + If a context is provided at an enclosing scope, the + entries are merged such that the inner scope overrides + matching keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this field + is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this field + is not specifies, the namespace of the resource that + targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request is forwarded + to the upstream service even if the authorization server + fails to respond. This field should not be set in most cases. + It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time to wait + for a check response from the authorization server. Timeout + durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". The string "infinity" is also a valid input and specifies + no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + required: + - extensionRef + type: object + corsPolicy: + description: Specifies the cross-origin policy to apply to the + VirtualHost. + properties: + allowCredentials: + description: Specifies whether the resource allows credentials. + type: boolean + allowHeaders: + description: AllowHeaders specifies the content for the *access-control-allow-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowMethods: + description: AllowMethods specifies the content for the *access-control-allow-methods* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowOrigin: + description: AllowOrigin specifies the origins that will be + allowed to do CORS requests. "*" means allow any origin. + items: + type: string + type: array + exposeHeaders: + description: ExposeHeaders Specifies the content for the *access-control-expose-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + maxAge: + description: MaxAge indicates for how long the results of + a preflight request can be cached. MaxAge durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". Only positive values are allowed while 0 disables the + cache requiring a preflight OPTIONS check for all cross-origin + requests. + type: string + required: + - allowMethods + - allowOrigin + type: object + fqdn: + description: The fully qualified domain name of the root of the + ingress tree all leaves of the DAG rooted at this object relate + to the fqdn. + type: string + rateLimitPolicy: + description: The policy for rate limiting on the virtual host. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. parameters defining descriptors that are sent to an + external rate limit service (RLS) for a rate limit decision + on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit service. + Each descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair + generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this struct + must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of the + descriptor entry. If not set, the key + is set to "generic_key". + type: string + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given header + is present on the request. The descriptor + key is static, and the descriptor value + is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name + of the header to look for on the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if the + request's headers match a set of 1+ match + criteria. The descriptor key is "header_match", + and the descriptor value is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match the + match criteria in order to generate + a descriptor entry (i.e. true), or not + match the match criteria in order to + generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: Headers is a list of 1+ match + criteria to apply against the request + to determine whether to populate the + descriptor entry or not. + items: + description: HeaderMatchCondition specifies + how to conditionally match against + HTTP headers. The Name field is required, + but only one of the remaining fields + should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be + equal to. + type: string + name: + description: Name is the name of + the header to match against. Name + is required. Header names are + case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be present + in the header value. + type: string + notexact: + description: NoExact specifies a + string that the header value must + not be equal to. The condition + is true if the header has any + other value. + type: string + notpresent: + description: NotPresent specifies + that condition is true when the + named header is not present. Note + that setting NotPresent to false + does not make the condition true + if the named header is present. + type: boolean + present: + description: Present specifies that + condition is true when the named + header is present, regardless + of its value. Note that setting + Present to false does not make + the condition true if the named + header is absent. + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per unit + of time should be allowed before rate limiting occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within which + requests over the limit will be rate limited. Valid + values are "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + tls: + description: If present the fields describes TLS properties of + the virtual host. The SNI names that will be matched on are + described in fqdn, the tls.secretName secret must contain a + certificate that itself contains a name that matches the FQDN. + properties: + clientValidation: + description: "ClientValidation defines how to verify the client + certificate when an external client establishes a TLS connection + to Envoy. \n This setting: \n 1. Enables TLS client certificate + validation. 2. Specifies how the client certificate will + be validated (i.e. validation required or skipped). \n + Note: Setting client certificate validation to be skipped + should be only used in conjunction with an external authorization + server that performs client validation as Contour will ensure + client certificates are passed along." + properties: + caSecret: + description: Name of a Kubernetes secret that contains + a CA certificate bundle. The client certificate must + validate against the certificates in the bundle. + minLength: 1 + type: string + skipClientCertValidation: + description: SkipClientCertValidation disables downstream + client certificate validation. Defaults to false. This + field is intended to be used in conjunction with external + authorization in order to enable the external authorization + server to validate client certificates. When this field + is set to true, client certificates are requested but + not verified by Envoy. If external authorization is + in use, they are presented to the external authorization + server. + type: boolean + type: object + enableFallbackCertificate: + description: EnableFallbackCertificate defines if the vhost + should allow a default certificate to be applied which handles + all requests which don't match the SNI defined in this vhost. + type: boolean + minimumProtocolVersion: + description: MinimumProtocolVersion is the minimum TLS version + this vhost should negotiate. Valid options are `1.2` (default) + and `1.3`. Any other value defaults to TLS 1.2. + type: string + passthrough: + description: Passthrough defines whether the encrypted TLS + handshake will be passed through to the backing cluster. + Either Passthrough or SecretName must be specified, but + not both. + type: boolean + secretName: + description: SecretName is the name of a TLS secret in the + current namespace. Either SecretName or Passthrough must + be specified, but not both. If specified, the named secret + must contain a matching certificate for the virtual host's + FQDN. + type: string + type: object + required: + - fqdn + type: object + type: object + status: + description: Status is a container for computed information about the + HTTPProxy. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com/ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentStatus: + type: string + description: + type: string + loadBalancer: + description: LoadBalancer contains the current status of the load + balancer. + properties: + ingress: + description: Ingress is a list containing ingress points for the + load-balancer. Traffic intended for the service should be sent + to these ingress points. + items: + description: 'LoadBalancerIngress represents the status of a + load-balancer ingress point: traffic intended for the service + should be sent to an ingress point.' + properties: + hostname: + description: Hostname is set for load-balancer ingress points + that are DNS based (typically AWS load-balancers) + type: string + ip: + description: IP is set for load-balancer ingress points + that are IP based (typically GCE or OpenStack load-balancers) + type: string + ports: + description: Ports is a list of records of service ports + If used, every port defined in the service should have + an entry in it + items: + properties: + error: + description: 'Error is to record the problem with + the service port The format of the error shall comply + with the following rules: - built-in error values + shall be specified in this file and those shall + use CamelCase names - cloud provider specific + error values must have names that comply with the format + foo.example.com/CamelCase. --- The regex it matches + is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + default: TCP + description: 'Protocol is the protocol of the service + port of which status is recorded here The supported + values are: "TCP", "UDP", "SCTP"' + type: string + required: + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: tlscertificatedelegations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + shortNames: + - tlscerts + singular: tlscertificatedelegation + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD + specification. See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + status: + description: TLSCertificateDelegationStatus allows for the status of the + delegation to be presented to the user. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com\\ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/examples/gateway/01-gateway-crds.yaml b/examples/gateway/01-gateway-crds.yaml new file mode 100644 index 00000000000..8ab7db9e334 --- /dev/null +++ b/examples/gateway/01-gateway-crds.yaml @@ -0,0 +1,3329 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: backendpolicies.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: BackendPolicy + listKind: BackendPolicyList + plural: backendpolicies + shortNames: + - bp + singular: backendpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BackendPolicy defines policies associated with backends. For + the purpose of this API, a backend is defined as any resource that a route + can forward traffic to. A common example of a backend is a Service. Configuration + that is implementation specific may be represented with similar implementation + specific custom resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendPolicy. + properties: + backendRefs: + description: "BackendRefs define which backends this policy should + be applied to. This policy can only apply to backends within the + same namespace. If more than one BackendPolicy targets the same + backend, precedence must be given to the oldest BackendPolicy. \n + Support: Core" + items: + description: BackendRef identifies an API object within the same + namespace as the BackendPolicy. + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + type: string + kind: + description: Kind is the kind of the referent. + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + type: string + port: + description: Port is the port of the referent. If unspecified, + this policy applies to all ports on the backend. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - group + - kind + - name + type: object + maxItems: 16 + type: array + tls: + description: "TLS is the TLS configuration for these backends. \n + Support: Extended" + properties: + certificateAuthorityRef: + description: "CertificateAuthorityRef is a reference to a Kubernetes + object that contains one or more trusted CA certificates. The + CA certificates are used to establish a TLS handshake to backends + listed in BackendRefs. The referenced object MUST reside in + the same namespace as BackendPolicy. \n CertificateAuthorityRef + can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. \n When stored + in a Secret, certificates must be PEM encoded and specified + within the \"ca.crt\" data field of the Secret. When multiple + certificates are specified, the certificates MUST be concatenated + by new lines. \n CertificateAuthorityRef can also reference + a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific + custom resource. \n Support: Extended" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + options: + additionalProperties: + type: string + description: "Options are a list of key/value pairs to give extended + options to the provider. \n Support: Implementation-specific" + type: object + type: object + required: + - backendRefs + type: object + status: + description: Status defines the current state of BackendPolicy. + properties: + conditions: + description: Conditions describe the current conditions of the BackendPolicy. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: gatewayclasses.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controller + name: Controller + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the + user for creating Gateway resources. \n GatewayClass is a Cluster level + resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controller: + description: "Controller is a domain/path string that indicates the + controller that is managing Gateways of this class. \n Example: + \"acme.io/gateway-controller\". \n This field is not mutable and + cannot be empty. \n The format of this field is DOMAIN \"/\" PATH, + where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Support: Core" + maxLength: 253 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains + the configuration parameters corresponding to the GatewayClass. + This is optional if the controller does not require any additional + configuration. \n ParametersRef can reference a standard Kubernetes + resource, i.e. ConfigMap, or an implementation-specific custom resource. + The resource can be cluster-scoped or namespace-scoped. \n If the + referent cannot be found, the GatewayClass's \"InvalidParameters\" + status condition will be true. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This + field is required when scope is set to "Namespace" and ignored + when scope is set to "Cluster". + maxLength: 253 + minLength: 1 + type: string + scope: + default: Cluster + description: Scope represents if the referent is a Cluster or + Namespace scoped resource. This may be set to "Cluster" or "Namespace". + enum: + - Cluster + - Namespace + type: string + required: + - group + - kind + - name + type: object + required: + - controller + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: "False" + type: Admitted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: "False" + type: Admitted + description: "Conditions is the current status from the controller + for this GatewayClass. \n Controllers should prefer to publish conditions + using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: gateways.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: "Gateway represents an instantiation of a service-traffic handling + infrastructure by binding Listeners to a set of IP addresses. \n Implementations + should add the `gateway-exists-finalizer.networking.x-k8s.io` finalizer + on the associated GatewayClass whenever Gateway(s) is running. This ensures + that a GatewayClass associated with a Gateway(s) is not deleted while in + use." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this gateway. This is optional + and behavior can depend on the GatewayClass. If a value is set in + the spec and the requested address is invalid, the GatewayClass + MUST indicate this in the associated entry in GatewayStatus.Addresses. + \n If no Addresses are specified, the GatewayClass may schedule + the Gateway in an implementation-defined manner, assigning an appropriate + set of Addresses. \n The GatewayClass MUST bind all Listeners to + every GatewayAddress that it assigns to the Gateway. \n Support: + Core" + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + properties: + type: + default: IPAddress + description: "Type of the address. \n Support: Extended" + enum: + - IPAddress + - NamedAddress + type: string + value: + description: "Value of the address. The validity of the values + will depend on the type and support by the controller. \n + Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name + of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. At + least one Listener MUST be specified. \n An implementation MAY group + Listeners by Port and then collapse each group of Listeners into + a single Listener if the implementation determines that the Listeners + in the group are \"compatible\". An implementation MAY also group + together and collapse compatible Listeners belonging to different + Gateways. \n For example, an implementation might consider Listeners + to be compatible with each other if all of the following conditions + are met: \n 1. Either each Listener within the group specifies the + \"HTTP\" Protocol or each Listener within the group specifies + either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener + within the group specifies a Hostname that is unique within the + group. \n 3. As a special case, one Listener within a group may + omit Hostname, in which case this Listener matches when no other + Listener matches. \n If the implementation does collapse compatible + Listeners, the hostname provided in the incoming client request + MUST be matched to a Listener to find the correct set of Routes. + The incoming hostname MUST be matched using the Hostname field for + each Listener in order of most to least specific. That is, exact + matches must be processed before wildcard matches. \n If this field + specifies multiple Listeners that have the same Port value but are + not compatible, the implementation must raise a \"Conflicted\" condition + in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint + where a Gateway can accept network connections. Each listener + in a Gateway must have a unique combination of Hostname, Port, + and Protocol. This will be enforced by a validating webhook. + properties: + hostname: + description: "Hostname specifies the virtual hostname to match + for protocol types that define this concept. When unspecified, + \"\", or `*`, all hostnames are matched. This field can be + omitted for protocols that don't require hostname based matching. + \n Hostname is the fully qualified domain name of a network + host, as defined by RFC 3986. Note the following deviations + from the \"host\" part of the URI as defined in the RFC: \n + 1. IP literals are not allowed. 2. The `:` delimiter is not + respected because ports are not allowed. \n Hostname can be + \"precise\" which is a domain name without the terminating + dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single wildcard label + (e.g. `*.example.com`). The wildcard character `*` must appear + by itself as the first DNS label and matches only a single + label. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + port: + description: "Port is the network port. Multiple listeners may + use the same port, subject to the Listener compatibility rules. + \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener + expects to receive. The GatewayClass MUST apply the Hostname + match appropriately for each protocol: \n * For the \"TLS\" + protocol, the Hostname match MUST be applied to the [SNI](https://tools.ietf.org/html/rfc6066#section-3) + \ server name offered by the client. * For the \"HTTP\" protocol, + the Hostname match MUST be applied to the host portion of + the [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5) + \ or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) + * For the \"HTTPS\" protocol, the Hostname match MUST be applied + at both the TLS and HTTP protocol layers. \n Support: Core" + type: string + routes: + description: "Routes specifies a schema for associating routes + with the Listener using selectors. A Route is a resource capable + of servicing a request and allows a cluster operator to expose + a cluster resource (i.e. Service) by externally-reachable + URL, load-balance traffic and terminate SSL/TLS. Typically, + a route is a \"HTTPRoute\" or \"TCPRoute\" in group \"networking.x-k8s.io\", + however, an implementation may support other types of resources. + \n The Routes selector MUST select a set of objects that are + compatible with the application protocol specified in the + Protocol field. \n Although a client request may technically + match multiple route rules, only one rule may ultimately receive + the request. Matching precedence MUST be determined in order + of the following criteria: \n * The most specific match. For + example, the most specific HTTPRoute match is determined + by the longest matching combination of hostname and path. + * The oldest Route based on creation timestamp. For example, + a Route with a creation timestamp of \"2020-09-08 01:02:03\" + is given precedence over a Route with a creation timestamp + of \"2020-09-08 01:02:04\". * If everything else is equivalent, + the Route appearing first in alphabetical order (namespace/name) + should be given precedence. For example, foo/bar is given + precedence over foo/baz. \n All valid portions of a Route + selected by this field should be supported. Invalid portions + of a Route can be ignored (sometimes that will mean the full + Route). If a portion of a Route transitions from valid to + invalid, support for that portion of the Route should be dropped + to ensure consistency. For example, even if a filter specified + by a Route is invalid, the rest of the Route should still + be supported. \n Support: Core" + properties: + group: + default: networking.x-k8s.io + description: "Group is the group of the route resource to + select. Omitting the value or specifying the empty string + indicates the networking.x-k8s.io API group. For example, + use the following to select an HTTPRoute: \n routes: kind: + HTTPRoute \n Otherwise, if an alternative API group is + desired, specify the desired group: \n routes: group: + acme.io kind: FooRoute \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + kind: + description: "Kind is the kind of the route resource to + select. \n Kind MUST correspond to kinds of routes that + are compatible with the application protocol specified + in the Listener's Protocol field. \n If an implementation + does not support or recognize this resource type, it SHOULD + set the \"ResolvedRefs\" condition to false for this listener + with the \"InvalidRoutesRef\" reason. \n Support: Core" + type: string + namespaces: + default: + from: Same + description: "Namespaces indicates in which namespaces Routes + should be selected for this Gateway. This is restricted + to the namespace of this Gateway by default. \n Support: + Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected + for this Gateway. Possible values are: * All: Routes + in all namespaces may be used by this Gateway. * Selector: + Routes in namespaces selected by the selector may + be used by this Gateway. * Same: Only Routes in + the same namespace may be used by this Gateway. \n + Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is + set to \"Selector\". In that case, only Routes in + Namespaces matching this Selector will be selected + by this Gateway. This field is ignored for other values + of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + type: object + selector: + description: "Selector specifies a set of route labels used + for selecting routes to associate with the Gateway. If + this Selector is defined, only routes matching the Selector + are associated with the Gateway. An empty Selector matches + all routes. \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + required: + - kind + type: object + tls: + description: "TLS is the TLS configuration for the Listener. + This field is required if the Protocol field is \"HTTPS\" + or \"TLS\" and ignored otherwise. \n The association of SNIs + to Certificate defined in GatewayTLSConfig is defined based + on the Hostname field for this listener. \n The GatewayClass + MUST use the longest matching SNI out of all available certificates + for any TLS handshake. \n Support: Core" + properties: + certificateRef: + description: "CertificateRef is a reference to a Kubernetes + object that contains a TLS certificate and private key. + This certificate is used to establish a TLS handshake + for requests that match the hostname of the associated + listener. The referenced object MUST reside in the same + namespace as Gateway. \n This field is required when mode + is set to \"Terminate\" (default) and optional otherwise. + \n CertificateRef can reference a standard Kubernetes + resource, i.e. Secret, or an implementation-specific custom + resource. \n Support: Core (Kubernetes Secrets) \n Support: + Implementation-specific (Other resource types)" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS + session initiated by the client. There are two possible + modes: - Terminate: The TLS session between the downstream + client and the Gateway is terminated at the Gateway. + This mode requires certificateRef to be set. - Passthrough: + The TLS session is NOT terminated by the Gateway. This + \ implies that the Gateway can't decipher the TLS stream + except for the ClientHello message of the TLS protocol. + \ CertificateRef field is ignored in this mode. \n Support: + Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + type: string + description: "Options are a list of key/value pairs to give + extended options to the provider. \n There variation among + providers as to how ciphersuites are expressed. If there + is a common subset for expressing ciphers then it will + make sense to loft that as a core API construct. \n Support: + Implementation-specific" + type: object + routeOverride: + default: + certificate: Deny + description: "RouteOverride dictates if TLS settings can + be configured via Routes or not. \n CertificateRef must + be defined even if `routeOverride.certificate` is set + to 'Allow' as it will be used as the default certificate + for the listener. \n Support: Core" + properties: + certificate: + default: Deny + description: "Certificate dictates if TLS certificates + can be configured via Routes. If set to 'Allow', a + TLS certificate for a hostname defined in a Route + takes precedence over the certificate defined in Gateway. + \n Support: Core" + enum: + - Allow + - Deny + type: string + type: object + type: object + required: + - port + - protocol + - routes + type: object + maxItems: 64 + minItems: 1 + type: array + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: "False" + type: Scheduled + description: Status defines the current state of Gateway. + properties: + addresses: + description: "Addresses lists the IP addresses that have actually + been bound to the Gateway. These addresses may differ from the addresses + in the Spec, e.g. if the Gateway automatically assigns an address + from a reserved pool. \n These addresses should all be of type \"IPAddress\"." + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + properties: + type: + default: IPAddress + description: "Type of the address. \n Support: Extended" + enum: + - IPAddress + - NamedAddress + type: string + value: + description: "Value of the address. The validity of the values + will depend on the type and support by the controller. \n + Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: "False" + type: Scheduled + description: "Conditions describe the current conditions of the Gateway. + \n Implementations should prefer to express Gateway conditions using + the `GatewayConditionType` and `GatewayConditionReason` constants + so that operators and tools can converge on a common vocabulary + to describe Gateway state. \n Known condition types are: \n * \"Scheduled\" + * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostname: + description: Hostname is the Listener hostname value for which + this message is reporting the status. + maxLength: 253 + minLength: 1 + type: string + port: + description: Port is the unique Listener port value for which + this message is reporting the status. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: Protocol is the Listener protocol value for which + this message is reporting the status. + type: string + required: + - conditions + - port + - protocol + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: httproutes.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTPRoute resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + gateways: + default: + allow: SameNamespace + description: Gateways defines which Gateways can use this Route. + properties: + allow: + default: SameNamespace + description: 'Allow indicates which Gateways will be allowed to + use this route. Possible values are: * All: Gateways in any + namespace can use this route. * FromList: Only Gateways specified + in GatewayRefs may use this route. * SameNamespace: Only Gateways + in the same namespace may use this route.' + enum: + - All + - FromList + - SameNamespace + type: string + gatewayRefs: + description: GatewayRefs must be specified when Allow is set to + "FromList". In that case, only Gateways referenced in this list + will be allowed to use this route. This field is ignored for + other values of "Allow". + items: + description: GatewayReference identifies a Gateway in a specified + namespace. + properties: + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + type: array + type: object + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. Hostname is the fully qualified domain name of a network + host, as defined by RFC 3986. Note the following deviations from + the \"host\" part of the URI as defined in the RFC: \n 1. IPs are + not allowed. 2. The `:` delimiter is not respected because ports + are not allowed. \n Incoming requests are matched against the hostnames + before the HTTPRoute rules. If no hostname is specified, traffic + is routed based on the HTTPRouteRules. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + The wildcard character `*` must appear by itself as the first DNS + label and matches only a single label. You cannot have a wildcard + label by itself (e.g. Host == `*`). Requests will be matched against + the Host field in the following order: \n 1. If Host is precise, + the request matches this rule if the HTTP Host header is equal + to Host. 2. If Host is a wildcard, then the request matches this + rule if the HTTP Host header is to equal to the suffix (removing + the first label) of the wildcard rule. \n Support: Core" + items: + description: Hostname is used to specify a hostname that should + be matched. + maxLength: 253 + minLength: 1 + type: string + maxItems: 16 + type: array + rules: + default: + - matches: + - path: + type: Prefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions, optionally executing additional processing + steps, and forwarding the request to an API object. + properties: + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n Support: Core" + items: + description: 'HTTPRouteFilter defines additional processing + steps that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension point + to express additional processing that may be done in Gateway + implementations. Some examples include request or response + modification, implementing authentication strategies, rate-limiting, + and traffic shaping. API guarantee/conformance is defined + based on the type of the filter. TODO(hbagdi): re-render + CRDs once controller-tools supports union tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298 + - https://github.com/kubernetes-sigs/controller-tools/issues/461' + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.acme.io\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + additionalProperties: + type: string + description: "Add adds the given header (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + \n Input: GET /foo HTTP/1.1 my-header: foo \n + Config: add: {\"my-header\": \"bar\"} \n Output: + \ GET /foo HTTP/1.1 my-header: foo my-header: + bar \n Support: Extended" + type: object + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of RemoveHeader + is a list of HTTP header names. Note that the header + names are case-insensitive [RFC-2616 4.2]. \n Input: + \ GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar \n Support: Extended" + items: + type: string + maxItems: 16 + type: array + set: + additionalProperties: + type: string + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: {\"my-header\": \"bar\"} \n Output: GET + /foo HTTP/1.1 my-header: bar \n Support: Extended" + type: object + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. \n Support: Extended" + properties: + backendRef: + description: "BackendRef is a local object reference + to mirror matched requests to. If both BackendRef + and ServiceName are specified, ServiceName will + be given precedence. \n If the referent cannot be + found, the rule is not included in the route. The + controller should raise the \"ResolvedRefs\" condition + on the Gateway with the \"DegradedRoutes\" reason. + The gateway status for this route should be updated + with a condition that describes the error more specifically. + \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination port + number to use for the backend referenced by the + ServiceName or BackendRef field. \n If unspecified, + the destination port in the request is used when + forwarding to a backendRef or serviceName." + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the + Service to mirror matched requests to. When specified, + this takes the place of BackendRef. If both BackendRef + and ServiceName are specified, ServiceName will + be given precedence. \n If the referent cannot be + found, the rule is not included in the route. The + controller should raise the \"ResolvedRefs\" condition + on the Gateway with the \"DegradedRoutes\" reason. + The gateway status for this route should be updated + with a condition that describes the error more specifically. + \n Support: Core" + maxLength: 253 + type: string + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n + - Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, + e.g. \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Custom: Filters that + are defined and supported by specific vendors. In + the future, filters showing convergence in behavior + across multiple implementations will be considered + for inclusion in extended or core conformance levels. + Filter-specific configuration for such filters is + specified using the ExtensionRef field. `Type` should + be set to \"ExtensionRef\" for custom filters. \n + Implementers are encouraged to define custom implementation + types to extend the core API with implementation-specific + behavior." + enum: + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + forwardTo: + description: ForwardTo defines the backend(s) where matching + requests should be sent. If unspecified, the rule performs + no forwarding. If unspecified and no filters are specified + that would result in a response being sent, a 503 error code + is returned. + items: + description: HTTPRouteForwardTo defines how a HTTPRoute should + forward a request. + properties: + backendRef: + description: "BackendRef is a reference to a backend to + forward matched requests to. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + route must be dropped from the Gateway. The controller + should raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + filters: + description: "Filters defined at this-level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Custom (For + broader support of filters, use the Filters field in + HTTPRouteRule.)" + items: + description: 'HTTPRouteFilter defines additional processing + steps that must be completed during the request or + response lifecycle. HTTPRouteFilters are meant as + an extension point to express additional processing + that may be done in Gateway implementations. Some + examples include request or response modification, + implementing authentication strategies, rate-limiting, + and traffic shaping. API guarantee/conformance is + defined based on the type of the filter. TODO(hbagdi): + re-render CRDs once controller-tools supports union + tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298 + - https://github.com/kubernetes-sigs/controller-tools/issues/461' + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.acme.io\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + additionalProperties: + type: string + description: "Add adds the given header (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo + HTTP/1.1 my-header: foo \n Config: add: + {\"my-header\": \"bar\"} \n Output: GET + /foo HTTP/1.1 my-header: foo my-header: + bar \n Support: Extended" + type: object + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of RemoveHeader is a list of HTTP header names. + Note that the header names are case-insensitive + [RFC-2616 4.2]. \n Input: GET /foo HTTP/1.1 + \ my-header1: foo my-header2: bar my-header3: + baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 + \ my-header2: bar \n Support: Extended" + items: + type: string + maxItems: 16 + type: array + set: + additionalProperties: + type: string + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: {\"my-header\": \"bar\"} + \n Output: GET /foo HTTP/1.1 my-header: + bar \n Support: Extended" + type: object + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. \n Support: Extended" + properties: + backendRef: + description: "BackendRef is a local object reference + to mirror matched requests to. If both BackendRef + and ServiceName are specified, ServiceName + will be given precedence. \n If the referent + cannot be found, the rule is not included + in the route. The controller should raise + the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway + status for this route should be updated with + a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination + port number to use for the backend referenced + by the ServiceName or BackendRef field. \n + If unspecified, the destination port in the + request is used when forwarding to a backendRef + or serviceName." + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name + of the Service to mirror matched requests + to. When specified, this takes the place of + BackendRef. If both BackendRef and ServiceName + are specified, ServiceName will be given precedence. + \n If the referent cannot be found, the rule + is not included in the route. The controller + should raise the \"ResolvedRefs\" condition + on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route + should be updated with a condition that describes + the error more specifically. \n Support: Core" + maxLength: 253 + type: string + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Custom: Filters + that are defined and supported by specific vendors. + \ In the future, filters showing convergence + in behavior across multiple implementations + will be considered for inclusion in extended or + core conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior." + enum: + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + port: + description: "Port specifies the destination port number + to use for the backend referenced by the ServiceName + or BackendRef field. If unspecified, the destination + port in the request is used when forwarding to a backendRef + or serviceName. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the Service + to forward matched requests to. When specified, this + takes the place of BackendRef. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + route must be dropped from the Gateway. The controller + should raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n The protocol + to use should be specified with the AppProtocol field + on Service resources. This field was introduced in Kubernetes + 1.18. If using an earlier version of Kubernetes, a `networking.x-k8s.io/app-protocol` + annotation on the BackendPolicy resource may be used + to define the protocol. If the AppProtocol field is + available, this annotation should not be used. The AppProtocol + field, when populated, takes precedence over the annotation + in the BackendPolicy resource. For custom backends, + it is encouraged to add a semantically-equivalent field + in the Custom Resource Definition. \n Support: Core" + maxLength: 253 + type: string + weight: + default: 1 + description: "Weight specifies the proportion of HTTP + requests forwarded to the backend referenced by the + ServiceName or BackendRef field. This is computed as + weight/(sum of all weights in this ForwardTo list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support: Core" + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: Prefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: values: + \ version: \"2\" - path: value: \"/v2/foo\" ``` \n + For a request to match against this rule, a request should + satisfy EITHER of the two conditions: \n - path prefixed with + `/foo` AND contains the header `version: \"2\"` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Each client request MUST map to a maximum + of one route rule. If a request matches multiple rules, matching + precedence MUST be determined in order of the following criteria, + continuing on ties: \n * The longest matching hostname. * + The longest matching path. * The largest number of header + matches. \n If ties still exist across multiple Routes, matching + precedence MUST be determined in order of the following criteria, + continuing on ties: \n * The oldest Route based on creation + timestamp. For example, a Route with a creation timestamp + of \"2020-09-08 01:02:03\" is given precedence over a Route + with a creation timestamp of \"2020-09-08 01:02:04\". * The + Route appearing first in alphabetical order by \"/\". + For example, foo/bar is given precedence over foo/baz. \n + If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: \"1\"` header: + \n ``` match: path: value: \"/foo\" headers: values: + \ version: \"1\" ```" + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"match\" behavior. For example, resource + \"myroutematcher\" in group \"networking.acme.io\". + If the referent cannot be found, the rule is not included + in the route. The controller should raise the \"ResolvedRefs\" + condition on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route should be + updated with a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + headers: + description: Headers specifies a HTTP request header matcher. + properties: + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression, ImplementationSpecific) + \n Since RegularExpression PathType has custom conformance, + implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the + implementation's documentation to determine the + supported dialect. \n HTTP Header name matching + MUST be case-insensitive (RFC 2616 - section 4.2)." + enum: + - Exact + - RegularExpression + - ImplementationSpecific + type: string + values: + additionalProperties: + type: string + description: "Values is a map of HTTP Headers to be + matched. It MUST contain at least one entry. \n + The HTTP header field name to match is the map key, + and the value of the HTTP header is the map value. + HTTP header field name matching MUST be case-insensitive. + \n Multiple match values are ANDed together, meaning, + a request must match all the specified headers to + select the route." + type: object + required: + - values + type: object + path: + default: + type: Prefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: Prefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, Prefix) + \n Support: Custom (RegularExpression, ImplementationSpecific) + \n Since RegularExpression PathType has custom conformance, + implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the + implementation's documentation to determine the + supported dialect." + enum: + - Exact + - Prefix + - RegularExpression + - ImplementationSpecific + type: string + value: + default: / + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies a HTTP query parameter + matcher. + properties: + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: Extended + (Exact) \n Support: Custom (RegularExpression, ImplementationSpecific) + \n Since RegularExpression QueryParamMatchType has + custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation to + determine the supported dialect." + enum: + - Exact + - RegularExpression + - ImplementationSpecific + type: string + values: + additionalProperties: + type: string + description: "Values is a map of HTTP query parameters + to be matched. It MUST contain at least one entry. + \n The query parameter name to match is the map + key, and the value of the query parameter is the + map value. \n Multiple match values are ANDed together, + meaning, a request must match all the specified + query parameters to select the route. \n HTTP query + parameter matching MUST be case-sensitive for both + keys and values. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n Note that the query parameter key MUST always + be an exact match by string comparison." + type: object + required: + - values + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + tls: + description: "TLS defines the TLS certificate to use for Hostnames + defined in this Route. This configuration only takes effect if the + AllowRouteOverride field is set to true in the associated Gateway + resource. \n Collisions can happen if multiple HTTPRoutes define + a TLS certificate for the same hostname. In such a case, conflict + resolution guiding principles apply, specifically, if hostnames + are same and two different certificates are specified then the certificate + in the oldest resource wins. \n Please note that HTTP Route-selection + takes place after the TLS Handshake (ClientHello). Due to this, + TLS certificate defined here will take precedence even if the request + has the potential to match multiple routes (in case multiple HTTPRoutes + share the same hostname). \n Support: Core" + properties: + certificateRef: + description: "CertificateRef is a reference to a Kubernetes object + that contains a TLS certificate and private key. This certificate + is used to establish a TLS handshake for requests that match + the hostname of the associated HTTPRoute. The referenced object + MUST reside in the same namespace as HTTPRoute. \n This field + is required when the TLS configuration mode of the associated + Gateway listener is set to \"Passthrough\". \n CertificateRef + can reference a standard Kubernetes resource, i.e. Secret, or + an implementation-specific custom resource. \n Support: Core + (Kubernetes Secrets) \n Support: Implementation-specific (Other + resource types)" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - certificateRef + type: object + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + gateways: + description: "Gateways is a list of Gateways that are associated with + the route, and the status of the route with respect to each Gateway. + When a Gateway selects this route, the controller that manages the + Gateway must add an entry to this list when the controller first + sees the route and should update the entry as appropriate when the + route is modified. \n A maximum of 100 Gateways will be represented + in this list. If this list is full, there may be additional Gateways + using this Route that are not included in the list. An empty list + means the route has not been admitted by any Gateway." + items: + description: RouteGatewayStatus describes the status of a route + with respect to an associated Gateway. + properties: + conditions: + description: Conditions describes the status of the route with + respect to the Gateway. The "Admitted" condition must always + be specified by controllers to indicate whether the route + has been admitted or rejected by the Gateway, and why. Note + that the route's availability is also subject to the Gateway's + own status conditions and listener status. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + gatewayRef: + description: GatewayRef is a reference to a Gateway object that + is associated with the route. + properties: + controller: + description: "Controller is a domain/path string that indicates + the controller implementing the Gateway. This corresponds + with the controller field on GatewayClass. \n Example: + \"acme.io/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are + valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)." + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + required: + - gatewayRef + type: object + maxItems: 100 + type: array + required: + - gateways + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: tcproutes.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCPRoute resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + gateways: + default: + allow: SameNamespace + description: Gateways defines which Gateways can use this Route. + properties: + allow: + default: SameNamespace + description: 'Allow indicates which Gateways will be allowed to + use this route. Possible values are: * All: Gateways in any + namespace can use this route. * FromList: Only Gateways specified + in GatewayRefs may use this route. * SameNamespace: Only Gateways + in the same namespace may use this route.' + enum: + - All + - FromList + - SameNamespace + type: string + gatewayRefs: + description: GatewayRefs must be specified when Allow is set to + "FromList". In that case, only Gateways referenced in this list + will be allowed to use this route. This field is ignored for + other values of "Allow". + items: + description: GatewayReference identifies a Gateway in a specified + namespace. + properties: + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + type: array + type: object + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + forwardTo: + description: ForwardTo defines the backend(s) where matching + requests should be sent. + items: + description: RouteForwardTo defines how a Route should forward + a request. + properties: + backendRef: + description: "BackendRef is a reference to a backend to + forward matched requests to. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination port number + to use for the backend referenced by the ServiceName + or BackendRef field. If unspecified, the destination + port in the request is used when forwarding to a backendRef + or serviceName. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the Service + to forward matched requests to. When specified, this + takes the place of BackendRef. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n The protocol + to use is defined using AppProtocol field (introduced + in Kubernetes 1.18) in the Service resource. In the + absence of the AppProtocol field a `networking.x-k8s.io/app-protocol` + annotation on the BackendPolicy resource may be used + to define the protocol. If the AppProtocol field is + available, this annotation should not be used. The AppProtocol + field, when populated, takes precedence over the annotation + in the BackendPolicy resource. For custom backends, + it is encouraged to add a semantically-equivalent field + in the Custom Resource Definition. \n Support: Core" + maxLength: 253 + type: string + weight: + default: 1 + description: "Weight specifies the proportion of HTTP + requests forwarded to the backend referenced by the + ServiceName or BackendRef field. This is computed as + weight/(sum of all weights in this ForwardTo list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support: Extended" + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + type: object + maxItems: 16 + minItems: 1 + type: array + matches: + description: "Matches define conditions used for matching the + rule against incoming TCP connections. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. If unspecified (i.e. empty), this Rule will + match all requests for the associated Listener. \n Each client + request MUST map to a maximum of one route rule. If a request + matches multiple rules, matching precedence MUST be determined + in order of the following criteria, continuing on ties: \n + * The most specific match specified by ExtensionRef. Each + implementation that supports ExtensionRef may have different + ways of determining the specificity of the referenced extension. + \n If ties still exist across multiple Routes, matching precedence + MUST be determined in order of the following criteria, continuing + on ties: \n * The oldest Route based on creation timestamp. + For example, a Route with a creation timestamp of \"2020-09-08 + 01:02:03\" is given precedence over a Route with a creation + timestamp of \"2020-09-08 01:02:04\". * The Route appearing + first in alphabetical order by \"/\". For + example, foo/bar is given precedence over foo/baz. \n If + ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria." + items: + description: TCPRouteMatch defines the predicate used to match + connections to a given action. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"match\" behavior. For example, resource + \"mytcproutematcher\" in group \"networking.acme.io\". + If the referent cannot be found, the rule is not included + in the route. The controller should raise the \"ResolvedRefs\" + condition on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route should be + updated with a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + maxItems: 8 + type: array + required: + - forwardTo + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + gateways: + description: "Gateways is a list of Gateways that are associated with + the route, and the status of the route with respect to each Gateway. + When a Gateway selects this route, the controller that manages the + Gateway must add an entry to this list when the controller first + sees the route and should update the entry as appropriate when the + route is modified. \n A maximum of 100 Gateways will be represented + in this list. If this list is full, there may be additional Gateways + using this Route that are not included in the list. An empty list + means the route has not been admitted by any Gateway." + items: + description: RouteGatewayStatus describes the status of a route + with respect to an associated Gateway. + properties: + conditions: + description: Conditions describes the status of the route with + respect to the Gateway. The "Admitted" condition must always + be specified by controllers to indicate whether the route + has been admitted or rejected by the Gateway, and why. Note + that the route's availability is also subject to the Gateway's + own status conditions and listener status. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + gatewayRef: + description: GatewayRef is a reference to a Gateway object that + is associated with the route. + properties: + controller: + description: "Controller is a domain/path string that indicates + the controller implementing the Gateway. This corresponds + with the controller field on GatewayClass. \n Example: + \"acme.io/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are + valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)." + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + required: + - gatewayRef + type: object + maxItems: 100 + type: array + required: + - gateways + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: tlsroutes.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility in + matching streams for a given TLS listener. \n If you need to forward traffic + to a single target for a TLS listener, you could choose to use a TCPRoute + with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + gateways: + default: + allow: SameNamespace + description: Gateways defines which Gateways can use this Route. + properties: + allow: + default: SameNamespace + description: 'Allow indicates which Gateways will be allowed to + use this route. Possible values are: * All: Gateways in any + namespace can use this route. * FromList: Only Gateways specified + in GatewayRefs may use this route. * SameNamespace: Only Gateways + in the same namespace may use this route.' + enum: + - All + - FromList + - SameNamespace + type: string + gatewayRefs: + description: GatewayRefs must be specified when Allow is set to + "FromList". In that case, only Gateways referenced in this list + will be allowed to use this route. This field is ignored for + other values of "Allow". + items: + description: GatewayReference identifies a Gateway in a specified + namespace. + properties: + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + type: array + type: object + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + forwardTo: + description: ForwardTo defines the backend(s) where matching + requests should be sent. + items: + description: RouteForwardTo defines how a Route should forward + a request. + properties: + backendRef: + description: "BackendRef is a reference to a backend to + forward matched requests to. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination port number + to use for the backend referenced by the ServiceName + or BackendRef field. If unspecified, the destination + port in the request is used when forwarding to a backendRef + or serviceName. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the Service + to forward matched requests to. When specified, this + takes the place of BackendRef. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n The protocol + to use is defined using AppProtocol field (introduced + in Kubernetes 1.18) in the Service resource. In the + absence of the AppProtocol field a `networking.x-k8s.io/app-protocol` + annotation on the BackendPolicy resource may be used + to define the protocol. If the AppProtocol field is + available, this annotation should not be used. The AppProtocol + field, when populated, takes precedence over the annotation + in the BackendPolicy resource. For custom backends, + it is encouraged to add a semantically-equivalent field + in the Custom Resource Definition. \n Support: Core" + maxLength: 253 + type: string + weight: + default: 1 + description: "Weight specifies the proportion of HTTP + requests forwarded to the backend referenced by the + ServiceName or BackendRef field. This is computed as + weight/(sum of all weights in this ForwardTo list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support: Extended" + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + type: object + maxItems: 16 + minItems: 1 + type: array + matches: + description: "Matches define conditions used for matching the + rule against incoming TLS connections. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. If unspecified (i.e. empty), this Rule will + match all requests for the associated Listener. \n Each client + request MUST map to a maximum of one route rule. If a request + matches multiple rules, matching precedence MUST be determined + in order of the following criteria, continuing on ties: \n + * The longest matching SNI. * The longest matching precise + SNI (without a wildcard). This means that \"b.example.com\" + should be given precedence over \"*.example.com\". * The most + specific match specified by ExtensionRef. Each implementation + \ that supports ExtensionRef may have different ways of determining + the specificity of the referenced extension. \n If ties + still exist across multiple Routes, matching precedence MUST + be determined in order of the following criteria, continuing + on ties: \n * The oldest Route based on creation timestamp. + For example, a Route with a creation timestamp of \"2020-09-08 + 01:02:03\" is given precedence over a Route with a creation + timestamp of \"2020-09-08 01:02:04\". * The Route appearing + first in alphabetical order by \"/\". For + example, foo/bar is given precedence over foo/baz. \n If + ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria." + items: + description: TLSRouteMatch defines the predicate used to match + connections to a given action. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"match\" behavior. For example, resource + \"mytlsroutematcher\" in group \"networking.acme.io\". + If the referent cannot be found, the rule is not included + in the route. The controller should raise the \"ResolvedRefs\" + condition on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route should be + updated with a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + snis: + description: "SNIs defines a set of SNI names that should + match against the SNI attribute of TLS ClientHello message + in TLS handshake. \n SNI can be \"precise\" which is + a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which + is a domain name prefixed with a single wildcard label + (e.g. `*.example.com`). The wildcard character `*` must + appear by itself as the first DNS label and matches + only a single label. You cannot have a wildcard label + by itself (e.g. Host == `*`). \n Requests will be matched + against the Host field in the following order: \n 1. + If SNI is precise, the request matches this rule if + the SNI in ClientHello is equal to one of the defined + SNIs. 2. If SNI is a wildcard, then the request matches + this rule if the SNI is to equal to the suffix (removing + the first label) of the wildcard rule. 3. If SNIs + is unspecified, all requests associated with the gateway + TLS listener will match. This can be used to define + a default backend for a TLS listener. \n Support: + Core" + items: + description: Hostname is used to specify a hostname + that should be matched. + maxLength: 253 + minLength: 1 + type: string + maxItems: 16 + type: array + type: object + maxItems: 8 + type: array + required: + - forwardTo + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + gateways: + description: "Gateways is a list of Gateways that are associated with + the route, and the status of the route with respect to each Gateway. + When a Gateway selects this route, the controller that manages the + Gateway must add an entry to this list when the controller first + sees the route and should update the entry as appropriate when the + route is modified. \n A maximum of 100 Gateways will be represented + in this list. If this list is full, there may be additional Gateways + using this Route that are not included in the list. An empty list + means the route has not been admitted by any Gateway." + items: + description: RouteGatewayStatus describes the status of a route + with respect to an associated Gateway. + properties: + conditions: + description: Conditions describes the status of the route with + respect to the Gateway. The "Admitted" condition must always + be specified by controllers to indicate whether the route + has been admitted or rejected by the Gateway, and why. Note + that the route's availability is also subject to the Gateway's + own status conditions and listener status. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + gatewayRef: + description: GatewayRef is a reference to a Gateway object that + is associated with the route. + properties: + controller: + description: "Controller is a domain/path string that indicates + the controller implementing the Gateway. This corresponds + with the controller field on GatewayClass. \n Example: + \"acme.io/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are + valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)." + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + required: + - gatewayRef + type: object + maxItems: 100 + type: array + required: + - gateways + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: udproutes.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: UDPRoute is a resource that specifies how a Gateway should forward + UDP traffic. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + gateways: + default: + allow: SameNamespace + description: Gateways defines which Gateways can use this Route. + properties: + allow: + default: SameNamespace + description: 'Allow indicates which Gateways will be allowed to + use this route. Possible values are: * All: Gateways in any + namespace can use this route. * FromList: Only Gateways specified + in GatewayRefs may use this route. * SameNamespace: Only Gateways + in the same namespace may use this route.' + enum: + - All + - FromList + - SameNamespace + type: string + gatewayRefs: + description: GatewayRefs must be specified when Allow is set to + "FromList". In that case, only Gateways referenced in this list + will be allowed to use this route. This field is ignored for + other values of "Allow". + items: + description: GatewayReference identifies a Gateway in a specified + namespace. + properties: + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + type: array + type: object + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + forwardTo: + description: ForwardTo defines the backend(s) where matching + requests should be sent. + items: + description: RouteForwardTo defines how a Route should forward + a request. + properties: + backendRef: + description: "BackendRef is a reference to a backend to + forward matched requests to. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination port number + to use for the backend referenced by the ServiceName + or BackendRef field. If unspecified, the destination + port in the request is used when forwarding to a backendRef + or serviceName. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the Service + to forward matched requests to. When specified, this + takes the place of BackendRef. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n The protocol + to use is defined using AppProtocol field (introduced + in Kubernetes 1.18) in the Service resource. In the + absence of the AppProtocol field a `networking.x-k8s.io/app-protocol` + annotation on the BackendPolicy resource may be used + to define the protocol. If the AppProtocol field is + available, this annotation should not be used. The AppProtocol + field, when populated, takes precedence over the annotation + in the BackendPolicy resource. For custom backends, + it is encouraged to add a semantically-equivalent field + in the Custom Resource Definition. \n Support: Core" + maxLength: 253 + type: string + weight: + default: 1 + description: "Weight specifies the proportion of HTTP + requests forwarded to the backend referenced by the + ServiceName or BackendRef field. This is computed as + weight/(sum of all weights in this ForwardTo list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support: Extended" + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + type: object + maxItems: 16 + minItems: 1 + type: array + matches: + description: "Matches define conditions used for matching the + rule against incoming UDP connections. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. If unspecified (i.e. empty), this Rule will + match all requests for the associated Listener. \n Each client + request MUST map to a maximum of one route rule. If a request + matches multiple rules, matching precedence MUST be determined + in order of the following criteria, continuing on ties: \n + * The most specific match specified by ExtensionRef. Each + implementation that supports ExtensionRef may have different + ways of determining the specificity of the referenced extension. + \n If ties still exist across multiple Routes, matching precedence + MUST be determined in order of the following criteria, continuing + on ties: \n * The oldest Route based on creation timestamp. + For example, a Route with a creation timestamp of \"2020-09-08 + 01:02:03\" is given precedence over a Route with a creation + timestamp of \"2020-09-08 01:02:04\". * The Route appearing + first in alphabetical order by \"/\". For + example, foo/bar is given precedence over foo/baz. \n If + ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria." + items: + description: UDPRouteMatch defines the predicate used to match + packets to a given action. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"match\" behavior. For example, resource + \"myudproutematcher\" in group \"networking.acme.io\". + If the referent cannot be found, the rule is not included + in the route. The controller should raise the \"ResolvedRefs\" + condition on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route should be + updated with a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + maxItems: 8 + type: array + required: + - forwardTo + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + gateways: + description: "Gateways is a list of Gateways that are associated with + the route, and the status of the route with respect to each Gateway. + When a Gateway selects this route, the controller that manages the + Gateway must add an entry to this list when the controller first + sees the route and should update the entry as appropriate when the + route is modified. \n A maximum of 100 Gateways will be represented + in this list. If this list is full, there may be additional Gateways + using this Route that are not included in the list. An empty list + means the route has not been admitted by any Gateway." + items: + description: RouteGatewayStatus describes the status of a route + with respect to an associated Gateway. + properties: + conditions: + description: Conditions describes the status of the route with + respect to the Gateway. The "Admitted" condition must always + be specified by controllers to indicate whether the route + has been admitted or rejected by the Gateway, and why. Note + that the route's availability is also subject to the Gateway's + own status conditions and listener status. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + gatewayRef: + description: GatewayRef is a reference to a Gateway object that + is associated with the route. + properties: + controller: + description: "Controller is a domain/path string that indicates + the controller implementing the Gateway. This corresponds + with the controller field on GatewayClass. \n Example: + \"acme.io/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are + valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)." + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + required: + - gatewayRef + type: object + maxItems: 100 + type: array + required: + - gateways + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/examples/gateway/02-job-certgen.yaml b/examples/gateway/02-job-certgen.yaml new file mode 100644 index 00000000000..cfe20f0b2c8 --- /dev/null +++ b/examples/gateway/02-job-certgen.yaml @@ -0,0 +1,73 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: contour + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour-certgen +subjects: +- kind: ServiceAccount + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: contour-certgen + namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: contour-certgen-main + namespace: projectcontour +spec: + ttlSecondsAfterFinished: 0 + template: + metadata: + labels: + app: "contour-certgen" + spec: + containers: + - name: contour + image: docker.io/projectcontour/contour:main + imagePullPolicy: Always + command: + - contour + - certgen + - --kube + - --incluster + - --overwrite + - --secrets-format=compact + - --namespace=$(CONTOUR_NAMESPACE) + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: Never + serviceAccountName: contour-certgen + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + parallelism: 1 + completions: 1 + backoffLimit: 1 diff --git a/examples/gateway/02-rbac.yaml b/examples/gateway/02-rbac.yaml new file mode 100644 index 00000000000..8105158a48a --- /dev/null +++ b/examples/gateway/02-rbac.yaml @@ -0,0 +1,15 @@ +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: contour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour + diff --git a/examples/gateway/02-role-contour.yaml b/examples/gateway/02-role-contour.yaml new file mode 100644 index 00000000000..8575c1d0037 --- /dev/null +++ b/examples/gateway/02-role-contour.yaml @@ -0,0 +1,153 @@ +# The following ClusterRole is generated from kubebuilder RBAC tags by +# generate-rbac.sh. Do not edit this file directly but instead edit the source +# files and re-render. + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: contour +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - secrets + - serviceaccounts + - services + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - create + - get + - update +- apiGroups: + - networking.x-k8s.io + resources: + - backendpolicies + - gatewayclasses + - gateways + - httproutes + - tcproutes + - tlsroutes + - udproutes + verbs: + - get + - list + - watch +- apiGroups: + - networking.x-k8s.io + resources: + - backendpolicies/status + - gatewayclasses/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: + - update +- apiGroups: + - projectcontour.io + resources: + - extensionservices + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - extensionservices/status + verbs: + - create + - get + - update +- apiGroups: + - projectcontour.io + resources: + - httpproxies + - tlscertificatedelegations + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - httpproxies/status + verbs: + - create + - get + - update diff --git a/examples/gateway/02-service-contour.yaml b/examples/gateway/02-service-contour.yaml new file mode 100644 index 00000000000..8be5bc9a748 --- /dev/null +++ b/examples/gateway/02-service-contour.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: contour + namespace: projectcontour +spec: + ports: + - port: 8001 + name: xds + protocol: TCP + targetPort: 8001 + selector: + app: contour + type: ClusterIP diff --git a/examples/gateway/03-contour.yaml b/examples/gateway/03-contour.yaml new file mode 100644 index 00000000000..ab0e54ab6c9 --- /dev/null +++ b/examples/gateway/03-contour.yaml @@ -0,0 +1,104 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: contour + name: contour + namespace: projectcontour +spec: + replicas: 1 + strategy: + type: RollingUpdate + rollingUpdate: + # This value of maxSurge means that during a rolling update + # the new ReplicaSet will be created first. + maxSurge: 50% + selector: + matchLabels: + app: contour + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8000" + labels: + app: contour + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app: contour + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - args: + - serve + - --incluster + - --xds-address=0.0.0.0 + - --xds-port=8001 + - --contour-cafile=/certs/ca.crt + - --contour-cert-file=/certs/tls.crt + - --contour-key-file=/certs/tls.key + - --config-path=/config/contour.yaml + command: ["contour"] + image: docker.io/projectcontour/contour:main + imagePullPolicy: Always + name: contour + ports: + - containerPort: 8001 + name: xds + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + - containerPort: 6060 + name: debug + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: 8000 + readinessProbe: + tcpSocket: + port: 8001 + initialDelaySeconds: 15 + periodSeconds: 10 + volumeMounts: + - name: contourcert + mountPath: /certs + readOnly: true + - name: contour-config + mountPath: /config + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + dnsPolicy: ClusterFirst + serviceAccountName: contour + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + volumes: + - name: contourcert + secret: + secretName: contourcert + - name: contour-config + configMap: + name: contour + defaultMode: 0644 + items: + - key: contour.yaml + path: contour.yaml diff --git a/examples/gateway/03-envoy.yaml b/examples/gateway/03-envoy.yaml new file mode 100644 index 00000000000..36ca22565f7 --- /dev/null +++ b/examples/gateway/03-envoy.yaml @@ -0,0 +1,134 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: envoy + name: envoy + namespace: projectcontour +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 10% + selector: + matchLabels: + app: envoy + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8002" + prometheus.io/path: "/stats/prometheus" + labels: + app: envoy + spec: + containers: + - command: + - /bin/contour + args: + - envoy + - shutdown-manager + image: docker.io/projectcontour/contour:main + imagePullPolicy: Always + lifecycle: + preStop: + exec: + command: + - /bin/contour + - envoy + - shutdown + livenessProbe: + httpGet: + path: /healthz + port: 8090 + initialDelaySeconds: 3 + periodSeconds: 10 + name: shutdown-manager + - args: + - -c + - /config/envoy.json + - --service-cluster $(CONTOUR_NAMESPACE) + - --service-node $(ENVOY_POD_NAME) + - --log-level info + command: + - envoy + image: docker.io/envoyproxy/envoy:v1.18.2 + imagePullPolicy: IfNotPresent + name: envoy + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + ports: + - containerPort: 8080 + hostPort: 80 + name: http + protocol: TCP + - containerPort: 8443 + hostPort: 443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8002 + initialDelaySeconds: 3 + periodSeconds: 4 + volumeMounts: + - name: envoy-config + mountPath: /config + readOnly: true + - name: envoycert + mountPath: /certs + readOnly: true + lifecycle: + preStop: + httpGet: + path: /shutdown + port: 8090 + scheme: HTTP + initContainers: + - args: + - bootstrap + - /config/envoy.json + - --xds-address=contour + - --xds-port=8001 + - --xds-resource-version=v3 + - --resources-dir=/config/resources + - --envoy-cafile=/certs/ca.crt + - --envoy-cert-file=/certs/tls.crt + - --envoy-key-file=/certs/tls.key + command: + - contour + image: docker.io/projectcontour/contour:main + imagePullPolicy: Always + name: envoy-initconfig + volumeMounts: + - name: envoy-config + mountPath: /config + - name: envoycert + mountPath: /certs + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + automountServiceAccountToken: false + serviceAccountName: envoy + terminationGracePeriodSeconds: 300 + volumes: + - name: envoy-config + emptyDir: {} + - name: envoycert + secret: + secretName: envoycert + restartPolicy: Always diff --git a/examples/gateway/04-gatewayclass.yaml b/examples/gateway/04-gatewayclass.yaml new file mode 100644 index 00000000000..b1175f22adc --- /dev/null +++ b/examples/gateway/04-gatewayclass.yaml @@ -0,0 +1,7 @@ +--- +kind: GatewayClass +apiVersion: networking.x-k8s.io/v1alpha1 +metadata: + name: contour +spec: + controller: projectcontour.io/contour diff --git a/examples/gateway/05-gateway.yaml b/examples/gateway/05-gateway.yaml new file mode 100644 index 00000000000..2642c592587 --- /dev/null +++ b/examples/gateway/05-gateway.yaml @@ -0,0 +1,16 @@ +--- +kind: Gateway +apiVersion: networking.x-k8s.io/v1alpha1 +metadata: + name: contour + namespace: projectcontour +spec: + gatewayClassName: contour + listeners: + - protocol: HTTP + port: 80 + routes: + kind: HTTPRoute + selector: + matchLabels: + app: kuard diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml new file mode 100644 index 00000000000..28ba425a1f3 --- /dev/null +++ b/examples/render/contour-gateway.yaml @@ -0,0 +1,6505 @@ +# This file is generated from the individual YAML files by generate-gateway-deployment.sh. Do not +# edit this file directly but instead edit the source files and re-render. +# +# Generated from: +# examples/gateway/00-common.yaml +# examples/gateway/01-contour-config.yaml +# examples/gateway/01-crds.yaml +# examples/gateway/01-gateway-crds.yaml +# examples/gateway/02-job-certgen.yaml +# examples/gateway/02-rbac.yaml +# examples/gateway/02-role-contour.yaml +# examples/gateway/02-service-contour.yaml +# examples/gateway/03-contour.yaml +# examples/gateway/03-envoy.yaml +# examples/gateway/04-gatewayclass.yaml +# examples/gateway/05-gateway.yaml +# + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour + namespace: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy + namespace: projectcontour + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: contour + namespace: projectcontour +data: + contour.yaml: | + # + # server: + # determine which XDS Server implementation to utilize in Contour. + # xds-server-type: contour + # + # Specify the gateway-api Gateway Contour should watch. + gateway: + name: contour + namespace: projectcontour + # + # should contour expect to be running inside a k8s cluster + # incluster: true + # + # path to kubeconfig (if not running inside a k8s cluster) + # kubeconfig: /path/to/.kube/config + # + # Disable RFC-compliant behavior to strip "Content-Length" header if + # "Tranfer-Encoding: chunked" is also set. + # disableAllowChunkedLength: false + # Disable HTTPProxy permitInsecure field + disablePermitInsecure: false + tls: + # minimum TLS version that Contour will negotiate + # minimum-protocol-version: "1.2" + # TLS ciphers to be supported by Envoy TLS listeners when negotiating + # TLS 1.2. + # cipher-suites: + # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + # - 'ECDHE-ECDSA-AES256-GCM-SHA384' + # - 'ECDHE-RSA-AES256-GCM-SHA384' + # Defines the Kubernetes name/namespace matching a secret to use + # as the fallback certificate when requests which don't match the + # SNI defined for a vhost. + fallback-certificate: + # name: fallback-secret-name + # namespace: projectcontour + envoy-client-certificate: + # name: envoy-client-cert-secret-name + # namespace: projectcontour + # The following config shows the defaults for the leader election. + # leaderelection: + # configmap-name: leader-elect + # configmap-namespace: projectcontour + ### Logging options + # Default setting + accesslog-format: envoy + # To enable JSON logging in Envoy + # accesslog-format: json + # The default fields that will be logged are specified below. + # To customise this list, just add or remove entries. + # The canonical list is available at + # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields + # json-fields: + # - "@timestamp" + # - "authority" + # - "bytes_received" + # - "bytes_sent" + # - "downstream_local_address" + # - "downstream_remote_address" + # - "duration" + # - "method" + # - "path" + # - "protocol" + # - "request_id" + # - "requested_server_name" + # - "response_code" + # - "response_flags" + # - "uber_trace_id" + # - "upstream_cluster" + # - "upstream_host" + # - "upstream_local_address" + # - "upstream_service_time" + # - "user_agent" + # - "x_forwarded_for" + # + # default-http-versions: + # - "HTTP/2" + # - "HTTP/1.1" + # + # The following shows the default proxy timeout settings. + # timeouts: + # request-timeout: infinity + # connection-idle-timeout: 60s + # stream-idle-timeout: 5m + # max-connection-duration: infinity + # delayed-close-timeout: 1s + # connection-shutdown-grace-period: 5s + # + # Envoy cluster settings. + # cluster: + # configure the cluster dns lookup family + # valid options are: auto (default), v4, v6 + # dns-lookup-family: auto + # + # Envoy network settings. + # network: + # Configure the number of additional ingress proxy hops from the + # right side of the x-forwarded-for HTTP header to trust. + # num-trusted-hops: 0 + # + # Configure an optional global rate limit service. + # rateLimitService: + # Identifies the extension service defining the rate limit service, + # formatted as /. + # extensionService: projectcontour/ratelimit + # Defines the rate limit domain to pass to the rate limit service. + # Acts as a container for a set of rate limit definitions within + # the RLS. + # domain: contour + # Defines whether to allow requests to proceed when the rate limit + # service fails to respond with a valid rate limit decision within + # the timeout defined on the extension service. + # failOpen: false + # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, + # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF + # Internet-Draft linked below), on responses to clients when the Rate + # Limit Service is consulted for a request. + # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + # enableXRateLimitHeaders: false + # + # Global Policy settings. + # policy: + # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) + # request-headers: + # set: + # # example: the hostname of the Envoy instance that proxied the request + # X-Envoy-Hostname: %HOSTNAME% + # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for + # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% + # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) + # response-headers: + # set: + # # example: Envoy flags that provide additional details about the response or connection + # X-Envoy-Response-Flags: %RESPONSE_FLAGS% + # + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: extensionservices.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ExtensionService + listKind: ExtensionServiceList + plural: extensionservices + shortNames: + - extensionservice + - extensionservices + singular: extensionservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExtensionService is the schema for the Contour extension services + API. An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating components. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExtensionServiceSpec defines the desired state of an ExtensionService + resource. + properties: + loadBalancerPolicy: + description: The policy for load balancing GRPC service requests. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy is chosen. + If an element of the supplied list of hash policies is invalid, + it will be ignored. If the list of hash policies is empty after + validation, the load balancing strategy will fall back the the + default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for an + individual hash policy on a request attribute. + properties: + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must be + the only hash option field set, otherwise this request + hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP request + header that will be used to calculate the hash key. + If the header specified is not present on a request, + no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to true, + and the request attribute specified in the attribute hash + options is present, no further hash policies will be used + to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are `Random`, + `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. + If an unknown strategy name is specified or no policy is supplied, + the default `RoundRobin` policy is used. + type: string + type: object + protocol: + description: Protocol may be used to specify (or override) the protocol + used to reach this Service. Values may be h2 or h2c. If omitted, + protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + type: string + protocolVersion: + description: This field sets the version of the GRPC protocol that + Envoy uses to send requests to the extension service. Since Contour + always uses the v3 Envoy API, this is currently fixed at "v3". However, + other protocol options will be available in future. + enum: + - v3 + type: string + services: + description: Services specifies the set of Kubernetes Service resources + that receive GRPC extension API requests. If no weights are specified + for any of the entries in this array, traffic will be spread evenly + across all the services. Otherwise, traffic is balanced proportionally + to the Weight field in each entry. + items: + description: ExtensionServiceTarget defines an Kubernetes Service + to target with extension service traffic. + properties: + name: + description: Name is the name of Kubernetes service that will + accept service traffic. + type: string + port: + description: Port (defined as Integer) to proxy traffic to since + a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + weight: + description: Weight defines proportion of traffic to balance + to the Kubernetes Service. + format: int32 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for requests to the services. + properties: + idle: + description: Timeout after which, if there are no active requests + for this route, the connection between Envoy and the backend + or Envoy and the external client will be closed. If not specified, + there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, Envoy's + default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + validation: + description: UpstreamValidation defines how to verify the backend + service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to validate + the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in the 'subjectAltName' + of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + required: + - services + type: object + status: + description: ExtensionServiceStatus defines the observed state of an ExtensionService + resource. + properties: + conditions: + description: "Conditions contains the current status of the ExtensionService + resource. \n Contour will update a single condition, `Valid`, that + is in normal-true polarity. \n Contour will not modify any other + Conditions set in this block, in case some other controller wants + to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: httpproxies.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: HTTPProxy + listKind: HTTPProxyList + plural: httpproxies + shortNames: + - proxy + - proxies + singular: httpproxy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Fully qualified domain name + jsonPath: .spec.virtualhost.fqdn + name: FQDN + type: string + - description: Secret with TLS credentials + jsonPath: .spec.virtualhost.tls.secretName + name: TLS Secret + type: string + - description: The current status of the HTTPProxy + jsonPath: .status.currentStatus + name: Status + type: string + - description: Description of the current status + jsonPath: .status.description + name: Status Description + type: string + name: v1 + schema: + openAPIV3Schema: + description: HTTPProxy is an Ingress CRD specification. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HTTPProxySpec defines the spec of the CRD. + properties: + includes: + description: Includes allow for specific routing configuration to + be included from another HTTPProxy, possibly in another namespace. + items: + description: Include describes a set of policies that can be applied + to an HTTPProxy in a namespace. + properties: + conditions: + description: 'Conditions are a set of rules that are applied + to included HTTPProxies. In effect, they are added onto the + Conditions of included HTTPProxy Route structs. When applied, + they are merged using AND, with one exception: There can be + only one Prefix MatchCondition per Conditions slice. More + than one Prefix, or contradictory Conditions, will make the + include invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + name: + description: Name of the HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + type: array + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host. + properties: + authPolicy: + description: AuthPolicy updates the authorization policy that + was set on the root HTTPProxy object for client requests that + match this route. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that are + sent to the authentication server in the check request. + If a context is provided at an enclosing scope, the entries + are merged such that the inner scope overrides matching + keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + conditions: + description: 'Conditions are a set of rules that are applied + to a Route. When applied, they are merged using AND, with + one exception: There can be only one Prefix MatchCondition + per Conditions slice. More than one Prefix, or contradictory + Conditions, will make the route invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + enableWebsockets: + description: Enables websocket support for the route. + type: boolean + healthCheckPolicy: + description: The health check policy for this route. + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP health + check request. If left empty (default value), the name + "contour-envoy-healthcheck" will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + loadBalancerPolicy: + description: The load balancing policy for this route. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash + policies to apply when the `RequestHash` load balancing + strategy is chosen. If an element of the supplied list + of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load + balancing strategy will fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration + for an individual hash policy on a request attribute. + properties: + headerHashOptions: + description: HeaderHashOptions should be set when + request header hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not + present on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set + to true, and the request attribute specified in + the attribute hash options is present, no further + hash policies will be used to calculate a hash for + the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy + names are `Random`, `RoundRobin`, `WeightedLeastRequest`, + `Cookie`, and `RequestHash`. If an unknown strategy name + is specified or no policy is supplied, the default `RoundRobin` + policy is used. + type: string + type: object + pathRewritePolicy: + description: The policy for rewriting the path of the request + URL after the request has been routed to a Service. + properties: + replacePrefix: + description: ReplacePrefix describes how the path prefix + should be replaced. + items: + description: ReplacePrefix describes a path prefix replacement. + properties: + prefix: + description: "Prefix specifies the URL path prefix + to be replaced. \n If Prefix is specified, it must + exactly match the MatchCondition prefix that is + rendered by the chain of including HTTPProxies and + only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through + multiple roots to only replace specific path prefixes, + leaving others unmodified. \n If Prefix is not specified, + all routing prefixes rendered by the include chain + will be replaced." + minLength: 1 + type: string + replacement: + description: Replacement is the string that the routing + path prefix will be replaced with. This must not + be empty. + minLength: 1 + type: string + required: + - replacement + type: object + type: array + type: object + permitInsecure: + description: Allow this path to respond to insecure requests + over HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + rateLimitPolicy: + description: The policy for rate limiting on the route. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. parameters defining descriptors that are sent to + an external rate limit service (RLS) for a rate limit + decision on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit + service. Each descriptor contains 1+ key-value pair + entries. + items: + description: RateLimitDescriptor defines a list of + key-value pair generators. + properties: + entries: + description: Entries is the list of key-value + pair generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this + struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of + the descriptor entry. If not set, + the key is set to "generic_key". + type: string + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given + header is present on the request. The + descriptor key is static, and the descriptor + value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the + name of the header to look for on + the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if + the request's headers match a set of 1+ + match criteria. The descriptor key is + "header_match", and the descriptor value + is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match + the match criteria in order to generate + a descriptor entry (i.e. true), or + not match the match criteria in order + to generate a descriptor entry (i.e. + false). The default is true. + type: boolean + headers: + description: Headers is a list of 1+ + match criteria to apply against the + request to determine whether to populate + the descriptor entry or not. + items: + description: HeaderMatchCondition + specifies how to conditionally match + against HTTP headers. The Name field + is required, but only one of the + remaining fields should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a + string that the header value + must be equal to. + type: string + name: + description: Name is the name + of the header to match against. + Name is required. Header names + are case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be + present in the header value. + type: string + notexact: + description: NoExact specifies + a string that the header value + must not be equal to. The condition + is true if the header has any + other value. + type: string + notpresent: + description: NotPresent specifies + that condition is true when + the named header is not present. + Note that setting NotPresent + to false does not make the condition + true if the named header is + present. + type: boolean + present: + description: Present specifies + that condition is true when + the named header is present, + regardless of its value. Note + that setting Present to false + does not make the condition + true if the named header is + absent. + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per + unit of time should be allowed before rate limiting + occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within + which requests over the limit will be rate limited. + Valid values are "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + retryPolicy: + description: The retry policy for this route. + properties: + count: + description: NumRetries is maximum allowed number of retries. + If not supplied, the number of retries is one. + format: int64 + minimum: 0 + type: integer + perTryTimeout: + description: PerTryTimeout specifies the timeout per retry + attempt. Ignored if NumRetries is not supplied. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + retriableStatusCodes: + description: "RetriableStatusCodes specifies the HTTP status + codes that should be retried. \n This field is only respected + when you include `retriable-status-codes` in the `RetryOn` + field." + items: + format: int32 + type: integer + type: array + retryOn: + description: "RetryOn specifies the conditions on which + to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + \n - `5xx` - `gateway-error` - `reset` - `connect-failure` + - `retriable-4xx` - `refused-stream` - `retriable-status-codes` + - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + \n - `cancelled` - `deadline-exceeded` - `internal` - + `resource-exhausted` - `unavailable`" + items: + description: RetryOn is a string type alias with validation + to ensure that the value is valid. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - retriable-headers + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + services: + description: Services are the services to proxy traffic. + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to + proxy traffic. Names defined here will be used to look + up corresponding endpoints which contain the ips to + route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may + be tls, h2, h2c. If omitted, protocol-selection falls + back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers + during proxying. Rewriting the 'Host' header is not + supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify + the backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used + to validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for this route. + properties: + idle: + description: Timeout after which, if there are no active + requests for this route, the connection between Envoy + and the backend or Envoy and the external client will + be closed. If not specified, there is no per-route idle + timeout, though a connection manager-wide stream_idle_timeout + default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, + Envoy's default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + required: + - services + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + healthCheckPolicy: + description: The health check policy for this tcp proxy + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int32 + type: integer + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int32 + type: integer + type: object + include: + description: Include specifies that this tcpproxy should be delegated + to another HTTPProxy. + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + includes: + description: "IncludesDeprecated allow for specific routing configuration + to be appended to another HTTPProxy in another namespace. \n + Exists due to a mistake when developing HTTPProxy and the field + was marked plural when it should have been singular. This field + should stay to not break backwards compatibility to v1 users." + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + loadBalancerPolicy: + description: The load balancing policy for the backend services. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy + is chosen. If an element of the supplied list of hash policies + is invalid, it will be ignored. If the list of hash policies + is empty after validation, the load balancing strategy will + fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for + an individual hash policy on a request attribute. + properties: + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must + be the only hash option field set, otherwise this + request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not present + on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to + true, and the request attribute specified in the attribute + hash options is present, no further hash policies + will be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy names + are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may be + tls, h2, h2c. If omitted, protocol-selection falls back + on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to + validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + type: object + virtualhost: + description: Virtualhost appears at most once. If it is present, the + object is considered to be a "root" HTTPProxy. + properties: + authorization: + description: This field configures an extension service to perform + authorization for this virtual host. Authorization can only + be configured on virtual hosts that have TLS enabled. If the + TLS configuration requires client certificate validation, the + client certificate is always included in the authentication + check request. + properties: + authPolicy: + description: AuthPolicy sets a default authorization policy + for client requests. This policy will be used unless overridden + by individual routes. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that + are sent to the authentication server in the check request. + If a context is provided at an enclosing scope, the + entries are merged such that the inner scope overrides + matching keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this field + is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this field + is not specifies, the namespace of the resource that + targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request is forwarded + to the upstream service even if the authorization server + fails to respond. This field should not be set in most cases. + It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time to wait + for a check response from the authorization server. Timeout + durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". The string "infinity" is also a valid input and specifies + no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + required: + - extensionRef + type: object + corsPolicy: + description: Specifies the cross-origin policy to apply to the + VirtualHost. + properties: + allowCredentials: + description: Specifies whether the resource allows credentials. + type: boolean + allowHeaders: + description: AllowHeaders specifies the content for the *access-control-allow-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowMethods: + description: AllowMethods specifies the content for the *access-control-allow-methods* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowOrigin: + description: AllowOrigin specifies the origins that will be + allowed to do CORS requests. "*" means allow any origin. + items: + type: string + type: array + exposeHeaders: + description: ExposeHeaders Specifies the content for the *access-control-expose-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + maxAge: + description: MaxAge indicates for how long the results of + a preflight request can be cached. MaxAge durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". Only positive values are allowed while 0 disables the + cache requiring a preflight OPTIONS check for all cross-origin + requests. + type: string + required: + - allowMethods + - allowOrigin + type: object + fqdn: + description: The fully qualified domain name of the root of the + ingress tree all leaves of the DAG rooted at this object relate + to the fqdn. + type: string + rateLimitPolicy: + description: The policy for rate limiting on the virtual host. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. parameters defining descriptors that are sent to an + external rate limit service (RLS) for a rate limit decision + on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit service. + Each descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair + generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this struct + must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of the + descriptor entry. If not set, the key + is set to "generic_key". + type: string + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given header + is present on the request. The descriptor + key is static, and the descriptor value + is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name + of the header to look for on the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if the + request's headers match a set of 1+ match + criteria. The descriptor key is "header_match", + and the descriptor value is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match the + match criteria in order to generate + a descriptor entry (i.e. true), or not + match the match criteria in order to + generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: Headers is a list of 1+ match + criteria to apply against the request + to determine whether to populate the + descriptor entry or not. + items: + description: HeaderMatchCondition specifies + how to conditionally match against + HTTP headers. The Name field is required, + but only one of the remaining fields + should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be + equal to. + type: string + name: + description: Name is the name of + the header to match against. Name + is required. Header names are + case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be present + in the header value. + type: string + notexact: + description: NoExact specifies a + string that the header value must + not be equal to. The condition + is true if the header has any + other value. + type: string + notpresent: + description: NotPresent specifies + that condition is true when the + named header is not present. Note + that setting NotPresent to false + does not make the condition true + if the named header is present. + type: boolean + present: + description: Present specifies that + condition is true when the named + header is present, regardless + of its value. Note that setting + Present to false does not make + the condition true if the named + header is absent. + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per unit + of time should be allowed before rate limiting occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within which + requests over the limit will be rate limited. Valid + values are "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + tls: + description: If present the fields describes TLS properties of + the virtual host. The SNI names that will be matched on are + described in fqdn, the tls.secretName secret must contain a + certificate that itself contains a name that matches the FQDN. + properties: + clientValidation: + description: "ClientValidation defines how to verify the client + certificate when an external client establishes a TLS connection + to Envoy. \n This setting: \n 1. Enables TLS client certificate + validation. 2. Specifies how the client certificate will + be validated (i.e. validation required or skipped). \n + Note: Setting client certificate validation to be skipped + should be only used in conjunction with an external authorization + server that performs client validation as Contour will ensure + client certificates are passed along." + properties: + caSecret: + description: Name of a Kubernetes secret that contains + a CA certificate bundle. The client certificate must + validate against the certificates in the bundle. + minLength: 1 + type: string + skipClientCertValidation: + description: SkipClientCertValidation disables downstream + client certificate validation. Defaults to false. This + field is intended to be used in conjunction with external + authorization in order to enable the external authorization + server to validate client certificates. When this field + is set to true, client certificates are requested but + not verified by Envoy. If external authorization is + in use, they are presented to the external authorization + server. + type: boolean + type: object + enableFallbackCertificate: + description: EnableFallbackCertificate defines if the vhost + should allow a default certificate to be applied which handles + all requests which don't match the SNI defined in this vhost. + type: boolean + minimumProtocolVersion: + description: MinimumProtocolVersion is the minimum TLS version + this vhost should negotiate. Valid options are `1.2` (default) + and `1.3`. Any other value defaults to TLS 1.2. + type: string + passthrough: + description: Passthrough defines whether the encrypted TLS + handshake will be passed through to the backing cluster. + Either Passthrough or SecretName must be specified, but + not both. + type: boolean + secretName: + description: SecretName is the name of a TLS secret in the + current namespace. Either SecretName or Passthrough must + be specified, but not both. If specified, the named secret + must contain a matching certificate for the virtual host's + FQDN. + type: string + type: object + required: + - fqdn + type: object + type: object + status: + description: Status is a container for computed information about the + HTTPProxy. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com/ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentStatus: + type: string + description: + type: string + loadBalancer: + description: LoadBalancer contains the current status of the load + balancer. + properties: + ingress: + description: Ingress is a list containing ingress points for the + load-balancer. Traffic intended for the service should be sent + to these ingress points. + items: + description: 'LoadBalancerIngress represents the status of a + load-balancer ingress point: traffic intended for the service + should be sent to an ingress point.' + properties: + hostname: + description: Hostname is set for load-balancer ingress points + that are DNS based (typically AWS load-balancers) + type: string + ip: + description: IP is set for load-balancer ingress points + that are IP based (typically GCE or OpenStack load-balancers) + type: string + ports: + description: Ports is a list of records of service ports + If used, every port defined in the service should have + an entry in it + items: + properties: + error: + description: 'Error is to record the problem with + the service port The format of the error shall comply + with the following rules: - built-in error values + shall be specified in this file and those shall + use CamelCase names - cloud provider specific + error values must have names that comply with the format + foo.example.com/CamelCase. --- The regex it matches + is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + default: TCP + description: 'Protocol is the protocol of the service + port of which status is recorded here The supported + values are: "TCP", "UDP", "SCTP"' + type: string + required: + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: tlscertificatedelegations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + shortNames: + - tlscerts + singular: tlscertificatedelegation + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD + specification. See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + status: + description: TLSCertificateDelegationStatus allows for the status of the + delegation to be presented to the user. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com\\ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: backendpolicies.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: BackendPolicy + listKind: BackendPolicyList + plural: backendpolicies + shortNames: + - bp + singular: backendpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BackendPolicy defines policies associated with backends. For + the purpose of this API, a backend is defined as any resource that a route + can forward traffic to. A common example of a backend is a Service. Configuration + that is implementation specific may be represented with similar implementation + specific custom resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendPolicy. + properties: + backendRefs: + description: "BackendRefs define which backends this policy should + be applied to. This policy can only apply to backends within the + same namespace. If more than one BackendPolicy targets the same + backend, precedence must be given to the oldest BackendPolicy. \n + Support: Core" + items: + description: BackendRef identifies an API object within the same + namespace as the BackendPolicy. + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + type: string + kind: + description: Kind is the kind of the referent. + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + type: string + port: + description: Port is the port of the referent. If unspecified, + this policy applies to all ports on the backend. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - group + - kind + - name + type: object + maxItems: 16 + type: array + tls: + description: "TLS is the TLS configuration for these backends. \n + Support: Extended" + properties: + certificateAuthorityRef: + description: "CertificateAuthorityRef is a reference to a Kubernetes + object that contains one or more trusted CA certificates. The + CA certificates are used to establish a TLS handshake to backends + listed in BackendRefs. The referenced object MUST reside in + the same namespace as BackendPolicy. \n CertificateAuthorityRef + can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. \n When stored + in a Secret, certificates must be PEM encoded and specified + within the \"ca.crt\" data field of the Secret. When multiple + certificates are specified, the certificates MUST be concatenated + by new lines. \n CertificateAuthorityRef can also reference + a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific + custom resource. \n Support: Extended" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + options: + additionalProperties: + type: string + description: "Options are a list of key/value pairs to give extended + options to the provider. \n Support: Implementation-specific" + type: object + type: object + required: + - backendRefs + type: object + status: + description: Status defines the current state of BackendPolicy. + properties: + conditions: + description: Conditions describe the current conditions of the BackendPolicy. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: gatewayclasses.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controller + name: Controller + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the + user for creating Gateway resources. \n GatewayClass is a Cluster level + resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controller: + description: "Controller is a domain/path string that indicates the + controller that is managing Gateways of this class. \n Example: + \"acme.io/gateway-controller\". \n This field is not mutable and + cannot be empty. \n The format of this field is DOMAIN \"/\" PATH, + where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Support: Core" + maxLength: 253 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains + the configuration parameters corresponding to the GatewayClass. + This is optional if the controller does not require any additional + configuration. \n ParametersRef can reference a standard Kubernetes + resource, i.e. ConfigMap, or an implementation-specific custom resource. + The resource can be cluster-scoped or namespace-scoped. \n If the + referent cannot be found, the GatewayClass's \"InvalidParameters\" + status condition will be true. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This + field is required when scope is set to "Namespace" and ignored + when scope is set to "Cluster". + maxLength: 253 + minLength: 1 + type: string + scope: + default: Cluster + description: Scope represents if the referent is a Cluster or + Namespace scoped resource. This may be set to "Cluster" or "Namespace". + enum: + - Cluster + - Namespace + type: string + required: + - group + - kind + - name + type: object + required: + - controller + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: "False" + type: Admitted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: "False" + type: Admitted + description: "Conditions is the current status from the controller + for this GatewayClass. \n Controllers should prefer to publish conditions + using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: gateways.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: "Gateway represents an instantiation of a service-traffic handling + infrastructure by binding Listeners to a set of IP addresses. \n Implementations + should add the `gateway-exists-finalizer.networking.x-k8s.io` finalizer + on the associated GatewayClass whenever Gateway(s) is running. This ensures + that a GatewayClass associated with a Gateway(s) is not deleted while in + use." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this gateway. This is optional + and behavior can depend on the GatewayClass. If a value is set in + the spec and the requested address is invalid, the GatewayClass + MUST indicate this in the associated entry in GatewayStatus.Addresses. + \n If no Addresses are specified, the GatewayClass may schedule + the Gateway in an implementation-defined manner, assigning an appropriate + set of Addresses. \n The GatewayClass MUST bind all Listeners to + every GatewayAddress that it assigns to the Gateway. \n Support: + Core" + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + properties: + type: + default: IPAddress + description: "Type of the address. \n Support: Extended" + enum: + - IPAddress + - NamedAddress + type: string + value: + description: "Value of the address. The validity of the values + will depend on the type and support by the controller. \n + Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name + of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. At + least one Listener MUST be specified. \n An implementation MAY group + Listeners by Port and then collapse each group of Listeners into + a single Listener if the implementation determines that the Listeners + in the group are \"compatible\". An implementation MAY also group + together and collapse compatible Listeners belonging to different + Gateways. \n For example, an implementation might consider Listeners + to be compatible with each other if all of the following conditions + are met: \n 1. Either each Listener within the group specifies the + \"HTTP\" Protocol or each Listener within the group specifies + either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener + within the group specifies a Hostname that is unique within the + group. \n 3. As a special case, one Listener within a group may + omit Hostname, in which case this Listener matches when no other + Listener matches. \n If the implementation does collapse compatible + Listeners, the hostname provided in the incoming client request + MUST be matched to a Listener to find the correct set of Routes. + The incoming hostname MUST be matched using the Hostname field for + each Listener in order of most to least specific. That is, exact + matches must be processed before wildcard matches. \n If this field + specifies multiple Listeners that have the same Port value but are + not compatible, the implementation must raise a \"Conflicted\" condition + in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint + where a Gateway can accept network connections. Each listener + in a Gateway must have a unique combination of Hostname, Port, + and Protocol. This will be enforced by a validating webhook. + properties: + hostname: + description: "Hostname specifies the virtual hostname to match + for protocol types that define this concept. When unspecified, + \"\", or `*`, all hostnames are matched. This field can be + omitted for protocols that don't require hostname based matching. + \n Hostname is the fully qualified domain name of a network + host, as defined by RFC 3986. Note the following deviations + from the \"host\" part of the URI as defined in the RFC: \n + 1. IP literals are not allowed. 2. The `:` delimiter is not + respected because ports are not allowed. \n Hostname can be + \"precise\" which is a domain name without the terminating + dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single wildcard label + (e.g. `*.example.com`). The wildcard character `*` must appear + by itself as the first DNS label and matches only a single + label. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + port: + description: "Port is the network port. Multiple listeners may + use the same port, subject to the Listener compatibility rules. + \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener + expects to receive. The GatewayClass MUST apply the Hostname + match appropriately for each protocol: \n * For the \"TLS\" + protocol, the Hostname match MUST be applied to the [SNI](https://tools.ietf.org/html/rfc6066#section-3) + \ server name offered by the client. * For the \"HTTP\" protocol, + the Hostname match MUST be applied to the host portion of + the [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5) + \ or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) + * For the \"HTTPS\" protocol, the Hostname match MUST be applied + at both the TLS and HTTP protocol layers. \n Support: Core" + type: string + routes: + description: "Routes specifies a schema for associating routes + with the Listener using selectors. A Route is a resource capable + of servicing a request and allows a cluster operator to expose + a cluster resource (i.e. Service) by externally-reachable + URL, load-balance traffic and terminate SSL/TLS. Typically, + a route is a \"HTTPRoute\" or \"TCPRoute\" in group \"networking.x-k8s.io\", + however, an implementation may support other types of resources. + \n The Routes selector MUST select a set of objects that are + compatible with the application protocol specified in the + Protocol field. \n Although a client request may technically + match multiple route rules, only one rule may ultimately receive + the request. Matching precedence MUST be determined in order + of the following criteria: \n * The most specific match. For + example, the most specific HTTPRoute match is determined + by the longest matching combination of hostname and path. + * The oldest Route based on creation timestamp. For example, + a Route with a creation timestamp of \"2020-09-08 01:02:03\" + is given precedence over a Route with a creation timestamp + of \"2020-09-08 01:02:04\". * If everything else is equivalent, + the Route appearing first in alphabetical order (namespace/name) + should be given precedence. For example, foo/bar is given + precedence over foo/baz. \n All valid portions of a Route + selected by this field should be supported. Invalid portions + of a Route can be ignored (sometimes that will mean the full + Route). If a portion of a Route transitions from valid to + invalid, support for that portion of the Route should be dropped + to ensure consistency. For example, even if a filter specified + by a Route is invalid, the rest of the Route should still + be supported. \n Support: Core" + properties: + group: + default: networking.x-k8s.io + description: "Group is the group of the route resource to + select. Omitting the value or specifying the empty string + indicates the networking.x-k8s.io API group. For example, + use the following to select an HTTPRoute: \n routes: kind: + HTTPRoute \n Otherwise, if an alternative API group is + desired, specify the desired group: \n routes: group: + acme.io kind: FooRoute \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + kind: + description: "Kind is the kind of the route resource to + select. \n Kind MUST correspond to kinds of routes that + are compatible with the application protocol specified + in the Listener's Protocol field. \n If an implementation + does not support or recognize this resource type, it SHOULD + set the \"ResolvedRefs\" condition to false for this listener + with the \"InvalidRoutesRef\" reason. \n Support: Core" + type: string + namespaces: + default: + from: Same + description: "Namespaces indicates in which namespaces Routes + should be selected for this Gateway. This is restricted + to the namespace of this Gateway by default. \n Support: + Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected + for this Gateway. Possible values are: * All: Routes + in all namespaces may be used by this Gateway. * Selector: + Routes in namespaces selected by the selector may + be used by this Gateway. * Same: Only Routes in + the same namespace may be used by this Gateway. \n + Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is + set to \"Selector\". In that case, only Routes in + Namespaces matching this Selector will be selected + by this Gateway. This field is ignored for other values + of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + type: object + selector: + description: "Selector specifies a set of route labels used + for selecting routes to associate with the Gateway. If + this Selector is defined, only routes matching the Selector + are associated with the Gateway. An empty Selector matches + all routes. \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + required: + - kind + type: object + tls: + description: "TLS is the TLS configuration for the Listener. + This field is required if the Protocol field is \"HTTPS\" + or \"TLS\" and ignored otherwise. \n The association of SNIs + to Certificate defined in GatewayTLSConfig is defined based + on the Hostname field for this listener. \n The GatewayClass + MUST use the longest matching SNI out of all available certificates + for any TLS handshake. \n Support: Core" + properties: + certificateRef: + description: "CertificateRef is a reference to a Kubernetes + object that contains a TLS certificate and private key. + This certificate is used to establish a TLS handshake + for requests that match the hostname of the associated + listener. The referenced object MUST reside in the same + namespace as Gateway. \n This field is required when mode + is set to \"Terminate\" (default) and optional otherwise. + \n CertificateRef can reference a standard Kubernetes + resource, i.e. Secret, or an implementation-specific custom + resource. \n Support: Core (Kubernetes Secrets) \n Support: + Implementation-specific (Other resource types)" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS + session initiated by the client. There are two possible + modes: - Terminate: The TLS session between the downstream + client and the Gateway is terminated at the Gateway. + This mode requires certificateRef to be set. - Passthrough: + The TLS session is NOT terminated by the Gateway. This + \ implies that the Gateway can't decipher the TLS stream + except for the ClientHello message of the TLS protocol. + \ CertificateRef field is ignored in this mode. \n Support: + Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + type: string + description: "Options are a list of key/value pairs to give + extended options to the provider. \n There variation among + providers as to how ciphersuites are expressed. If there + is a common subset for expressing ciphers then it will + make sense to loft that as a core API construct. \n Support: + Implementation-specific" + type: object + routeOverride: + default: + certificate: Deny + description: "RouteOverride dictates if TLS settings can + be configured via Routes or not. \n CertificateRef must + be defined even if `routeOverride.certificate` is set + to 'Allow' as it will be used as the default certificate + for the listener. \n Support: Core" + properties: + certificate: + default: Deny + description: "Certificate dictates if TLS certificates + can be configured via Routes. If set to 'Allow', a + TLS certificate for a hostname defined in a Route + takes precedence over the certificate defined in Gateway. + \n Support: Core" + enum: + - Allow + - Deny + type: string + type: object + type: object + required: + - port + - protocol + - routes + type: object + maxItems: 64 + minItems: 1 + type: array + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: "False" + type: Scheduled + description: Status defines the current state of Gateway. + properties: + addresses: + description: "Addresses lists the IP addresses that have actually + been bound to the Gateway. These addresses may differ from the addresses + in the Spec, e.g. if the Gateway automatically assigns an address + from a reserved pool. \n These addresses should all be of type \"IPAddress\"." + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + properties: + type: + default: IPAddress + description: "Type of the address. \n Support: Extended" + enum: + - IPAddress + - NamedAddress + type: string + value: + description: "Value of the address. The validity of the values + will depend on the type and support by the controller. \n + Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: "False" + type: Scheduled + description: "Conditions describe the current conditions of the Gateway. + \n Implementations should prefer to express Gateway conditions using + the `GatewayConditionType` and `GatewayConditionReason` constants + so that operators and tools can converge on a common vocabulary + to describe Gateway state. \n Known condition types are: \n * \"Scheduled\" + * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostname: + description: Hostname is the Listener hostname value for which + this message is reporting the status. + maxLength: 253 + minLength: 1 + type: string + port: + description: Port is the unique Listener port value for which + this message is reporting the status. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: Protocol is the Listener protocol value for which + this message is reporting the status. + type: string + required: + - conditions + - port + - protocol + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: httproutes.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTPRoute resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + gateways: + default: + allow: SameNamespace + description: Gateways defines which Gateways can use this Route. + properties: + allow: + default: SameNamespace + description: 'Allow indicates which Gateways will be allowed to + use this route. Possible values are: * All: Gateways in any + namespace can use this route. * FromList: Only Gateways specified + in GatewayRefs may use this route. * SameNamespace: Only Gateways + in the same namespace may use this route.' + enum: + - All + - FromList + - SameNamespace + type: string + gatewayRefs: + description: GatewayRefs must be specified when Allow is set to + "FromList". In that case, only Gateways referenced in this list + will be allowed to use this route. This field is ignored for + other values of "Allow". + items: + description: GatewayReference identifies a Gateway in a specified + namespace. + properties: + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + type: array + type: object + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. Hostname is the fully qualified domain name of a network + host, as defined by RFC 3986. Note the following deviations from + the \"host\" part of the URI as defined in the RFC: \n 1. IPs are + not allowed. 2. The `:` delimiter is not respected because ports + are not allowed. \n Incoming requests are matched against the hostnames + before the HTTPRoute rules. If no hostname is specified, traffic + is routed based on the HTTPRouteRules. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + The wildcard character `*` must appear by itself as the first DNS + label and matches only a single label. You cannot have a wildcard + label by itself (e.g. Host == `*`). Requests will be matched against + the Host field in the following order: \n 1. If Host is precise, + the request matches this rule if the HTTP Host header is equal + to Host. 2. If Host is a wildcard, then the request matches this + rule if the HTTP Host header is to equal to the suffix (removing + the first label) of the wildcard rule. \n Support: Core" + items: + description: Hostname is used to specify a hostname that should + be matched. + maxLength: 253 + minLength: 1 + type: string + maxItems: 16 + type: array + rules: + default: + - matches: + - path: + type: Prefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions, optionally executing additional processing + steps, and forwarding the request to an API object. + properties: + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n Support: Core" + items: + description: 'HTTPRouteFilter defines additional processing + steps that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension point + to express additional processing that may be done in Gateway + implementations. Some examples include request or response + modification, implementing authentication strategies, rate-limiting, + and traffic shaping. API guarantee/conformance is defined + based on the type of the filter. TODO(hbagdi): re-render + CRDs once controller-tools supports union tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298 + - https://github.com/kubernetes-sigs/controller-tools/issues/461' + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.acme.io\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + additionalProperties: + type: string + description: "Add adds the given header (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + \n Input: GET /foo HTTP/1.1 my-header: foo \n + Config: add: {\"my-header\": \"bar\"} \n Output: + \ GET /foo HTTP/1.1 my-header: foo my-header: + bar \n Support: Extended" + type: object + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of RemoveHeader + is a list of HTTP header names. Note that the header + names are case-insensitive [RFC-2616 4.2]. \n Input: + \ GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar \n Support: Extended" + items: + type: string + maxItems: 16 + type: array + set: + additionalProperties: + type: string + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: {\"my-header\": \"bar\"} \n Output: GET + /foo HTTP/1.1 my-header: bar \n Support: Extended" + type: object + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. \n Support: Extended" + properties: + backendRef: + description: "BackendRef is a local object reference + to mirror matched requests to. If both BackendRef + and ServiceName are specified, ServiceName will + be given precedence. \n If the referent cannot be + found, the rule is not included in the route. The + controller should raise the \"ResolvedRefs\" condition + on the Gateway with the \"DegradedRoutes\" reason. + The gateway status for this route should be updated + with a condition that describes the error more specifically. + \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination port + number to use for the backend referenced by the + ServiceName or BackendRef field. \n If unspecified, + the destination port in the request is used when + forwarding to a backendRef or serviceName." + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the + Service to mirror matched requests to. When specified, + this takes the place of BackendRef. If both BackendRef + and ServiceName are specified, ServiceName will + be given precedence. \n If the referent cannot be + found, the rule is not included in the route. The + controller should raise the \"ResolvedRefs\" condition + on the Gateway with the \"DegradedRoutes\" reason. + The gateway status for this route should be updated + with a condition that describes the error more specifically. + \n Support: Core" + maxLength: 253 + type: string + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n + - Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, + e.g. \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Custom: Filters that + are defined and supported by specific vendors. In + the future, filters showing convergence in behavior + across multiple implementations will be considered + for inclusion in extended or core conformance levels. + Filter-specific configuration for such filters is + specified using the ExtensionRef field. `Type` should + be set to \"ExtensionRef\" for custom filters. \n + Implementers are encouraged to define custom implementation + types to extend the core API with implementation-specific + behavior." + enum: + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + forwardTo: + description: ForwardTo defines the backend(s) where matching + requests should be sent. If unspecified, the rule performs + no forwarding. If unspecified and no filters are specified + that would result in a response being sent, a 503 error code + is returned. + items: + description: HTTPRouteForwardTo defines how a HTTPRoute should + forward a request. + properties: + backendRef: + description: "BackendRef is a reference to a backend to + forward matched requests to. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + route must be dropped from the Gateway. The controller + should raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + filters: + description: "Filters defined at this-level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Custom (For + broader support of filters, use the Filters field in + HTTPRouteRule.)" + items: + description: 'HTTPRouteFilter defines additional processing + steps that must be completed during the request or + response lifecycle. HTTPRouteFilters are meant as + an extension point to express additional processing + that may be done in Gateway implementations. Some + examples include request or response modification, + implementing authentication strategies, rate-limiting, + and traffic shaping. API guarantee/conformance is + defined based on the type of the filter. TODO(hbagdi): + re-render CRDs once controller-tools supports union + tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298 + - https://github.com/kubernetes-sigs/controller-tools/issues/461' + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.acme.io\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + additionalProperties: + type: string + description: "Add adds the given header (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo + HTTP/1.1 my-header: foo \n Config: add: + {\"my-header\": \"bar\"} \n Output: GET + /foo HTTP/1.1 my-header: foo my-header: + bar \n Support: Extended" + type: object + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of RemoveHeader is a list of HTTP header names. + Note that the header names are case-insensitive + [RFC-2616 4.2]. \n Input: GET /foo HTTP/1.1 + \ my-header1: foo my-header2: bar my-header3: + baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 + \ my-header2: bar \n Support: Extended" + items: + type: string + maxItems: 16 + type: array + set: + additionalProperties: + type: string + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: {\"my-header\": \"bar\"} + \n Output: GET /foo HTTP/1.1 my-header: + bar \n Support: Extended" + type: object + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. \n Support: Extended" + properties: + backendRef: + description: "BackendRef is a local object reference + to mirror matched requests to. If both BackendRef + and ServiceName are specified, ServiceName + will be given precedence. \n If the referent + cannot be found, the rule is not included + in the route. The controller should raise + the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway + status for this route should be updated with + a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination + port number to use for the backend referenced + by the ServiceName or BackendRef field. \n + If unspecified, the destination port in the + request is used when forwarding to a backendRef + or serviceName." + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name + of the Service to mirror matched requests + to. When specified, this takes the place of + BackendRef. If both BackendRef and ServiceName + are specified, ServiceName will be given precedence. + \n If the referent cannot be found, the rule + is not included in the route. The controller + should raise the \"ResolvedRefs\" condition + on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route + should be updated with a condition that describes + the error more specifically. \n Support: Core" + maxLength: 253 + type: string + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Custom: Filters + that are defined and supported by specific vendors. + \ In the future, filters showing convergence + in behavior across multiple implementations + will be considered for inclusion in extended or + core conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior." + enum: + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + port: + description: "Port specifies the destination port number + to use for the backend referenced by the ServiceName + or BackendRef field. If unspecified, the destination + port in the request is used when forwarding to a backendRef + or serviceName. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the Service + to forward matched requests to. When specified, this + takes the place of BackendRef. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + route must be dropped from the Gateway. The controller + should raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n The protocol + to use should be specified with the AppProtocol field + on Service resources. This field was introduced in Kubernetes + 1.18. If using an earlier version of Kubernetes, a `networking.x-k8s.io/app-protocol` + annotation on the BackendPolicy resource may be used + to define the protocol. If the AppProtocol field is + available, this annotation should not be used. The AppProtocol + field, when populated, takes precedence over the annotation + in the BackendPolicy resource. For custom backends, + it is encouraged to add a semantically-equivalent field + in the Custom Resource Definition. \n Support: Core" + maxLength: 253 + type: string + weight: + default: 1 + description: "Weight specifies the proportion of HTTP + requests forwarded to the backend referenced by the + ServiceName or BackendRef field. This is computed as + weight/(sum of all weights in this ForwardTo list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support: Core" + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: Prefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: values: + \ version: \"2\" - path: value: \"/v2/foo\" ``` \n + For a request to match against this rule, a request should + satisfy EITHER of the two conditions: \n - path prefixed with + `/foo` AND contains the header `version: \"2\"` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Each client request MUST map to a maximum + of one route rule. If a request matches multiple rules, matching + precedence MUST be determined in order of the following criteria, + continuing on ties: \n * The longest matching hostname. * + The longest matching path. * The largest number of header + matches. \n If ties still exist across multiple Routes, matching + precedence MUST be determined in order of the following criteria, + continuing on ties: \n * The oldest Route based on creation + timestamp. For example, a Route with a creation timestamp + of \"2020-09-08 01:02:03\" is given precedence over a Route + with a creation timestamp of \"2020-09-08 01:02:04\". * The + Route appearing first in alphabetical order by \"/\". + For example, foo/bar is given precedence over foo/baz. \n + If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: \"1\"` header: + \n ``` match: path: value: \"/foo\" headers: values: + \ version: \"1\" ```" + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"match\" behavior. For example, resource + \"myroutematcher\" in group \"networking.acme.io\". + If the referent cannot be found, the rule is not included + in the route. The controller should raise the \"ResolvedRefs\" + condition on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route should be + updated with a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + headers: + description: Headers specifies a HTTP request header matcher. + properties: + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression, ImplementationSpecific) + \n Since RegularExpression PathType has custom conformance, + implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the + implementation's documentation to determine the + supported dialect. \n HTTP Header name matching + MUST be case-insensitive (RFC 2616 - section 4.2)." + enum: + - Exact + - RegularExpression + - ImplementationSpecific + type: string + values: + additionalProperties: + type: string + description: "Values is a map of HTTP Headers to be + matched. It MUST contain at least one entry. \n + The HTTP header field name to match is the map key, + and the value of the HTTP header is the map value. + HTTP header field name matching MUST be case-insensitive. + \n Multiple match values are ANDed together, meaning, + a request must match all the specified headers to + select the route." + type: object + required: + - values + type: object + path: + default: + type: Prefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: Prefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, Prefix) + \n Support: Custom (RegularExpression, ImplementationSpecific) + \n Since RegularExpression PathType has custom conformance, + implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the + implementation's documentation to determine the + supported dialect." + enum: + - Exact + - Prefix + - RegularExpression + - ImplementationSpecific + type: string + value: + default: / + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies a HTTP query parameter + matcher. + properties: + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: Extended + (Exact) \n Support: Custom (RegularExpression, ImplementationSpecific) + \n Since RegularExpression QueryParamMatchType has + custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation to + determine the supported dialect." + enum: + - Exact + - RegularExpression + - ImplementationSpecific + type: string + values: + additionalProperties: + type: string + description: "Values is a map of HTTP query parameters + to be matched. It MUST contain at least one entry. + \n The query parameter name to match is the map + key, and the value of the query parameter is the + map value. \n Multiple match values are ANDed together, + meaning, a request must match all the specified + query parameters to select the route. \n HTTP query + parameter matching MUST be case-sensitive for both + keys and values. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n Note that the query parameter key MUST always + be an exact match by string comparison." + type: object + required: + - values + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + tls: + description: "TLS defines the TLS certificate to use for Hostnames + defined in this Route. This configuration only takes effect if the + AllowRouteOverride field is set to true in the associated Gateway + resource. \n Collisions can happen if multiple HTTPRoutes define + a TLS certificate for the same hostname. In such a case, conflict + resolution guiding principles apply, specifically, if hostnames + are same and two different certificates are specified then the certificate + in the oldest resource wins. \n Please note that HTTP Route-selection + takes place after the TLS Handshake (ClientHello). Due to this, + TLS certificate defined here will take precedence even if the request + has the potential to match multiple routes (in case multiple HTTPRoutes + share the same hostname). \n Support: Core" + properties: + certificateRef: + description: "CertificateRef is a reference to a Kubernetes object + that contains a TLS certificate and private key. This certificate + is used to establish a TLS handshake for requests that match + the hostname of the associated HTTPRoute. The referenced object + MUST reside in the same namespace as HTTPRoute. \n This field + is required when the TLS configuration mode of the associated + Gateway listener is set to \"Passthrough\". \n CertificateRef + can reference a standard Kubernetes resource, i.e. Secret, or + an implementation-specific custom resource. \n Support: Core + (Kubernetes Secrets) \n Support: Implementation-specific (Other + resource types)" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - certificateRef + type: object + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + gateways: + description: "Gateways is a list of Gateways that are associated with + the route, and the status of the route with respect to each Gateway. + When a Gateway selects this route, the controller that manages the + Gateway must add an entry to this list when the controller first + sees the route and should update the entry as appropriate when the + route is modified. \n A maximum of 100 Gateways will be represented + in this list. If this list is full, there may be additional Gateways + using this Route that are not included in the list. An empty list + means the route has not been admitted by any Gateway." + items: + description: RouteGatewayStatus describes the status of a route + with respect to an associated Gateway. + properties: + conditions: + description: Conditions describes the status of the route with + respect to the Gateway. The "Admitted" condition must always + be specified by controllers to indicate whether the route + has been admitted or rejected by the Gateway, and why. Note + that the route's availability is also subject to the Gateway's + own status conditions and listener status. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + gatewayRef: + description: GatewayRef is a reference to a Gateway object that + is associated with the route. + properties: + controller: + description: "Controller is a domain/path string that indicates + the controller implementing the Gateway. This corresponds + with the controller field on GatewayClass. \n Example: + \"acme.io/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are + valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)." + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + required: + - gatewayRef + type: object + maxItems: 100 + type: array + required: + - gateways + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: tcproutes.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCPRoute resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + gateways: + default: + allow: SameNamespace + description: Gateways defines which Gateways can use this Route. + properties: + allow: + default: SameNamespace + description: 'Allow indicates which Gateways will be allowed to + use this route. Possible values are: * All: Gateways in any + namespace can use this route. * FromList: Only Gateways specified + in GatewayRefs may use this route. * SameNamespace: Only Gateways + in the same namespace may use this route.' + enum: + - All + - FromList + - SameNamespace + type: string + gatewayRefs: + description: GatewayRefs must be specified when Allow is set to + "FromList". In that case, only Gateways referenced in this list + will be allowed to use this route. This field is ignored for + other values of "Allow". + items: + description: GatewayReference identifies a Gateway in a specified + namespace. + properties: + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + type: array + type: object + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + forwardTo: + description: ForwardTo defines the backend(s) where matching + requests should be sent. + items: + description: RouteForwardTo defines how a Route should forward + a request. + properties: + backendRef: + description: "BackendRef is a reference to a backend to + forward matched requests to. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination port number + to use for the backend referenced by the ServiceName + or BackendRef field. If unspecified, the destination + port in the request is used when forwarding to a backendRef + or serviceName. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the Service + to forward matched requests to. When specified, this + takes the place of BackendRef. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n The protocol + to use is defined using AppProtocol field (introduced + in Kubernetes 1.18) in the Service resource. In the + absence of the AppProtocol field a `networking.x-k8s.io/app-protocol` + annotation on the BackendPolicy resource may be used + to define the protocol. If the AppProtocol field is + available, this annotation should not be used. The AppProtocol + field, when populated, takes precedence over the annotation + in the BackendPolicy resource. For custom backends, + it is encouraged to add a semantically-equivalent field + in the Custom Resource Definition. \n Support: Core" + maxLength: 253 + type: string + weight: + default: 1 + description: "Weight specifies the proportion of HTTP + requests forwarded to the backend referenced by the + ServiceName or BackendRef field. This is computed as + weight/(sum of all weights in this ForwardTo list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support: Extended" + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + type: object + maxItems: 16 + minItems: 1 + type: array + matches: + description: "Matches define conditions used for matching the + rule against incoming TCP connections. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. If unspecified (i.e. empty), this Rule will + match all requests for the associated Listener. \n Each client + request MUST map to a maximum of one route rule. If a request + matches multiple rules, matching precedence MUST be determined + in order of the following criteria, continuing on ties: \n + * The most specific match specified by ExtensionRef. Each + implementation that supports ExtensionRef may have different + ways of determining the specificity of the referenced extension. + \n If ties still exist across multiple Routes, matching precedence + MUST be determined in order of the following criteria, continuing + on ties: \n * The oldest Route based on creation timestamp. + For example, a Route with a creation timestamp of \"2020-09-08 + 01:02:03\" is given precedence over a Route with a creation + timestamp of \"2020-09-08 01:02:04\". * The Route appearing + first in alphabetical order by \"/\". For + example, foo/bar is given precedence over foo/baz. \n If + ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria." + items: + description: TCPRouteMatch defines the predicate used to match + connections to a given action. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"match\" behavior. For example, resource + \"mytcproutematcher\" in group \"networking.acme.io\". + If the referent cannot be found, the rule is not included + in the route. The controller should raise the \"ResolvedRefs\" + condition on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route should be + updated with a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + maxItems: 8 + type: array + required: + - forwardTo + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + gateways: + description: "Gateways is a list of Gateways that are associated with + the route, and the status of the route with respect to each Gateway. + When a Gateway selects this route, the controller that manages the + Gateway must add an entry to this list when the controller first + sees the route and should update the entry as appropriate when the + route is modified. \n A maximum of 100 Gateways will be represented + in this list. If this list is full, there may be additional Gateways + using this Route that are not included in the list. An empty list + means the route has not been admitted by any Gateway." + items: + description: RouteGatewayStatus describes the status of a route + with respect to an associated Gateway. + properties: + conditions: + description: Conditions describes the status of the route with + respect to the Gateway. The "Admitted" condition must always + be specified by controllers to indicate whether the route + has been admitted or rejected by the Gateway, and why. Note + that the route's availability is also subject to the Gateway's + own status conditions and listener status. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + gatewayRef: + description: GatewayRef is a reference to a Gateway object that + is associated with the route. + properties: + controller: + description: "Controller is a domain/path string that indicates + the controller implementing the Gateway. This corresponds + with the controller field on GatewayClass. \n Example: + \"acme.io/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are + valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)." + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + required: + - gatewayRef + type: object + maxItems: 100 + type: array + required: + - gateways + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: tlsroutes.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility in + matching streams for a given TLS listener. \n If you need to forward traffic + to a single target for a TLS listener, you could choose to use a TCPRoute + with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + gateways: + default: + allow: SameNamespace + description: Gateways defines which Gateways can use this Route. + properties: + allow: + default: SameNamespace + description: 'Allow indicates which Gateways will be allowed to + use this route. Possible values are: * All: Gateways in any + namespace can use this route. * FromList: Only Gateways specified + in GatewayRefs may use this route. * SameNamespace: Only Gateways + in the same namespace may use this route.' + enum: + - All + - FromList + - SameNamespace + type: string + gatewayRefs: + description: GatewayRefs must be specified when Allow is set to + "FromList". In that case, only Gateways referenced in this list + will be allowed to use this route. This field is ignored for + other values of "Allow". + items: + description: GatewayReference identifies a Gateway in a specified + namespace. + properties: + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + type: array + type: object + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + forwardTo: + description: ForwardTo defines the backend(s) where matching + requests should be sent. + items: + description: RouteForwardTo defines how a Route should forward + a request. + properties: + backendRef: + description: "BackendRef is a reference to a backend to + forward matched requests to. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination port number + to use for the backend referenced by the ServiceName + or BackendRef field. If unspecified, the destination + port in the request is used when forwarding to a backendRef + or serviceName. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the Service + to forward matched requests to. When specified, this + takes the place of BackendRef. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n The protocol + to use is defined using AppProtocol field (introduced + in Kubernetes 1.18) in the Service resource. In the + absence of the AppProtocol field a `networking.x-k8s.io/app-protocol` + annotation on the BackendPolicy resource may be used + to define the protocol. If the AppProtocol field is + available, this annotation should not be used. The AppProtocol + field, when populated, takes precedence over the annotation + in the BackendPolicy resource. For custom backends, + it is encouraged to add a semantically-equivalent field + in the Custom Resource Definition. \n Support: Core" + maxLength: 253 + type: string + weight: + default: 1 + description: "Weight specifies the proportion of HTTP + requests forwarded to the backend referenced by the + ServiceName or BackendRef field. This is computed as + weight/(sum of all weights in this ForwardTo list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support: Extended" + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + type: object + maxItems: 16 + minItems: 1 + type: array + matches: + description: "Matches define conditions used for matching the + rule against incoming TLS connections. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. If unspecified (i.e. empty), this Rule will + match all requests for the associated Listener. \n Each client + request MUST map to a maximum of one route rule. If a request + matches multiple rules, matching precedence MUST be determined + in order of the following criteria, continuing on ties: \n + * The longest matching SNI. * The longest matching precise + SNI (without a wildcard). This means that \"b.example.com\" + should be given precedence over \"*.example.com\". * The most + specific match specified by ExtensionRef. Each implementation + \ that supports ExtensionRef may have different ways of determining + the specificity of the referenced extension. \n If ties + still exist across multiple Routes, matching precedence MUST + be determined in order of the following criteria, continuing + on ties: \n * The oldest Route based on creation timestamp. + For example, a Route with a creation timestamp of \"2020-09-08 + 01:02:03\" is given precedence over a Route with a creation + timestamp of \"2020-09-08 01:02:04\". * The Route appearing + first in alphabetical order by \"/\". For + example, foo/bar is given precedence over foo/baz. \n If + ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria." + items: + description: TLSRouteMatch defines the predicate used to match + connections to a given action. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"match\" behavior. For example, resource + \"mytlsroutematcher\" in group \"networking.acme.io\". + If the referent cannot be found, the rule is not included + in the route. The controller should raise the \"ResolvedRefs\" + condition on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route should be + updated with a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + snis: + description: "SNIs defines a set of SNI names that should + match against the SNI attribute of TLS ClientHello message + in TLS handshake. \n SNI can be \"precise\" which is + a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which + is a domain name prefixed with a single wildcard label + (e.g. `*.example.com`). The wildcard character `*` must + appear by itself as the first DNS label and matches + only a single label. You cannot have a wildcard label + by itself (e.g. Host == `*`). \n Requests will be matched + against the Host field in the following order: \n 1. + If SNI is precise, the request matches this rule if + the SNI in ClientHello is equal to one of the defined + SNIs. 2. If SNI is a wildcard, then the request matches + this rule if the SNI is to equal to the suffix (removing + the first label) of the wildcard rule. 3. If SNIs + is unspecified, all requests associated with the gateway + TLS listener will match. This can be used to define + a default backend for a TLS listener. \n Support: + Core" + items: + description: Hostname is used to specify a hostname + that should be matched. + maxLength: 253 + minLength: 1 + type: string + maxItems: 16 + type: array + type: object + maxItems: 8 + type: array + required: + - forwardTo + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + gateways: + description: "Gateways is a list of Gateways that are associated with + the route, and the status of the route with respect to each Gateway. + When a Gateway selects this route, the controller that manages the + Gateway must add an entry to this list when the controller first + sees the route and should update the entry as appropriate when the + route is modified. \n A maximum of 100 Gateways will be represented + in this list. If this list is full, there may be additional Gateways + using this Route that are not included in the list. An empty list + means the route has not been admitted by any Gateway." + items: + description: RouteGatewayStatus describes the status of a route + with respect to an associated Gateway. + properties: + conditions: + description: Conditions describes the status of the route with + respect to the Gateway. The "Admitted" condition must always + be specified by controllers to indicate whether the route + has been admitted or rejected by the Gateway, and why. Note + that the route's availability is also subject to the Gateway's + own status conditions and listener status. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + gatewayRef: + description: GatewayRef is a reference to a Gateway object that + is associated with the route. + properties: + controller: + description: "Controller is a domain/path string that indicates + the controller implementing the Gateway. This corresponds + with the controller field on GatewayClass. \n Example: + \"acme.io/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are + valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)." + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + required: + - gatewayRef + type: object + maxItems: 100 + type: array + required: + - gateways + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + name: udproutes.networking.x-k8s.io +spec: + group: networking.x-k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: UDPRoute is a resource that specifies how a Gateway should forward + UDP traffic. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + gateways: + default: + allow: SameNamespace + description: Gateways defines which Gateways can use this Route. + properties: + allow: + default: SameNamespace + description: 'Allow indicates which Gateways will be allowed to + use this route. Possible values are: * All: Gateways in any + namespace can use this route. * FromList: Only Gateways specified + in GatewayRefs may use this route. * SameNamespace: Only Gateways + in the same namespace may use this route.' + enum: + - All + - FromList + - SameNamespace + type: string + gatewayRefs: + description: GatewayRefs must be specified when Allow is set to + "FromList". In that case, only Gateways referenced in this list + will be allowed to use this route. This field is ignored for + other values of "Allow". + items: + description: GatewayReference identifies a Gateway in a specified + namespace. + properties: + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + type: array + type: object + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + forwardTo: + description: ForwardTo defines the backend(s) where matching + requests should be sent. + items: + description: RouteForwardTo defines how a Route should forward + a request. + properties: + backendRef: + description: "BackendRef is a reference to a backend to + forward matched requests to. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + port: + description: "Port specifies the destination port number + to use for the backend referenced by the ServiceName + or BackendRef field. If unspecified, the destination + port in the request is used when forwarding to a backendRef + or serviceName. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + serviceName: + description: "ServiceName refers to the name of the Service + to forward matched requests to. When specified, this + takes the place of BackendRef. If both BackendRef and + ServiceName are specified, ServiceName will be given + precedence. \n If the referent cannot be found, the + rule is not included in the route. The controller should + raise the \"ResolvedRefs\" condition on the Gateway + with the \"DegradedRoutes\" reason. The gateway status + for this route should be updated with a condition that + describes the error more specifically. \n The protocol + to use is defined using AppProtocol field (introduced + in Kubernetes 1.18) in the Service resource. In the + absence of the AppProtocol field a `networking.x-k8s.io/app-protocol` + annotation on the BackendPolicy resource may be used + to define the protocol. If the AppProtocol field is + available, this annotation should not be used. The AppProtocol + field, when populated, takes precedence over the annotation + in the BackendPolicy resource. For custom backends, + it is encouraged to add a semantically-equivalent field + in the Custom Resource Definition. \n Support: Core" + maxLength: 253 + type: string + weight: + default: 1 + description: "Weight specifies the proportion of HTTP + requests forwarded to the backend referenced by the + ServiceName or BackendRef field. This is computed as + weight/(sum of all weights in this ForwardTo list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support: Extended" + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + type: object + maxItems: 16 + minItems: 1 + type: array + matches: + description: "Matches define conditions used for matching the + rule against incoming UDP connections. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. If unspecified (i.e. empty), this Rule will + match all requests for the associated Listener. \n Each client + request MUST map to a maximum of one route rule. If a request + matches multiple rules, matching precedence MUST be determined + in order of the following criteria, continuing on ties: \n + * The most specific match specified by ExtensionRef. Each + implementation that supports ExtensionRef may have different + ways of determining the specificity of the referenced extension. + \n If ties still exist across multiple Routes, matching precedence + MUST be determined in order of the following criteria, continuing + on ties: \n * The oldest Route based on creation timestamp. + For example, a Route with a creation timestamp of \"2020-09-08 + 01:02:03\" is given precedence over a Route with a creation + timestamp of \"2020-09-08 01:02:04\". * The Route appearing + first in alphabetical order by \"/\". For + example, foo/bar is given precedence over foo/baz. \n If + ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria." + items: + description: UDPRouteMatch defines the predicate used to match + packets to a given action. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"match\" behavior. For example, resource + \"myudproutematcher\" in group \"networking.acme.io\". + If the referent cannot be found, the rule is not included + in the route. The controller should raise the \"ResolvedRefs\" + condition on the Gateway with the \"DegradedRoutes\" + reason. The gateway status for this route should be + updated with a condition that describes the error more + specifically. \n Support: Custom" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the referent. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + maxItems: 8 + type: array + required: + - forwardTo + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + gateways: + description: "Gateways is a list of Gateways that are associated with + the route, and the status of the route with respect to each Gateway. + When a Gateway selects this route, the controller that manages the + Gateway must add an entry to this list when the controller first + sees the route and should update the entry as appropriate when the + route is modified. \n A maximum of 100 Gateways will be represented + in this list. If this list is full, there may be additional Gateways + using this Route that are not included in the list. An empty list + means the route has not been admitted by any Gateway." + items: + description: RouteGatewayStatus describes the status of a route + with respect to an associated Gateway. + properties: + conditions: + description: Conditions describes the status of the route with + respect to the Gateway. The "Admitted" condition must always + be specified by controllers to indicate whether the route + has been admitted or rejected by the Gateway, and why. Note + that the route's availability is also subject to the Gateway's + own status conditions and listener status. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + gatewayRef: + description: GatewayRef is a reference to a Gateway object that + is associated with the route. + properties: + controller: + description: "Controller is a domain/path string that indicates + the controller implementing the Gateway. This corresponds + with the controller field on GatewayClass. \n Example: + \"acme.io/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are + valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)." + maxLength: 253 + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - name + - namespace + type: object + required: + - gatewayRef + type: object + maxItems: 100 + type: array + required: + - gateways + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: contour + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour-certgen +subjects: +- kind: ServiceAccount + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: contour-certgen + namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: contour-certgen-main + namespace: projectcontour +spec: + ttlSecondsAfterFinished: 0 + template: + metadata: + labels: + app: "contour-certgen" + spec: + containers: + - name: contour + image: docker.io/projectcontour/contour:main + imagePullPolicy: Always + command: + - contour + - certgen + - --kube + - --incluster + - --overwrite + - --secrets-format=compact + - --namespace=$(CONTOUR_NAMESPACE) + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: Never + serviceAccountName: contour-certgen + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + parallelism: 1 + completions: 1 + backoffLimit: 1 + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: contour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour + +# The following ClusterRole is generated from kubebuilder RBAC tags by +# generate-rbac.sh. Do not edit this file directly but instead edit the source +# files and re-render. + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: contour +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - secrets + - serviceaccounts + - services + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - create + - get + - update +- apiGroups: + - networking.x-k8s.io + resources: + - backendpolicies + - gatewayclasses + - gateways + - httproutes + - tcproutes + - tlsroutes + - udproutes + verbs: + - get + - list + - watch +- apiGroups: + - networking.x-k8s.io + resources: + - backendpolicies/status + - gatewayclasses/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: + - update +- apiGroups: + - projectcontour.io + resources: + - extensionservices + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - extensionservices/status + verbs: + - create + - get + - update +- apiGroups: + - projectcontour.io + resources: + - httpproxies + - tlscertificatedelegations + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - httpproxies/status + verbs: + - create + - get + - update + +--- +apiVersion: v1 +kind: Service +metadata: + name: contour + namespace: projectcontour +spec: + ports: + - port: 8001 + name: xds + protocol: TCP + targetPort: 8001 + selector: + app: contour + type: ClusterIP + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: contour + name: contour + namespace: projectcontour +spec: + replicas: 1 + strategy: + type: RollingUpdate + rollingUpdate: + # This value of maxSurge means that during a rolling update + # the new ReplicaSet will be created first. + maxSurge: 50% + selector: + matchLabels: + app: contour + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8000" + labels: + app: contour + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app: contour + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - args: + - serve + - --incluster + - --xds-address=0.0.0.0 + - --xds-port=8001 + - --contour-cafile=/certs/ca.crt + - --contour-cert-file=/certs/tls.crt + - --contour-key-file=/certs/tls.key + - --config-path=/config/contour.yaml + command: ["contour"] + image: docker.io/projectcontour/contour:main + imagePullPolicy: IfNotPresent + name: contour + ports: + - containerPort: 8001 + name: xds + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + - containerPort: 6060 + name: debug + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: 8000 + readinessProbe: + tcpSocket: + port: 8001 + initialDelaySeconds: 15 + periodSeconds: 10 + volumeMounts: + - name: contourcert + mountPath: /certs + readOnly: true + - name: contour-config + mountPath: /config + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + dnsPolicy: ClusterFirst + serviceAccountName: contour + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + volumes: + - name: contourcert + secret: + secretName: contourcert + - name: contour-config + configMap: + name: contour + defaultMode: 0644 + items: + - key: contour.yaml + path: contour.yaml + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: envoy + name: envoy + namespace: projectcontour +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 10% + selector: + matchLabels: + app: envoy + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8002" + prometheus.io/path: "/stats/prometheus" + labels: + app: envoy + spec: + containers: + - command: + - /bin/contour + args: + - envoy + - shutdown-manager + image: docker.io/projectcontour/contour:main + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/contour + - envoy + - shutdown + livenessProbe: + httpGet: + path: /healthz + port: 8090 + initialDelaySeconds: 3 + periodSeconds: 10 + name: shutdown-manager + - args: + - -c + - /config/envoy.json + - --service-cluster $(CONTOUR_NAMESPACE) + - --service-node $(ENVOY_POD_NAME) + - --log-level info + command: + - envoy + image: docker.io/envoyproxy/envoy:v1.18.2 + imagePullPolicy: IfNotPresent + name: envoy + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + ports: + - containerPort: 8080 + hostPort: 80 + name: http + protocol: TCP + - containerPort: 8443 + hostPort: 443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8002 + initialDelaySeconds: 3 + periodSeconds: 4 + volumeMounts: + - name: envoy-config + mountPath: /config + readOnly: true + - name: envoycert + mountPath: /certs + readOnly: true + lifecycle: + preStop: + httpGet: + path: /shutdown + port: 8090 + scheme: HTTP + initContainers: + - args: + - bootstrap + - /config/envoy.json + - --xds-address=contour + - --xds-port=8001 + - --xds-resource-version=v3 + - --resources-dir=/config/resources + - --envoy-cafile=/certs/ca.crt + - --envoy-cert-file=/certs/tls.crt + - --envoy-key-file=/certs/tls.key + command: + - contour + image: docker.io/projectcontour/contour:main + imagePullPolicy: IfNotPresent + name: envoy-initconfig + volumeMounts: + - name: envoy-config + mountPath: /config + - name: envoycert + mountPath: /certs + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + automountServiceAccountToken: false + serviceAccountName: envoy + terminationGracePeriodSeconds: 300 + volumes: + - name: envoy-config + emptyDir: {} + - name: envoycert + secret: + secretName: envoycert + restartPolicy: Always + +--- +kind: GatewayClass +apiVersion: networking.x-k8s.io/v1alpha1 +metadata: + name: contour +spec: + controller: projectcontour.io/contour + +--- +kind: Gateway +apiVersion: networking.x-k8s.io/v1alpha1 +metadata: + name: contour + namespace: projectcontour +spec: + gatewayClassName: contour + listeners: + - protocol: HTTP + port: 80 + routes: + kind: HTTPRoute + selector: + matchLabels: + app: kuard diff --git a/hack/generate-gateway-deployment.sh b/hack/generate-gateway-deployment.sh new file mode 100755 index 00000000000..b2083344e79 --- /dev/null +++ b/hack/generate-gateway-deployment.sh @@ -0,0 +1,41 @@ +#! /usr/bin/env bash + +set -o errexit +set -o nounset +set -o pipefail + +readonly HERE=$(cd "$(dirname "$0")" && pwd) +readonly REPO=$(cd "${HERE}"/.. && pwd) +readonly PROGNAME=$(basename "$0") + + +readonly TARGET="${REPO}/examples/render/contour-gateway.yaml" + +exec > >(git stripspace >"$TARGET") + +cat <