find . -not -path '*/.*' -name '*.sh' -exec checkbashisms {} + || exit 3
find . -not -path '*/.*' -name '*.failover' -exec checkbashisms -f \{\} + || exit 4
-! find . -not -path '*/.*' -name '*.sh' -exec grep 'local .*=' {} + || exit 5
+# ! find . -not -path '*/.*' -name '*.sh' -exec grep 'local .*=' {} + || exit 5
! find . -not -path '*/.*' -name '*.failover' -exec grep 'local .*=' {} + || exit 6
exit 0
--- /dev/null
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argo-managenent
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ labels:
+ name: argo-app
+spec:
+ project: argo-management
+ source:
+ repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: ./argo/argocd
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - Validate=true
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ revisionHistoryLimit: 10
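Review bot: `metadata.name` is spelled `argo-managenent`, while `spec.project` in this same manifest and the AppProject added later in the commit both use `argo-management`. The Application will be created under the misspelled name, and anything that refers to it by the intended name will not find it. Suggest `name: argo-management`. The `name: argo-app` label also differs from the resource name, unlike the `infra-components` Application, where label and name match; worth confirming that is intended.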
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: argoproj.io/v1alpha1\r
+kind: AppProject\r
+metadata:\r
+ name: argo-management\r
+ namespace: argocd\r
+ finalizers:\r
+ - resources-finalizer.argocd.argoproj.io\r
+spec:\r
+ description: argo-management Project\r
+ sourceRepos:\r
+ - '*'\r
+ destinations:\r
+ - namespace: '*'\r
+ server: https://kubernetes.default.svc\r
+ clusterResourceWhitelist:\r
+ - group: '*'\r
+ kind: '*'\r
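Review bot: The `argo-management` project restricts nothing: `sourceRepos: '*'`, `destinations.namespace: '*'` and a `clusterResourceWhitelist` of group `*` / kind `*` let any Application assigned to it deploy any cluster-scoped resource from any repository. A mistyped or compromised repo URL would therefore have full cluster reach through this project. Consider listing the sources actually used (`<ONAP_ARGO_REPO_URL>` and the chart repositories referenced by the Applications), the namespaces they target, and only the cluster-scoped kinds they need. This file is also committed with CRLF line endings, while most of the other new manifests use LF.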
--- /dev/null
+---
+# Git Repository definition.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitlab-onap-repo
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repository
+stringData:
+ url: <ONAP_ARGO_REPO_URL>
+---
+# Git Repository credentials, for using the same credentials in multiple repositories.
+#apiVersion: v1
+#kind: Secret
+#metadata:
+# name: gitlab-onap-creds
+# namespace: argocd
+# labels:
+# argocd.argoproj.io/secret-type: repo-creds
+#stringData:
+# url: <ONAP_ARGO_REPO_URL>
+# type: git
+# password: <GITLAB_API_READ_TOKEN>
+# username: <GITLAB_USER>
+#---
+# (optional) Helm Repository credentials, for using the same credentials in multiple repositories.
+#apiVersion: v1
+#kind: Secret
+#metadata:
+# name: helm-repo-onap
+# namespace: argocd
+# labels:
+# argocd.argoproj.io/secret-type: repo-creds
+#stringData:
+# url: <ONAP_HELM_REPO>
+# type: helm
+# password: ${HELM_PASSWORD}
+# username: ${HELM_USERNAME}
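Review bot: The two commented-out `repo-creds` templates put `password` and `username` directly under `stringData`, so enabling them as written means committing a GitLab read token or Helm password to the repository this Argo CD instance syncs from. Add a comment above each block saying the credentials must be injected outside Git (a sealed or externally managed Secret, or substitution at deploy time). Also pick one placeholder style: the Git block uses `<GITLAB_API_READ_TOKEN>` while the Helm block uses `${HELM_PASSWORD}`. The active `gitlab-onap-repo` Secret sets only `url`; adding `type: git` would make the repository type explicit.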
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://argoproj.github.io/argo-helm
+ chart: argo-cd
+ targetRevision: 7.9.0
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/argocd/values/argocd.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
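Review bot: `spec.project: default` places the Application that installs Argo CD itself in the built-in project, which by default allows any source repository and any destination, even though this commit adds a dedicated `argo-management` project. The cert-manager, chartmuseum, defectdojo and gateway-api Applications later in the diff do the same. Assigning them to a project with an explicit `sourceRepos` list would limit each one to the chart repository it actually pulls from (`https://argoproj.github.io/argo-helm` here). Separately, `automated.prune: true` with `selfHeal: true` on the self-managing Application means a bad values change is applied and enforced with no manual gate; a comment stating that this is intended would help the next operator.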
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - argocd.yaml
+ - argo-project.yaml
+ - argo-secret.yaml
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+\r
+#global:\r
+# domain: ${DNS_ZONE}\r
+\r
+configs:\r
+ # Argo CD configuration parameters\r
+ ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml\r
+ params:\r
+ server.insecure: true\r
+ # -- Specifies the timeout after which a sync would be terminated. 0 means no timeout\r
+ #controller.sync.timeout.seconds: 600\r
+ secret:\r
+ argocdServerAdminPassword: "$2a$10$VHCTI04YLEJHZQjBmlZ89OKs8iqYF6I5sjdwRLKy4ChVxFPxt09Ue"\r
+ argocdServerAdminPasswordMtime: "2021-08-03T13:45:00Z"\r
+ extra:\r
+ oidc.keycloak.clientSecret: "06dc70a8-23c3-4d9f-b1f2-6ea80047c674"\r
+ cm:\r
+ url: "https://argocd<POSTADDR>.<BASEURL>"\r
+ statusbadge.enabled: 'true'\r
+ exec.enabled: true\r
+ admin.enabled: true\r
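Review bot: `configs.secret.argocdServerAdminPassword` and `configs.secret.extra.oidc.keycloak.clientSecret` are committed as literal values, so every deployment from this repository shares the same admin bcrypt hash and OIDC client secret; both should be treated as exposed and rotated. Supply them from a Secret created outside Git (the argo-helm chart offers `configs.secret.createSecret: false` for this; verify against chart 7.9.0) and keep only labelled placeholders such as `<ARGOCD_ADMIN_BCRYPT>` here, matching the `<POSTADDR>`/`<BASEURL>` placeholders already used for `url`. `server.insecure: true`, `exec.enabled: true` and `admin.enabled: true` each widen exposure (unencrypted API server behind whatever terminates TLS, a web terminal into pods, a local admin account alongside OIDC) and deserve a comment explaining why they are on. `statusbadge.enabled` is quoted as `'true'` but `exec.enabled` and `admin.enabled` are bare booleans; quote them consistently, since `argocd-cm` values are strings.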
--- /dev/null
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: infra-components
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ labels:
+ name: infra-components
+spec:
+ project: argo-management
+ source:
+ repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: ./argo/infra
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - Validate=true
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ revisionHistoryLimit: 10
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://charts.jetstack.io
+ chart: cert-manager
+ targetRevision: v1.17.2
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/cert-manager.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: cert-manager
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: chartmuseum
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://chartmuseum.github.io/charts
+ chart: chartmuseum
+ targetRevision: 3.10.3
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/chartmuseum.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: chartmuseum
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gating
+ labels:
+ name: gating
+ istio-injection: enabled
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: compile-onap
+ namespace: argocd
+ labels:
+ name: compile-onap
+spec:
+ project: argo-management
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: <ONAP_ARGO_REPO_URL>
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: ./argo/infra/compile-onap/helm
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/compile-onap.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: gating
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - Validate=true
+ - CreateNamespace=true
+ #- PrunePropagationPolicy=foreground
+ #- PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ revisionHistoryLimit: 10
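Review bot: As far as this diff shows, the chart this Application syncs contains a single `batch/v1` Job, and with `automated.selfHeal: true` any later change to its values (branch, Gerrit review) will try to patch the existing Job. A Job's pod template is immutable, so that sync is likely to fail and be retried up to the `retry.limit` of 5. Consider adding `Replace=true` to `syncOptions`, or turning the Job into a hook as the commented-out annotations in the template suggest. Unlike the other Applications in this commit, this one has no `resources-finalizer.argocd.argoproj.io` finalizer, so deleting it leaves the Job and the `gating` namespace behind; add a comment if that is deliberate.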
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: v2
+version: 0.0.1
+description: Job to compile ONAP helm charts
+name: compile-onap
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: onap-helm-render
+ namespace: gating
+ #annotations:
+ # "helm.sh/hook": pre-upgrade,pre-rollback,pre-install
+ # "helm.sh/hook-weight": "2"
+ # "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ template:
+ spec:
+ containers:
+ - name: onap-helm-rendering
+ image: artifactory.devops.telekom.de/onap-repo/onap/k8s-toolbox:1.1.0
+ #image: nexus3.onap.org:10003/onap/k8s-toolbox:1.1.0
+ args:
+ - /bin/bash
+ - -c
+ - |
+ set -x
+ helm repo add --force-update "local" {{ .Values.repository_url }}
+ #helm repo add --force-update "onap" {{ .Values.repository_url }}
+ helm repo update
+ helm repo list
+ helm search repo local
+ #helm search repo onap
+ helm plugin install --version v0.10.4 https://github.com/chartmuseum/helm-push.git
+ git clone {{ .Values.onap_repo }} -b {{ .Values.onap_repo_branch }}
+ cd oom
+ {{- if not (eq .Values.gerrit_review "") }}
+ {{- $review_end := trunc -2 .Values.gerrit_review }}
+ {{- $review_end_url := printf "%s/%s/%s" $review_end .Values.gerrit_review .Values.gerrit_patchset }}
+ git fetch {{ .Values.onap_repo }} refs/changes/{{ $review_end_url }} && git checkout FETCH_HEAD
+ {{- end }}
+ helm plugin install kubernetes/helm/plugins/deploy
+ helm plugin install kubernetes/helm/plugins/undeploy
+ cd kubernetes
+ make SKIP_LINT=TRUE all
+ #make SKIP_LINT=TRUE onap
+ restartPolicy: Never
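Review bot: The script splices `.Values.repository_url`, `.Values.onap_repo`, `.Values.onap_repo_branch` and the Gerrit fields unquoted into the `bash -c` text and sets only `set -x`. A value containing shell metacharacters is therefore executed as code, and a failed `git clone` or `git fetch` does not stop the Job from running `make` on whatever is in the working directory. Pass the values as container environment variables, reference them as quoted shell variables and add `set -euo pipefail`, as sketched below; the Gerrit ref should get the same treatment. The pod also builds and installs plugins from a fetched Gerrit change, which is unreviewed code, yet the spec has no `securityContext`, no resource limits and no restricted service account (`automountServiceAccountToken: false`); adding those would contain it. `metadata.namespace: gating` is hard-coded in the template rather than taken from the release namespace.

```yaml
# … unchanged: Job metadata, container name and image …
        env:
          - name: CHART_REPO_URL
            value: {{ .Values.repository_url | quote }}
          - name: ONAP_REPO
            value: {{ .Values.onap_repo | quote }}
          - name: ONAP_REPO_BRANCH
            value: {{ .Values.onap_repo_branch | quote }}
        args:
          - /bin/bash
          - -c
          - |
            set -euxo pipefail
            helm repo add --force-update "local" "$CHART_REPO_URL"
            # … unchanged: repo update/list/search, helm-push plugin install …
            git clone "$ONAP_REPO" -b "$ONAP_REPO_BRANCH"
            cd oom
            # … Gerrit fetch: pass the ref through an env var the same way …
            # … unchanged: deploy/undeploy plugin installs, make …
```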
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+repository_url: "http://chartmuseum.chartmuseum:8080"
+onap_repo: "https://gerrit.onap.org/r/oom"
+onap_repo_branch: "master"
+gerrit_review: ""
+gerrit_patchset: ""
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: defectdojo
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/helm-charts
+ chart: defectdojo
+ targetRevision: 1.6.190
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/django-defectdojo.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: defectdojo
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: disabled
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: gateway-api
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: argo/infra/gateway-api
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: istio-ingress
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ labels:\r
+ gateway.networking.k8s.io/policy: Direct\r
+ name: backendlbpolicies.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: BackendLBPolicy\r
+ listKind: BackendLBPolicyList\r
+ plural: backendlbpolicies\r
+ shortNames:\r
+ - blbpolicy\r
+ singular: backendlbpolicy\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1alpha2\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ BackendLBPolicy provides a way to define load balancing rules\r
+ for a backend.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of BackendLBPolicy.\r
+ properties:\r
+ sessionPersistence:\r
+ description: |-\r
+ SessionPersistence defines and configures session persistence\r
+ for the backend.\r
+\r
+ Support: Extended\r
+ properties:\r
+ absoluteTimeout:\r
+ description: |-\r
+ AbsoluteTimeout defines the absolute timeout of the persistent\r
+ session. Once the AbsoluteTimeout duration has elapsed, the\r
+ session becomes invalid.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ cookieConfig:\r
+ description: |-\r
+ CookieConfig provides configuration settings that are specific\r
+ to cookie-based session persistence.\r
+\r
+ Support: Core\r
+ properties:\r
+ lifetimeType:\r
+ default: Session\r
+ description: |-\r
+ LifetimeType specifies whether the cookie has a permanent or\r
+ session-based lifetime. A permanent cookie persists until its\r
+ specified expiry time, defined by the Expires or Max-Age cookie\r
+ attributes, while a session cookie is deleted when the current\r
+ session ends.\r
+\r
+ When set to "Permanent", AbsoluteTimeout indicates the\r
+ cookie's lifetime via the Expires or Max-Age cookie attributes\r
+ and is required.\r
+\r
+ When set to "Session", AbsoluteTimeout indicates the\r
+ absolute lifetime of the cookie tracked by the gateway and\r
+ is optional.\r
+\r
+ Support: Core for "Session" type\r
+\r
+ Support: Extended for "Permanent" type\r
+ enum:\r
+ - Permanent\r
+ - Session\r
+ type: string\r
+ type: object\r
+ idleTimeout:\r
+ description: |-\r
+ IdleTimeout defines the idle timeout of the persistent session.\r
+ Once the session has been idle for more than the specified\r
+ IdleTimeout duration, the session becomes invalid.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ sessionName:\r
+ description: |-\r
+ SessionName defines the name of the persistent session token\r
+ which may be reflected in the cookie or the header. Users\r
+ should avoid reusing session names to prevent unintended\r
+ consequences, such as rejection or unpredictable behavior.\r
+\r
+ Support: Implementation-specific\r
+ maxLength: 128\r
+ type: string\r
+ type:\r
+ default: Cookie\r
+ description: |-\r
+ Type defines the type of session persistence such as through\r
+ the use a header or cookie. Defaults to cookie based session\r
+ persistence.\r
+\r
+ Support: Core for "Cookie" type\r
+\r
+ Support: Extended for "Header" type\r
+ enum:\r
+ - Cookie\r
+ - Header\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType\r
+ is Permanent\r
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)\r
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'\r
+ targetRefs:\r
+ description: |-\r
+ TargetRef identifies an API object to apply policy to.\r
+ Currently, Backends (i.e. Service, ServiceImport, or any\r
+ implementation-specific backendRef) are the only valid API\r
+ target references.\r
+ items:\r
+ description: |-\r
+ LocalPolicyTargetReference identifies an API object to apply a direct or\r
+ inherited policy to. This should be used as part of Policy resources\r
+ that can target Gateway API resources. For more information on how this\r
+ policy attachment model works, and a sample Policy resource, refer to\r
+ the policy attachment documentation for Gateway API.\r
+ properties:\r
+ group:\r
+ description: Group is the group of the target resource.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the target resource.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the target resource.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - group\r
+ - kind\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ required:\r
+ - targetRefs\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of BackendLBPolicy.\r
+ properties:\r
+ ancestors:\r
+ description: |-\r
+ Ancestors is a list of ancestor resources (usually Gateways) that are\r
+ associated with the policy, and the status of the policy with respect to\r
+ each ancestor. When this policy attaches to a parent, the controller that\r
+ manages the parent and the ancestors MUST add an entry to this list when\r
+ the controller first sees the policy and SHOULD update the entry as\r
+ appropriate when the relevant ancestor is modified.\r
+\r
+ Note that choosing the relevant ancestor is left to the Policy designers;\r
+ an important part of Policy design is designing the right object level at\r
+ which to namespace this status.\r
+\r
+ Note also that implementations MUST ONLY populate ancestor status for\r
+ the Ancestor resources they are responsible for. Implementations MUST\r
+ use the ControllerName field to uniquely identify the entries in this list\r
+ that they are responsible for.\r
+\r
+ Note that to achieve this, the list of PolicyAncestorStatus structs\r
+ MUST be treated as a map with a composite key, made up of the AncestorRef\r
+ and ControllerName fields combined.\r
+\r
+ A maximum of 16 ancestors will be represented in this list. An empty list\r
+ means the Policy is not relevant for any ancestors.\r
+\r
+ If this slice is full, implementations MUST NOT add further entries.\r
+ Instead they MUST consider the policy unimplementable and signal that\r
+ on any related resources such as the ancestor that would be referenced\r
+ here. For example, if this list was full on BackendTLSPolicy, no\r
+ additional Gateways would be able to reference the Service targeted by\r
+ the BackendTLSPolicy.\r
+ items:\r
+ description: |-\r
+ PolicyAncestorStatus describes the status of a route with respect to an\r
+ associated Ancestor.\r
+\r
+ Ancestors refer to objects that are either the Target of a policy or above it\r
+ in terms of object hierarchy. For example, if a policy targets a Service, the\r
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and\r
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most\r
+ useful object to place Policy status on, so we recommend that implementations\r
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers\r
+ have a _very_ good reason otherwise.\r
+\r
+ In the context of policy attachment, the Ancestor is used to distinguish which\r
+ resource results in a distinct application of this policy. For example, if a policy\r
+ targets a Service, it may have a distinct result per attached Gateway.\r
+\r
+ Policies targeting the same resource may have different effects depending on the\r
+ ancestors of those resources. For example, different Gateways targeting the same\r
+ Service may have different capabilities, especially if they have different underlying\r
+ implementations.\r
+\r
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is\r
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.\r
+ In this case, the relevant object for status is the Gateway, and that is the\r
+ ancestor object referred to in this status.\r
+\r
+ Note that a parent is also an ancestor, so for objects where the parent is the\r
+ relevant object for status, this struct SHOULD still be used.\r
+\r
+ This struct is intended to be used in a slice that's effectively a map,\r
+ with a composite key made up of the AncestorRef and the ControllerName.\r
+ properties:\r
+ ancestorRef:\r
+ description: |-\r
+ AncestorRef corresponds with a ParentRef in the spec that this\r
+ PolicyAncestorStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ conditions:\r
+ description: Conditions describes the status of the Policy with\r
+ respect to the given Ancestor.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ required:\r
+ - ancestorRef\r
+ - controllerName\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ required:\r
+ - ancestors\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ labels:\r
+ gateway.networking.k8s.io/policy: Direct\r
+ name: backendtlspolicies.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: BackendTLSPolicy\r
+ listKind: BackendTLSPolicyList\r
+ plural: backendtlspolicies\r
+ shortNames:\r
+ - btlspolicy\r
+ singular: backendtlspolicy\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1alpha3\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ BackendTLSPolicy provides a way to configure how a Gateway\r
+ connects to a Backend via TLS.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of BackendTLSPolicy.\r
+ properties:\r
+ options:\r
+ additionalProperties:\r
+ description: |-\r
+ AnnotationValue is the value of an annotation in Gateway API. This is used\r
+ for validation of maps such as TLS options. This roughly matches Kubernetes\r
+ annotation validation, although the length validation in that case is based\r
+ on the entire size of the annotations struct.\r
+ maxLength: 4096\r
+ minLength: 0\r
+ type: string\r
+ description: |-\r
+ Options are a list of key/value pairs to enable extended TLS\r
+ configuration for each implementation. For example, configuring the\r
+ minimum TLS version or supported cipher suites.\r
+\r
+ A set of common keys MAY be defined by the API in the future. To avoid\r
+ any ambiguity, implementation-specific definitions MUST use\r
+ domain-prefixed names, such as `example.com/my-custom-option`.\r
+ Un-prefixed names are reserved for key names defined by Gateway API.\r
+\r
+ Support: Implementation-specific\r
+ maxProperties: 16\r
+ type: object\r
+ targetRefs:\r
+ description: |-\r
+ TargetRefs identifies an API object to apply the policy to.\r
+ Only Services have Extended support. Implementations MAY support\r
+ additional objects, with Implementation Specific support.\r
+ Note that this config applies to the entire referenced resource\r
+ by default, but this default may change in the future to provide\r
+ a more granular application of the policy.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ items:\r
+ description: |-\r
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a\r
+ direct policy to. This should be used as part of Policy resources that can\r
+ target single resources. For more information on how this policy attachment\r
+ mode works, and a sample Policy resource, refer to the policy attachment\r
+ documentation for Gateway API.\r
+\r
+ Note: This should only be used for direct policy attachment when references\r
+ to SectionName are actually needed. In all other cases,\r
+ LocalPolicyTargetReference should be used.\r
+ properties:\r
+ group:\r
+ description: Group is the group of the target resource.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the target resource.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the target resource.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. When\r
+ unspecified, this targetRef targets the entire resource. In the following\r
+ resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name\r
+ * HTTPRoute: HTTPRouteRule name\r
+ * Service: Port name\r
+\r
+ If a SectionName is specified, but does not exist on the targeted object,\r
+ the Policy must fail to attach, and the policy implementation should record\r
+ a `ResolvedRefs` or similar Condition in the Policy's status.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ validation:\r
+ description: Validation contains backend TLS validation configuration.\r
+ properties:\r
+ caCertificateRefs:\r
+ description: |-\r
+ CACertificateRefs contains one or more references to Kubernetes objects that\r
+ contain a PEM-encoded TLS CA certificate bundle, which is used to\r
+ validate a TLS handshake between the Gateway and backend Pod.\r
+\r
+ If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be\r
+ specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,\r
+ not both. If CACertifcateRefs is empty or unspecified, the configuration for\r
+ WellKnownCACertificates MUST be honored instead if supported by the implementation.\r
+\r
+ References to a resource in a different namespace are invalid for the\r
+ moment, although we will revisit this in the future.\r
+\r
+ A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.\r
+ Implementations MAY choose to support attaching multiple certificates to\r
+ a backend, but this behavior is implementation-specific.\r
+\r
+ Support: Core - An optional single reference to a Kubernetes ConfigMap,\r
+ with the CA certificate in a key named `ca.crt`.\r
+\r
+ Support: Implementation-specific (More than one reference, or other kinds\r
+ of resources).\r
+ items:\r
+ description: |-\r
+ LocalObjectReference identifies an API object within the namespace of the\r
+ referrer.\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+\r
+ References to objects with invalid Group and Kind are not valid, and must\r
+ be rejected by the implementation, with appropriate Conditions set\r
+ on the containing object.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For example "HTTPRoute"\r
+ or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ hostname:\r
+ description: |-\r
+ Hostname is used for two purposes in the connection between Gateways and\r
+ backends:\r
+\r
+ 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).\r
+ 2. If SubjectAltNames is not specified, Hostname MUST be used for\r
+ authentication and MUST match the certificate served by the matching\r
+ backend.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ subjectAltNames:\r
+ description: |-\r
+ SubjectAltNames contains one or more Subject Alternative Names.\r
+ When specified, the certificate served from the backend MUST have at least one\r
+ Subject Alternate Name matching one of the specified SubjectAltNames.\r
+\r
+ Support: Core\r
+ items:\r
+ description: SubjectAltName represents Subject Alternative Name.\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname contains Subject Alternative Name specified in DNS name format.\r
+ Required when Type is set to Hostname, ignored otherwise.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type determines the format of the Subject Alternative Name. Always required.\r
+\r
+ Support: Core\r
+ enum:\r
+ - Hostname\r
+ - URI\r
+ type: string\r
+ uri:\r
+ description: |-\r
+ URI contains Subject Alternative Name specified in a full URI format.\r
+ It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.\r
+ Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".\r
+ Required when Type is set to URI, ignored otherwise.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: SubjectAltName element must contain Hostname, if\r
+ Type is set to Hostname\r
+ rule: '!(self.type == "Hostname" && (!has(self.hostname) ||\r
+ self.hostname == ""))'\r
+ - message: SubjectAltName element must not contain Hostname,\r
+ if Type is not set to Hostname\r
+ rule: '!(self.type != "Hostname" && has(self.hostname) &&\r
+ self.hostname != "")'\r
+ - message: SubjectAltName element must contain URI, if Type\r
+ is set to URI\r
+ rule: '!(self.type == "URI" && (!has(self.uri) || self.uri\r
+ == ""))'\r
+ - message: SubjectAltName element must not contain URI, if Type\r
+ is not set to URI\r
+ rule: '!(self.type != "URI" && has(self.uri) && self.uri !=\r
+ "")'\r
+ maxItems: 5\r
+ type: array\r
+ wellKnownCACertificates:\r
+ description: |-\r
+ WellKnownCACertificates specifies whether system CA certificates may be used in\r
+ the TLS handshake between the gateway and backend pod.\r
+\r
+ If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs\r
+ must be specified with at least one entry for a valid configuration. Only one of\r
+ CACertificateRefs or WellKnownCACertificates may be specified, not both. If an\r
+ implementation does not support the WellKnownCACertificates field or the value\r
+ supplied is not supported, the Status Conditions on the Policy MUST be\r
+ updated to include an Accepted: False Condition with Reason: Invalid.\r
+\r
+ Support: Implementation-specific\r
+ enum:\r
+ - System\r
+ type: string\r
+ required:\r
+ - hostname\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: must not contain both CACertificateRefs and WellKnownCACertificates\r
+ rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs)\r
+ > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates\r
+ != "")'\r
+ - message: must specify either CACertificateRefs or WellKnownCACertificates\r
+ rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs)\r
+ > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates\r
+ != "")\r
+ required:\r
+ - targetRefs\r
+ - validation\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of BackendTLSPolicy.\r
+ properties:\r
+ ancestors:\r
+ description: |-\r
+ Ancestors is a list of ancestor resources (usually Gateways) that are\r
+ associated with the policy, and the status of the policy with respect to\r
+ each ancestor. When this policy attaches to a parent, the controller that\r
+ manages the parent and the ancestors MUST add an entry to this list when\r
+ the controller first sees the policy and SHOULD update the entry as\r
+ appropriate when the relevant ancestor is modified.\r
+\r
+ Note that choosing the relevant ancestor is left to the Policy designers;\r
+ an important part of Policy design is designing the right object level at\r
+ which to namespace this status.\r
+\r
+ Note also that implementations MUST ONLY populate ancestor status for\r
+ the Ancestor resources they are responsible for. Implementations MUST\r
+ use the ControllerName field to uniquely identify the entries in this list\r
+ that they are responsible for.\r
+\r
+ Note that to achieve this, the list of PolicyAncestorStatus structs\r
+ MUST be treated as a map with a composite key, made up of the AncestorRef\r
+ and ControllerName fields combined.\r
+\r
+ A maximum of 16 ancestors will be represented in this list. An empty list\r
+ means the Policy is not relevant for any ancestors.\r
+\r
+ If this slice is full, implementations MUST NOT add further entries.\r
+ Instead they MUST consider the policy unimplementable and signal that\r
+ on any related resources such as the ancestor that would be referenced\r
+ here. For example, if this list was full on BackendTLSPolicy, no\r
+ additional Gateways would be able to reference the Service targeted by\r
+ the BackendTLSPolicy.\r
+ items:\r
+ description: |-\r
+ PolicyAncestorStatus describes the status of a route with respect to an\r
+ associated Ancestor.\r
+\r
+ Ancestors refer to objects that are either the Target of a policy or above it\r
+ in terms of object hierarchy. For example, if a policy targets a Service, the\r
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and\r
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most\r
+ useful object to place Policy status on, so we recommend that implementations\r
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers\r
+ have a _very_ good reason otherwise.\r
+\r
+ In the context of policy attachment, the Ancestor is used to distinguish which\r
+ resource results in a distinct application of this policy. For example, if a policy\r
+ targets a Service, it may have a distinct result per attached Gateway.\r
+\r
+ Policies targeting the same resource may have different effects depending on the\r
+ ancestors of those resources. For example, different Gateways targeting the same\r
+ Service may have different capabilities, especially if they have different underlying\r
+ implementations.\r
+\r
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is\r
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.\r
+ In this case, the relevant object for status is the Gateway, and that is the\r
+ ancestor object referred to in this status.\r
+\r
+ Note that a parent is also an ancestor, so for objects where the parent is the\r
+ relevant object for status, this struct SHOULD still be used.\r
+\r
+ This struct is intended to be used in a slice that's effectively a map,\r
+ with a composite key made up of the AncestorRef and the ControllerName.\r
+ properties:\r
+ ancestorRef:\r
+ description: |-\r
+ AncestorRef corresponds with a ParentRef in the spec that this\r
+ PolicyAncestorStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ conditions:\r
+ description: Conditions describes the status of the Policy with\r
+ respect to the given Ancestor.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ required:\r
+ - ancestorRef\r
+ - controllerName\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ required:\r
+ - ancestors\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
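Review bot: Every added line of this BackendTLSPolicy CustomResourceDefinition ends in a carriage return, while the Argo CD Application manifest added earlier in the same change does not, so the file appears to have been committed with CRLF line endings. That makes it harder to confirm by checksum or plain diff that the copy matches the upstream Gateway API v1.2.1 experimental-channel bundle named in its annotations, a check worth having for a CRD that defines backend TLS validation fields. I would re-add the file with LF endings and, once it is verified against upstream, record provenance in a first-line comment such as `# Vendored from kubernetes-sigs/gateway-api v1.2.1 (experimental channel); do not edit by hand`. The neighbouring CRD sections in this change show the same line endings. Since the channel is experimental and `v1alpha3` is the only served and storage version here, the deployment notes should probably also say that upgrading the bundle may require migrating existing BackendTLSPolicy objects.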
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ name: gatewayclasses.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: GatewayClass\r
+ listKind: GatewayClassList\r
+ plural: gatewayclasses\r
+ shortNames:\r
+ - gc\r
+ singular: gatewayclass\r
+ scope: Cluster\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.controllerName\r
+ name: Controller\r
+ type: string\r
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status\r
+ name: Accepted\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ - jsonPath: .spec.description\r
+ name: Description\r
+ priority: 1\r
+ type: string\r
+ name: v1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ GatewayClass describes a class of Gateways available to the user for creating\r
+ Gateway resources.\r
+\r
+ It is recommended that this resource be used as a template for Gateways. This\r
+ means that a Gateway is based on the state of the GatewayClass at the time it\r
+ was created and changes to the GatewayClass or associated parameters are not\r
+ propagated down to existing Gateways. This recommendation is intended to\r
+ limit the blast radius of changes to GatewayClass or associated parameters.\r
+ If implementations choose to propagate GatewayClass changes to existing\r
+ Gateways, that MUST be clearly documented by the implementation.\r
+\r
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD\r
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the\r
+ associated GatewayClass. This ensures that a GatewayClass associated with a\r
+ Gateway is not deleted while in use.\r
+\r
+ GatewayClass is a Cluster level resource.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of GatewayClass.\r
+ properties:\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is the name of the controller that is managing Gateways of\r
+ this class. The value of this field MUST be a domain prefixed path.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ This field is not mutable and cannot be empty.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ x-kubernetes-validations:\r
+ - message: Value is immutable\r
+ rule: self == oldSelf\r
+ description:\r
+ description: Description helps describe a GatewayClass with more details.\r
+ maxLength: 64\r
+ type: string\r
+ parametersRef:\r
+ description: |-\r
+ ParametersRef is a reference to a resource that contains the configuration\r
+ parameters corresponding to the GatewayClass. This is optional if the\r
+ controller does not require any additional configuration.\r
+\r
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,\r
+ or an implementation-specific custom resource. The resource can be\r
+ cluster-scoped or namespace-scoped.\r
+\r
+ If the referent cannot be found, refers to an unsupported kind, or when\r
+ the data within that resource is malformed, the GatewayClass SHOULD be\r
+ rejected with the "Accepted" status condition set to "False" and an\r
+ "InvalidParameters" reason.\r
+\r
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,\r
+ the merging behavior is implementation specific.\r
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: Group is the group of the referent.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent.\r
+ This field is required when referring to a Namespace-scoped resource and\r
+ MUST be unset when referring to a Cluster-scoped resource.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ type: object\r
+ status:\r
+ default:\r
+ conditions:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ description: |-\r
+ Status defines the current state of GatewayClass.\r
+\r
+ Implementations MUST populate status on all GatewayClass resources which\r
+ specify their controller name.\r
+ properties:\r
+ conditions:\r
+ default:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ description: |-\r
+ Conditions is the current status from the controller for\r
+ this GatewayClass.\r
+\r
+ Controllers should prefer to publish conditions using values\r
+ of GatewayClassConditionType for the type of each Condition.\r
+ items:\r
+ description: Condition contains details for one aspect of the current\r
+ state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False, Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ supportedFeatures:\r
+ description: |\r
+ SupportedFeatures is the set of features the GatewayClass support.\r
+ It MUST be sorted in ascending alphabetical order by the Name key.\r
+ items:\r
+ properties:\r
+ name:\r
+ description: |-\r
+ FeatureName is used to describe distinct features that are covered by\r
+ conformance tests.\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.controllerName\r
+ name: Controller\r
+ type: string\r
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status\r
+ name: Accepted\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ - jsonPath: .spec.description\r
+ name: Description\r
+ priority: 1\r
+ type: string\r
+ name: v1beta1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ GatewayClass describes a class of Gateways available to the user for creating\r
+ Gateway resources.\r
+\r
+ It is recommended that this resource be used as a template for Gateways. This\r
+ means that a Gateway is based on the state of the GatewayClass at the time it\r
+ was created and changes to the GatewayClass or associated parameters are not\r
+ propagated down to existing Gateways. This recommendation is intended to\r
+ limit the blast radius of changes to GatewayClass or associated parameters.\r
+ If implementations choose to propagate GatewayClass changes to existing\r
+ Gateways, that MUST be clearly documented by the implementation.\r
+\r
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD\r
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the\r
+ associated GatewayClass. This ensures that a GatewayClass associated with a\r
+ Gateway is not deleted while in use.\r
+\r
+ GatewayClass is a Cluster level resource.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of GatewayClass.\r
+ properties:\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is the name of the controller that is managing Gateways of\r
+ this class. The value of this field MUST be a domain prefixed path.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ This field is not mutable and cannot be empty.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ x-kubernetes-validations:\r
+ - message: Value is immutable\r
+ rule: self == oldSelf\r
+ description:\r
+ description: Description helps describe a GatewayClass with more details.\r
+ maxLength: 64\r
+ type: string\r
+ parametersRef:\r
+ description: |-\r
+ ParametersRef is a reference to a resource that contains the configuration\r
+ parameters corresponding to the GatewayClass. This is optional if the\r
+ controller does not require any additional configuration.\r
+\r
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,\r
+ or an implementation-specific custom resource. The resource can be\r
+ cluster-scoped or namespace-scoped.\r
+\r
+ If the referent cannot be found, refers to an unsupported kind, or when\r
+ the data within that resource is malformed, the GatewayClass SHOULD be\r
+ rejected with the "Accepted" status condition set to "False" and an\r
+ "InvalidParameters" reason.\r
+\r
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,\r
+ the merging behavior is implementation specific.\r
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: Group is the group of the referent.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent.\r
+ This field is required when referring to a Namespace-scoped resource and\r
+ MUST be unset when referring to a Cluster-scoped resource.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ type: object\r
+ status:\r
+ default:\r
+ conditions:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ description: |-\r
+ Status defines the current state of GatewayClass.\r
+\r
+ Implementations MUST populate status on all GatewayClass resources which\r
+ specify their controller name.\r
+ properties:\r
+ conditions:\r
+ default:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ description: |-\r
+ Conditions is the current status from the controller for\r
+ this GatewayClass.\r
+\r
+ Controllers should prefer to publish conditions using values\r
+ of GatewayClassConditionType for the type of each Condition.\r
+ items:\r
+ description: Condition contains details for one aspect of the current\r
+ state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False, Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ supportedFeatures:\r
+ description: |\r
+ SupportedFeatures is the set of features the GatewayClass support.\r
+ It MUST be sorted in ascending alphabetical order by the Name key.\r
+ items:\r
+ properties:\r
+ name:\r
+ description: |-\r
+ FeatureName is used to describe distinct features that are covered by\r
+ conformance tests.\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: false\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
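Review bot: Every added line of this CustomResourceDefinition ends in a carriage return (rendered as `\r`), so the file is committed with CRLF endings and, if it was copied from an upstream release as the `bundle-version: v1.2.1` annotation suggests, is no longer byte-identical to that artifact and cannot be compared against a published checksum. Normalising to LF, for example with a `.gitattributes` rule such as `*.yaml text eol=lf`, keeps the vendored copy verifiable. The annotation `gateway.networking.k8s.io/channel: experimental` means this cluster-scoped CRD carries the experimental schema; a comment above `apiVersion` naming the upstream source and why the experimental channel is required would make later upgrades and audits easier. The trailing `status:` stanza (`conditions: null`, `storedVersions: null`) and `creationTimestamp: null` are server-populated fields, and if the file is applied by a GitOps controller they may show up as a persistent diff, which is worth confirming.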
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ name: gateways.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: Gateway\r
+ listKind: GatewayList\r
+ plural: gateways\r
+ shortNames:\r
+ - gtw\r
+ singular: gateway\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.gatewayClassName\r
+ name: Class\r
+ type: string\r
+ - jsonPath: .status.addresses[*].value\r
+ name: Address\r
+ type: string\r
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status\r
+ name: Programmed\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ Gateway represents an instance of a service-traffic handling infrastructure\r
+ by binding Listeners to a set of IP addresses.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of Gateway.\r
+ properties:\r
+ addresses:\r
+ description: |+\r
+ Addresses requested for this Gateway. This is optional and behavior can\r
+ depend on the implementation. If a value is set in the spec and the\r
+ requested address is invalid or unavailable, the implementation MUST\r
+ indicate this in the associated entry in GatewayStatus.Addresses.\r
+\r
+ The Addresses field represents a request for the address(es) on the\r
+ "outside of the Gateway", that traffic bound for this Gateway will use.\r
+ This could be the IP address or hostname of an external load balancer or\r
+ other networking infrastructure, or some other address that traffic will\r
+ be sent to.\r
+\r
+ If no Addresses are specified, the implementation MAY schedule the\r
+ Gateway in an implementation-specific manner, assigning an appropriate\r
+ set of Addresses.\r
+\r
+ The implementation MUST bind all Listeners to every GatewayAddress that\r
+ it assigns to the Gateway and add a corresponding entry in\r
+ GatewayStatus.Addresses.\r
+\r
+ Support: Extended\r
+\r
+ items:\r
+ description: GatewayAddress describes an address that can be bound\r
+ to a Gateway.\r
+ oneOf:\r
+ - properties:\r
+ type:\r
+ enum:\r
+ - IPAddress\r
+ value:\r
+ anyOf:\r
+ - format: ipv4\r
+ - format: ipv6\r
+ - properties:\r
+ type:\r
+ not:\r
+ enum:\r
+ - IPAddress\r
+ properties:\r
+ type:\r
+ default: IPAddress\r
+ description: Type of the address.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ value:\r
+ description: |-\r
+ Value of the address. The validity of the values will depend\r
+ on the type and support by the controller.\r
+\r
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - value\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Hostname value must only contain valid characters (matching\r
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)\r
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):\r
+ true'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: IPAddress values must be unique\r
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,\r
+ a2.type == a1.type && a2.value == a1.value) : true )'\r
+ - message: Hostname values must be unique\r
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,\r
+ a2.type == a1.type && a2.value == a1.value) : true )'\r
+ backendTLS:\r
+ description: |+\r
+ BackendTLS configures TLS settings for when this Gateway is connecting to\r
+ backends with TLS.\r
+\r
+ Support: Core\r
+\r
+ properties:\r
+ clientCertificateRef:\r
+ description: |+\r
+ ClientCertificateRef is a reference to an object that contains a Client\r
+ Certificate and the associated private key.\r
+\r
+ References to a resource in different namespace are invalid UNLESS there\r
+ is a ReferenceGrant in the target namespace that allows the certificate\r
+ to be attached. If a ReferenceGrant does not allow this reference, the\r
+ "ResolvedRefs" condition MUST be set to False for this listener with the\r
+ "RefNotPermitted" reason.\r
+\r
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.\r
+ Secret, or implementation-specific custom resources.\r
+\r
+ This setting can be overridden on the service level by use of BackendTLSPolicy.\r
+\r
+ Support: Core\r
+\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Secret\r
+ description: Kind is kind of the referent. For example "Secret".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referenced object. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ type: object\r
+ gatewayClassName:\r
+ description: |-\r
+ GatewayClassName used for this Gateway. This is the name of a\r
+ GatewayClass resource.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ infrastructure:\r
+ description: |-\r
+ Infrastructure defines infrastructure level attributes about this Gateway instance.\r
+\r
+ Support: Extended\r
+ properties:\r
+ annotations:\r
+ additionalProperties:\r
+ description: |-\r
+ AnnotationValue is the value of an annotation in Gateway API. This is used\r
+ for validation of maps such as TLS options. This roughly matches Kubernetes\r
+ annotation validation, although the length validation in that case is based\r
+ on the entire size of the annotations struct.\r
+ maxLength: 4096\r
+ minLength: 0\r
+ type: string\r
+ description: |-\r
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.\r
+\r
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.\r
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.\r
+\r
+ An implementation may chose to add additional implementation-specific annotations as they see fit.\r
+\r
+ Support: Extended\r
+ maxProperties: 8\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Annotation keys must be in the form of an optional\r
+ DNS subdomain prefix followed by a required name segment of\r
+ up to 63 characters.\r
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))\r
+ - message: If specified, the annotation key's prefix must be a\r
+ DNS subdomain not longer than 253 characters in total.\r
+ rule: self.all(key, key.split("/")[0].size() < 253)\r
+ labels:\r
+ additionalProperties:\r
+ description: |-\r
+ LabelValue is the value of a label in the Gateway API. This is used for validation\r
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes\r
+ label validation rules:\r
+ * must be 63 characters or less (can be empty),\r
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),\r
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.\r
+\r
+ Valid values include:\r
+\r
+ * MyValue\r
+ * my.name\r
+ * 123-my-value\r
+ maxLength: 63\r
+ minLength: 0\r
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\r
+ type: string\r
+ description: |-\r
+ Labels that SHOULD be applied to any resources created in response to this Gateway.\r
+\r
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.\r
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.\r
+\r
+ An implementation may chose to add additional implementation-specific labels as they see fit.\r
+\r
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels\r
+ change, it SHOULD clearly warn about this behavior in documentation.\r
+\r
+ Support: Extended\r
+ maxProperties: 8\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Label keys must be in the form of an optional DNS subdomain\r
+ prefix followed by a required name segment of up to 63 characters.\r
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))\r
+ - message: If specified, the label key's prefix must be a DNS\r
+ subdomain not longer than 253 characters in total.\r
+ rule: self.all(key, key.split("/")[0].size() < 253)\r
+ parametersRef:\r
+ description: |-\r
+ ParametersRef is a reference to a resource that contains the configuration\r
+ parameters corresponding to the Gateway. This is optional if the\r
+ controller does not require any additional configuration.\r
+\r
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis\r
+\r
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,\r
+ the merging behavior is implementation specific.\r
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: Group is the group of the referent.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ type: object\r
+ listeners:\r
+ description: |-\r
+ Listeners associated with this Gateway. Listeners define\r
+ logical endpoints that are bound on this Gateway's addresses.\r
+ At least one Listener MUST be specified.\r
+\r
+ ## Distinct Listeners\r
+\r
+ Each Listener in a set of Listeners (for example, in a single Gateway)\r
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to\r
+ exactly one listener. (This section uses "set of Listeners" rather than\r
+ "Listeners in a single Gateway" because implementations MAY merge configuration\r
+ from multiple Gateways onto a single data plane, and these rules _also_\r
+ apply in that case).\r
+\r
+ Practically, this means that each listener in a set MUST have a unique\r
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.\r
+\r
+ Some combinations of port, protocol, and TLS settings are considered\r
+ Core support and MUST be supported by implementations based on the objects\r
+ they support:\r
+\r
+ HTTPRoute\r
+\r
+ 1. HTTPRoute, Port: 80, Protocol: HTTP\r
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided\r
+\r
+ TLSRoute\r
+\r
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough\r
+\r
+ "Distinct" Listeners have the following property:\r
+\r
+ **The implementation can match inbound requests to a single distinct\r
+ Listener**.\r
+\r
+ When multiple Listeners share values for fields (for\r
+ example, two Listeners with the same Port value), the implementation\r
+ can match requests to only one of the Listeners using other\r
+ Listener fields.\r
+\r
+ When multiple listeners have the same value for the Protocol field, then\r
+ each of the Listeners with matching Protocol values MUST have different\r
+ values for other fields.\r
+\r
+ The set of fields that MUST be different for a Listener differs per protocol.\r
+ The following rules define the rules for what fields MUST be considered for\r
+ Listeners to be distinct with each protocol currently defined in the\r
+ Gateway API spec.\r
+\r
+ The set of listeners that all share a protocol value MUST have _different_\r
+ values for _at least one_ of these fields to be distinct:\r
+\r
+ * **HTTP, HTTPS, TLS**: Port, Hostname\r
+ * **TCP, UDP**: Port\r
+\r
+ One **very** important rule to call out involves what happens when an\r
+ implementation:\r
+\r
+ * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol\r
+ Listeners, and\r
+ * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP\r
+ Protocol.\r
+\r
+ In this case all the Listeners that share a port with the\r
+ TCP Listener are not distinct and so MUST NOT be accepted.\r
+\r
+ If an implementation does not support TCP Protocol Listeners, then the\r
+ previous rule does not apply, and the TCP Listeners SHOULD NOT be\r
+ accepted.\r
+\r
+ Note that the `tls` field is not used for determining if a listener is distinct, because\r
+ Listeners that _only_ differ on TLS config will still conflict in all cases.\r
+\r
+ ### Listeners that are distinct only by Hostname\r
+\r
+ When the Listeners are distinct based only on Hostname, inbound request\r
+ hostnames MUST match from the most specific to least specific Hostname\r
+ values to choose the correct Listener and its associated set of Routes.\r
+\r
+ Exact matches MUST be processed before wildcard matches, and wildcard\r
+ matches MUST be processed before fallback (empty Hostname value)\r
+ matches. For example, `"foo.example.com"` takes precedence over\r
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.\r
+\r
+ Additionally, if there are multiple wildcard entries, more specific\r
+ wildcard entries must be processed before less specific wildcard entries.\r
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.\r
+\r
+ The precise definition here is that the higher the number of dots in the\r
+ hostname to the right of the wildcard character, the higher the precedence.\r
+\r
+ The wildcard character will match any number of characters _and dots_ to\r
+ the left, however, so `"*.example.com"` will match both\r
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.\r
+\r
+ ## Handling indistinct Listeners\r
+\r
+ If a set of Listeners contains Listeners that are not distinct, then those\r
+ Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"\r
+ condition in the Listener Status to "True".\r
+\r
+ The words "indistict" and "conflicted" are considered equivalent for the\r
+ purpose of this documentation.\r
+\r
+ Implementations MAY choose to accept a Gateway with some Conflicted\r
+ Listeners only if they only accept the partial Listener set that contains\r
+ no Conflicted Listeners.\r
+\r
+ Specifically, an implementation MAY accept a partial Listener set subject to\r
+ the following rules:\r
+\r
+ * The implementation MUST NOT pick one conflicting Listener as the winner.\r
+ ALL indistinct Listeners must not be accepted for processing.\r
+ * At least one distinct Listener MUST be present, or else the Gateway effectively\r
+ contains _no_ Listeners, and must be rejected from processing as a whole.\r
+\r
+ The implementation MUST set a "ListenersNotValid" condition on the\r
+ Gateway Status when the Gateway contains Conflicted Listeners whether or\r
+ not they accept the Gateway. That Condition SHOULD clearly\r
+ indicate in the Message which Listeners are conflicted, and which are\r
+ Accepted. Additionally, the Listener status for those listeners SHOULD\r
+ indicate which Listeners are conflicted and not Accepted.\r
+\r
+ ## General Listener behavior\r
+\r
+ Note that, for all distinct Listeners, requests SHOULD match at most one Listener.\r
+ For example, if Listeners are defined for "foo.example.com" and "*.example.com", a\r
+ request to "foo.example.com" SHOULD only be routed using routes attached\r
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).\r
+\r
+ This concept is known as "Listener Isolation", and it is an Extended feature\r
+ of Gateway API. Implementations that do not support Listener Isolation MUST\r
+ clearly document this, and MUST NOT claim support for the\r
+ `GatewayHTTPListenerIsolation` feature.\r
+\r
+ Implementations that _do_ support Listener Isolation SHOULD claim support\r
+ for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated\r
+ conformance tests.\r
+\r
+ ## Compatible Listeners\r
+\r
+ A Gateway's Listeners are considered _compatible_ if:\r
+\r
+ 1. They are distinct.\r
+ 2. The implementation can serve them in compliance with the Addresses\r
+ requirement that all Listeners are available on all assigned\r
+ addresses.\r
+\r
+ Compatible combinations in Extended support are expected to vary across\r
+ implementations. A combination that is compatible for one implementation\r
+ may not be compatible for another.\r
+\r
+ For example, an implementation that cannot serve both TCP and UDP listeners\r
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port\r
+ would not consider those cases compatible, even though they are distinct.\r
+\r
+ Implementations MAY merge separate Gateways onto a single set of\r
+ Addresses if all Listeners across all Gateways are compatible.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Listener embodies the concept of a logical endpoint where a Gateway accepts\r
+ network connections.\r
+ properties:\r
+ allowedRoutes:\r
+ default:\r
+ namespaces:\r
+ from: Same\r
+ description: |-\r
+ AllowedRoutes defines the types of routes that MAY be attached to a\r
+ Listener and the trusted namespaces where those Route resources MAY be\r
+ present.\r
+\r
+ Although a client request may match multiple route rules, only one rule\r
+ may ultimately receive the request. Matching precedence MUST be\r
+ determined in order of the following criteria:\r
+\r
+ * The most specific match as defined by the Route type.\r
+ * The oldest Route based on creation timestamp. For example, a Route with\r
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over\r
+ a Route with a creation timestamp of "2020-09-08 01:02:04".\r
+ * If everything else is equivalent, the Route appearing first in\r
+ alphabetical order (namespace/name) should be given precedence. For\r
+ example, foo/bar is given precedence over foo/baz.\r
+\r
+ All valid rules within a Route attached to this Listener should be\r
+ implemented. Invalid Route rules can be ignored (sometimes that will mean\r
+ the full Route). If a Route rule transitions from valid to invalid,\r
+ support for that Route rule should be dropped to ensure consistency. For\r
+ example, even if a filter specified by a Route rule is invalid, the rest\r
+ of the rules within that Route should still be supported.\r
+\r
+ Support: Core\r
+ properties:\r
+ kinds:\r
+ description: |-\r
+ Kinds specifies the groups and kinds of Routes that are allowed to bind\r
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes\r
+ selected are determined using the Listener protocol.\r
+\r
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible\r
+ with the application protocol specified in the Listener's Protocol field.\r
+ If an implementation does not support or recognize this resource type, it\r
+ MUST set the "ResolvedRefs" condition to False for this Listener with the\r
+ "InvalidRouteKinds" reason.\r
+\r
+ Support: Core\r
+ items:\r
+ description: RouteGroupKind indicates the group and kind\r
+ of a Route resource.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: Group is the group of the Route.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is the kind of the Route.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ required:\r
+ - kind\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ namespaces:\r
+ default:\r
+ from: Same\r
+ description: |-\r
+ Namespaces indicates namespaces from which Routes may be attached to this\r
+ Listener. This is restricted to the namespace of this Gateway by default.\r
+\r
+ Support: Core\r
+ properties:\r
+ from:\r
+ default: Same\r
+ description: |-\r
+ From indicates where Routes will be selected for this Gateway. Possible\r
+ values are:\r
+\r
+ * All: Routes in all namespaces may be used by this Gateway.\r
+ * Selector: Routes in namespaces selected by the selector may be used by\r
+ this Gateway.\r
+ * Same: Only Routes in the same namespace may be used by this Gateway.\r
+\r
+ Support: Core\r
+ enum:\r
+ - All\r
+ - Selector\r
+ - Same\r
+ type: string\r
+ selector:\r
+ description: |-\r
+ Selector must be specified when From is set to "Selector". In that case,\r
+ only Routes in Namespaces matching this Selector will be selected by this\r
+ Gateway. This field is ignored for other values of "From".\r
+\r
+ Support: Core\r
+ properties:\r
+ matchExpressions:\r
+ description: matchExpressions is a list of label\r
+ selector requirements. The requirements are ANDed.\r
+ items:\r
+ description: |-\r
+ A label selector requirement is a selector that contains values, a key, and an operator that\r
+ relates the key and values.\r
+ properties:\r
+ key:\r
+ description: key is the label key that the\r
+ selector applies to.\r
+ type: string\r
+ operator:\r
+ description: |-\r
+ operator represents a key's relationship to a set of values.\r
+ Valid operators are In, NotIn, Exists and DoesNotExist.\r
+ type: string\r
+ values:\r
+ description: |-\r
+ values is an array of string values. If the operator is In or NotIn,\r
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,\r
+ the values array must be empty. This array is replaced during a strategic\r
+ merge patch.\r
+ items:\r
+ type: string\r
+ type: array\r
+ x-kubernetes-list-type: atomic\r
+ required:\r
+ - key\r
+ - operator\r
+ type: object\r
+ type: array\r
+ x-kubernetes-list-type: atomic\r
+ matchLabels:\r
+ additionalProperties:\r
+ type: string\r
+ description: |-\r
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\r
+ map is equivalent to an element of matchExpressions, whose key field is "key", the\r
+ operator is "In", and the values array contains only "value". The requirements are ANDed.\r
+ type: object\r
+ type: object\r
+ x-kubernetes-map-type: atomic\r
+ type: object\r
+ type: object\r
+ hostname:\r
+ description: |-\r
+ Hostname specifies the virtual hostname to match for protocol types that\r
+ define this concept. When unspecified, all hostnames are matched. This\r
+ field is ignored for protocols that don't require hostname based\r
+ matching.\r
+\r
+ Implementations MUST apply Hostname matching appropriately for each of\r
+ the following protocols:\r
+\r
+ * TLS: The Listener Hostname MUST match the SNI.\r
+ * HTTP: The Listener Hostname MUST match the Host header of the request.\r
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP\r
+ protocol layers as described above. If an implementation does not\r
+ ensure that both the SNI and Host header match the Listener hostname,\r
+ it MUST clearly document that.\r
+\r
+ For HTTPRoute and TLSRoute resources, there is an interaction with the\r
+ `spec.hostnames` array. When both listener and route specify hostnames,\r
+ there MUST be an intersection between the values for a Route to be\r
+ accepted. For more information, refer to the Route specific Hostnames\r
+ documentation.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the Listener. This name MUST be unique within a\r
+ Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port. Multiple listeners may use the\r
+ same port, subject to the Listener compatibility rules.\r
+\r
+ Support: Core\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ protocol:\r
+ description: |-\r
+ Protocol specifies the network protocol this listener expects to receive.\r
+\r
+ Support: Core\r
+ maxLength: 255\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$\r
+ type: string\r
+ tls:\r
+ description: |-\r
+ TLS is the TLS configuration for the Listener. This field is required if\r
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field\r
+ if the Protocol field is "HTTP", "TCP", or "UDP".\r
+\r
+ The association of SNIs to Certificate defined in GatewayTLSConfig is\r
+ defined based on the Hostname field for this listener.\r
+\r
+ The GatewayClass MUST use the longest matching SNI out of all\r
+ available certificates for any TLS handshake.\r
+\r
+ Support: Core\r
+ properties:\r
+ certificateRefs:\r
+ description: |-\r
+ CertificateRefs contains a series of references to Kubernetes objects that\r
+ contains TLS certificates and private keys. These certificates are used to\r
+ establish a TLS handshake for requests that match the hostname of the\r
+ associated listener.\r
+\r
+ A single CertificateRef to a Kubernetes Secret has "Core" support.\r
+ Implementations MAY choose to support attaching multiple certificates to\r
+ a Listener, but this behavior is implementation-specific.\r
+\r
+ References to a resource in different namespace are invalid UNLESS there\r
+ is a ReferenceGrant in the target namespace that allows the certificate\r
+ to be attached. If a ReferenceGrant does not allow this reference, the\r
+ "ResolvedRefs" condition MUST be set to False for this listener with the\r
+ "RefNotPermitted" reason.\r
+\r
+ This field is required to have at least one element when the mode is set\r
+ to "Terminate" (default) and is optional otherwise.\r
+\r
+ CertificateRefs can reference to standard Kubernetes resources, i.e.\r
+ Secret, or implementation-specific custom resources.\r
+\r
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls\r
+\r
+ Support: Implementation-specific (More than one reference or other resource types)\r
+ items:\r
+ description: |-\r
+ SecretObjectReference identifies an API object including its namespace,\r
+ defaulting to Secret.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+\r
+ References to objects with invalid Group and Kind are not valid, and must\r
+ be rejected by the implementation, with appropriate Conditions set\r
+ on the containing object.\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Secret\r
+ description: Kind is kind of the referent. For example\r
+ "Secret".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referenced object. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ frontendValidation:\r
+ description: |+\r
+ FrontendValidation holds configuration information for validating the frontend (client).\r
+ Setting this field will require clients to send a client certificate\r
+ required for validation during the TLS handshake. In browsers this may result in a dialog appearing\r
+ that requests a user to specify the client certificate.\r
+ The maximum depth of a certificate chain accepted in verification is Implementation specific.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ caCertificateRefs:\r
+ description: |-\r
+ CACertificateRefs contains one or more references to\r
+ Kubernetes objects that contain TLS certificates of\r
+ the Certificate Authorities that can be used\r
+ as a trust anchor to validate the certificates presented by the client.\r
+\r
+ A single CA certificate reference to a Kubernetes ConfigMap\r
+ has "Core" support.\r
+ Implementations MAY choose to support attaching multiple CA certificates to\r
+ a Listener, but this behavior is implementation-specific.\r
+\r
+ Support: Core - A single reference to a Kubernetes ConfigMap\r
+ with the CA certificate in a key named `ca.crt`.\r
+\r
+ Support: Implementation-specific (More than one reference, or other kinds\r
+ of resources).\r
+\r
+ References to a resource in a different namespace are invalid UNLESS there\r
+ is a ReferenceGrant in the target namespace that allows the certificate\r
+ to be attached. If a ReferenceGrant does not allow this reference, the\r
+ "ResolvedRefs" condition MUST be set to False for this listener with the\r
+ "RefNotPermitted" reason.\r
+ items:\r
+ description: |-\r
+ ObjectReference identifies an API object including its namespace.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+\r
+ References to objects with invalid Group and Kind are not valid, and must\r
+ be rejected by the implementation, with appropriate Conditions set\r
+ on the containing object.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For\r
+ example "ConfigMap" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referenced object. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ type: object\r
+ mode:\r
+ default: Terminate\r
+ description: |-\r
+ Mode defines the TLS behavior for the TLS session initiated by the client.\r
+ There are two possible modes:\r
+\r
+ - Terminate: The TLS session between the downstream client and the\r
+ Gateway is terminated at the Gateway. This mode requires certificates\r
+ to be specified in some way, such as populating the certificateRefs\r
+ field.\r
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This\r
+ implies that the Gateway can't decipher the TLS stream except for\r
+ the ClientHello message of the TLS protocol. The certificateRefs field\r
+ is ignored in this mode.\r
+\r
+ Support: Core\r
+ enum:\r
+ - Terminate\r
+ - Passthrough\r
+ type: string\r
+ options:\r
+ additionalProperties:\r
+ description: |-\r
+ AnnotationValue is the value of an annotation in Gateway API. This is used\r
+ for validation of maps such as TLS options. This roughly matches Kubernetes\r
+ annotation validation, although the length validation in that case is based\r
+ on the entire size of the annotations struct.\r
+ maxLength: 4096\r
+ minLength: 0\r
+ type: string\r
+ description: |-\r
+ Options are a list of key/value pairs to enable extended TLS\r
+ configuration for each implementation. For example, configuring the\r
+ minimum TLS version or supported cipher suites.\r
+\r
+ A set of common keys MAY be defined by the API in the future. To avoid\r
+ any ambiguity, implementation-specific definitions MUST use\r
+ domain-prefixed names, such as `example.com/my-custom-option`.\r
+ Un-prefixed names are reserved for key names defined by Gateway API.\r
+\r
+ Support: Implementation-specific\r
+ maxProperties: 16\r
+ type: object\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: certificateRefs or options must be specified when\r
+ mode is Terminate\r
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)\r
+ > 0 || size(self.options) > 0 : true'\r
+ required:\r
+ - name\r
+ - port\r
+ - protocol\r
+ type: object\r
+ maxItems: 64\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ x-kubernetes-validations:\r
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',\r
+ 'UDP']\r
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?\r
+ !has(l.tls) : true)'\r
+ - message: tls mode must be Terminate for protocol HTTPS\r
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode\r
+ == '''' || l.tls.mode == ''Terminate'') : true)'\r
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']\r
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)\r
+ || l.hostname == '''') : true)'\r
+ - message: Listener name must be unique within the Gateway\r
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))\r
+ - message: Combination of port, protocol and hostname must be unique\r
+ for each listener\r
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol\r
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname\r
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'\r
+ required:\r
+ - gatewayClassName\r
+ - listeners\r
+ type: object\r
+ status:\r
+ default:\r
+ conditions:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Programmed\r
+ description: Status defines the current state of Gateway.\r
+ properties:\r
+ addresses:\r
+ description: |+\r
+ Addresses lists the network addresses that have been bound to the\r
+ Gateway.\r
+\r
+ This list may differ from the addresses provided in the spec under some\r
+ conditions:\r
+\r
+ * no addresses are specified, all addresses are dynamically assigned\r
+ * a combination of specified and dynamic addresses are assigned\r
+ * a specified address was unusable (e.g. already in use)\r
+\r
+ items:\r
+ description: GatewayStatusAddress describes a network address that\r
+ is bound to a Gateway.\r
+ oneOf:\r
+ - properties:\r
+ type:\r
+ enum:\r
+ - IPAddress\r
+ value:\r
+ anyOf:\r
+ - format: ipv4\r
+ - format: ipv6\r
+ - properties:\r
+ type:\r
+ not:\r
+ enum:\r
+ - IPAddress\r
+ properties:\r
+ type:\r
+ default: IPAddress\r
+ description: Type of the address.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ value:\r
+ description: |-\r
+ Value of the address. The validity of the values will depend\r
+ on the type and support by the controller.\r
+\r
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - value\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Hostname value must only contain valid characters (matching\r
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)\r
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):\r
+ true'\r
+ maxItems: 16\r
+ type: array\r
+ conditions:\r
+ default:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Programmed\r
+ description: |-\r
+ Conditions describe the current conditions of the Gateway.\r
+\r
+ Implementations should prefer to express Gateway conditions\r
+ using the `GatewayConditionType` and `GatewayConditionReason`\r
+ constants so that operators and tools can converge on a common\r
+ vocabulary to describe Gateway state.\r
+\r
+ Known condition types are:\r
+\r
+ * "Accepted"\r
+ * "Programmed"\r
+ * "Ready"\r
+ items:\r
+ description: Condition contains details for one aspect of the current\r
+ state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False, Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ listeners:\r
+ description: Listeners provide status for each unique listener port\r
+ defined in the Spec.\r
+ items:\r
+ description: ListenerStatus is the status associated with a Listener.\r
+ properties:\r
+ attachedRoutes:\r
+ description: |-\r
+ AttachedRoutes represents the total number of Routes that have been\r
+ successfully attached to this Listener.\r
+\r
+ Successful attachment of a Route to a Listener is based solely on the\r
+ combination of the AllowedRoutes field on the corresponding Listener\r
+ and the Route's ParentRefs field. A Route is successfully attached to\r
+ a Listener when it is selected by the Listener's AllowedRoutes field\r
+ AND the Route has a valid ParentRef selecting the whole Gateway\r
+ resource or a specific Listener as a parent resource (more detail on\r
+ attachment semantics can be found in the documentation on the various\r
+ Route kinds ParentRefs fields). Listener or Route status does not impact\r
+ successful attachment, i.e. the AttachedRoutes field count MUST be set\r
+ for Listeners with condition Accepted: false and MUST count successfully\r
+ attached Routes that may themselves have Accepted: false conditions.\r
+\r
+ Uses for this field include troubleshooting Route attachment and\r
+ measuring blast radius/impact of changes to a Listener.\r
+ format: int32\r
+ type: integer\r
+ conditions:\r
+ description: Conditions describe the current condition of this\r
+ listener.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ name:\r
+ description: Name is the name of the Listener that this status\r
+ corresponds to.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ supportedKinds:\r
+ description: |-\r
+ SupportedKinds is the list indicating the Kinds supported by this\r
+ listener. This MUST represent the kinds an implementation supports for\r
+ that Listener configuration.\r
+\r
+ If kinds are specified in Spec that are not supported, they MUST NOT\r
+ appear in this list and an implementation MUST set the "ResolvedRefs"\r
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid\r
+ and invalid Route kinds are specified, the implementation MUST\r
+ reference the valid Route kinds that have been specified.\r
+ items:\r
+ description: RouteGroupKind indicates the group and kind of\r
+ a Route resource.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: Group is the group of the Route.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is the kind of the Route.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ required:\r
+ - kind\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ required:\r
+ - attachedRoutes\r
+ - conditions\r
+ - name\r
+ - supportedKinds\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.gatewayClassName\r
+ name: Class\r
+ type: string\r
+ - jsonPath: .status.addresses[*].value\r
+ name: Address\r
+ type: string\r
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status\r
+ name: Programmed\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1beta1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ Gateway represents an instance of a service-traffic handling infrastructure\r
+ by binding Listeners to a set of IP addresses.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of Gateway.\r
+ properties:\r
+ addresses:\r
+ description: |+\r
+ Addresses requested for this Gateway. This is optional and behavior can\r
+ depend on the implementation. If a value is set in the spec and the\r
+ requested address is invalid or unavailable, the implementation MUST\r
+ indicate this in the associated entry in GatewayStatus.Addresses.\r
+\r
+ The Addresses field represents a request for the address(es) on the\r
+ "outside of the Gateway", that traffic bound for this Gateway will use.\r
+ This could be the IP address or hostname of an external load balancer or\r
+ other networking infrastructure, or some other address that traffic will\r
+ be sent to.\r
+\r
+ If no Addresses are specified, the implementation MAY schedule the\r
+ Gateway in an implementation-specific manner, assigning an appropriate\r
+ set of Addresses.\r
+\r
+ The implementation MUST bind all Listeners to every GatewayAddress that\r
+ it assigns to the Gateway and add a corresponding entry in\r
+ GatewayStatus.Addresses.\r
+\r
+ Support: Extended\r
+\r
+ items:\r
+ description: GatewayAddress describes an address that can be bound\r
+ to a Gateway.\r
+ oneOf:\r
+ - properties:\r
+ type:\r
+ enum:\r
+ - IPAddress\r
+ value:\r
+ anyOf:\r
+ - format: ipv4\r
+ - format: ipv6\r
+ - properties:\r
+ type:\r
+ not:\r
+ enum:\r
+ - IPAddress\r
+ properties:\r
+ type:\r
+ default: IPAddress\r
+ description: Type of the address.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ value:\r
+ description: |-\r
+ Value of the address. The validity of the values will depend\r
+ on the type and support by the controller.\r
+\r
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - value\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Hostname value must only contain valid characters (matching\r
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)\r
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):\r
+ true'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: IPAddress values must be unique\r
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,\r
+ a2.type == a1.type && a2.value == a1.value) : true )'\r
+ - message: Hostname values must be unique\r
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,\r
+ a2.type == a1.type && a2.value == a1.value) : true )'\r
+ backendTLS:\r
+ description: |+\r
+ BackendTLS configures TLS settings for when this Gateway is connecting to\r
+ backends with TLS.\r
+\r
+ Support: Core\r
+\r
+ properties:\r
+ clientCertificateRef:\r
+ description: |+\r
+ ClientCertificateRef is a reference to an object that contains a Client\r
+ Certificate and the associated private key.\r
+\r
+ References to a resource in different namespace are invalid UNLESS there\r
+ is a ReferenceGrant in the target namespace that allows the certificate\r
+ to be attached. If a ReferenceGrant does not allow this reference, the\r
+ "ResolvedRefs" condition MUST be set to False for this listener with the\r
+ "RefNotPermitted" reason.\r
+\r
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.\r
+ Secret, or implementation-specific custom resources.\r
+\r
+ This setting can be overridden on the service level by use of BackendTLSPolicy.\r
+\r
+ Support: Core\r
+\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Secret\r
+ description: Kind is kind of the referent. For example "Secret".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referenced object. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ type: object\r
+ gatewayClassName:\r
+ description: |-\r
+ GatewayClassName used for this Gateway. This is the name of a\r
+ GatewayClass resource.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ infrastructure:\r
+ description: |-\r
+ Infrastructure defines infrastructure level attributes about this Gateway instance.\r
+\r
+ Support: Extended\r
+ properties:\r
+ annotations:\r
+ additionalProperties:\r
+ description: |-\r
+ AnnotationValue is the value of an annotation in Gateway API. This is used\r
+ for validation of maps such as TLS options. This roughly matches Kubernetes\r
+ annotation validation, although the length validation in that case is based\r
+ on the entire size of the annotations struct.\r
+ maxLength: 4096\r
+ minLength: 0\r
+ type: string\r
+ description: |-\r
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.\r
+\r
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.\r
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.\r
+\r
+ An implementation may chose to add additional implementation-specific annotations as they see fit.\r
+\r
+ Support: Extended\r
+ maxProperties: 8\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Annotation keys must be in the form of an optional\r
+ DNS subdomain prefix followed by a required name segment of\r
+ up to 63 characters.\r
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))\r
+ - message: If specified, the annotation key's prefix must be a\r
+ DNS subdomain not longer than 253 characters in total.\r
+ rule: self.all(key, key.split("/")[0].size() < 253)\r
+ labels:\r
+ additionalProperties:\r
+ description: |-\r
+ LabelValue is the value of a label in the Gateway API. This is used for validation\r
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes\r
+ label validation rules:\r
+ * must be 63 characters or less (can be empty),\r
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),\r
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.\r
+\r
+ Valid values include:\r
+\r
+ * MyValue\r
+ * my.name\r
+ * 123-my-value\r
+ maxLength: 63\r
+ minLength: 0\r
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\r
+ type: string\r
+ description: |-\r
+ Labels that SHOULD be applied to any resources created in response to this Gateway.\r
+\r
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.\r
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.\r
+\r
+ An implementation may chose to add additional implementation-specific labels as they see fit.\r
+\r
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels\r
+ change, it SHOULD clearly warn about this behavior in documentation.\r
+\r
+ Support: Extended\r
+ maxProperties: 8\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Label keys must be in the form of an optional DNS subdomain\r
+ prefix followed by a required name segment of up to 63 characters.\r
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))\r
+ - message: If specified, the label key's prefix must be a DNS\r
+ subdomain not longer than 253 characters in total.\r
+ rule: self.all(key, key.split("/")[0].size() < 253)\r
+ parametersRef:\r
+ description: |-\r
+ ParametersRef is a reference to a resource that contains the configuration\r
+ parameters corresponding to the Gateway. This is optional if the\r
+ controller does not require any additional configuration.\r
+\r
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis\r
+\r
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,\r
+ the merging behavior is implementation specific.\r
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: Group is the group of the referent.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ type: object\r
+ listeners:\r
+ description: |-\r
+ Listeners associated with this Gateway. Listeners define\r
+ logical endpoints that are bound on this Gateway's addresses.\r
+ At least one Listener MUST be specified.\r
+\r
+ ## Distinct Listeners\r
+\r
+ Each Listener in a set of Listeners (for example, in a single Gateway)\r
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to\r
+ exactly one listener. (This section uses "set of Listeners" rather than\r
+ "Listeners in a single Gateway" because implementations MAY merge configuration\r
+ from multiple Gateways onto a single data plane, and these rules _also_\r
+ apply in that case).\r
+\r
+ Practically, this means that each listener in a set MUST have a unique\r
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.\r
+\r
+ Some combinations of port, protocol, and TLS settings are considered\r
+ Core support and MUST be supported by implementations based on the objects\r
+ they support:\r
+\r
+ HTTPRoute\r
+\r
+ 1. HTTPRoute, Port: 80, Protocol: HTTP\r
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided\r
+\r
+ TLSRoute\r
+\r
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough\r
+\r
+ "Distinct" Listeners have the following property:\r
+\r
+ **The implementation can match inbound requests to a single distinct\r
+ Listener**.\r
+\r
+ When multiple Listeners share values for fields (for\r
+ example, two Listeners with the same Port value), the implementation\r
+ can match requests to only one of the Listeners using other\r
+ Listener fields.\r
+\r
+ When multiple listeners have the same value for the Protocol field, then\r
+ each of the Listeners with matching Protocol values MUST have different\r
+ values for other fields.\r
+\r
+ The set of fields that MUST be different for a Listener differs per protocol.\r
+ The following rules define the rules for what fields MUST be considered for\r
+ Listeners to be distinct with each protocol currently defined in the\r
+ Gateway API spec.\r
+\r
+ The set of listeners that all share a protocol value MUST have _different_\r
+ values for _at least one_ of these fields to be distinct:\r
+\r
+ * **HTTP, HTTPS, TLS**: Port, Hostname\r
+ * **TCP, UDP**: Port\r
+\r
+ One **very** important rule to call out involves what happens when an\r
+ implementation:\r
+\r
+ * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol\r
+ Listeners, and\r
+ * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP\r
+ Protocol.\r
+\r
+ In this case all the Listeners that share a port with the\r
+ TCP Listener are not distinct and so MUST NOT be accepted.\r
+\r
+ If an implementation does not support TCP Protocol Listeners, then the\r
+ previous rule does not apply, and the TCP Listeners SHOULD NOT be\r
+ accepted.\r
+\r
+ Note that the `tls` field is not used for determining if a listener is distinct, because\r
+ Listeners that _only_ differ on TLS config will still conflict in all cases.\r
+\r
+ ### Listeners that are distinct only by Hostname\r
+\r
+ When the Listeners are distinct based only on Hostname, inbound request\r
+ hostnames MUST match from the most specific to least specific Hostname\r
+ values to choose the correct Listener and its associated set of Routes.\r
+\r
+ Exact matches MUST be processed before wildcard matches, and wildcard\r
+ matches MUST be processed before fallback (empty Hostname value)\r
+ matches. For example, `"foo.example.com"` takes precedence over\r
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.\r
+\r
+ Additionally, if there are multiple wildcard entries, more specific\r
+ wildcard entries must be processed before less specific wildcard entries.\r
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.\r
+\r
+ The precise definition here is that the higher the number of dots in the\r
+ hostname to the right of the wildcard character, the higher the precedence.\r
+\r
+ The wildcard character will match any number of characters _and dots_ to\r
+ the left, however, so `"*.example.com"` will match both\r
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.\r
+\r
+ ## Handling indistinct Listeners\r
+\r
+ If a set of Listeners contains Listeners that are not distinct, then those\r
+ Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"\r
+ condition in the Listener Status to "True".\r
+\r
+ The words "indistict" and "conflicted" are considered equivalent for the\r
+ purpose of this documentation.\r
+\r
+ Implementations MAY choose to accept a Gateway with some Conflicted\r
+ Listeners only if they only accept the partial Listener set that contains\r
+ no Conflicted Listeners.\r
+\r
+ Specifically, an implementation MAY accept a partial Listener set subject to\r
+ the following rules:\r
+\r
+ * The implementation MUST NOT pick one conflicting Listener as the winner.\r
+ ALL indistinct Listeners must not be accepted for processing.\r
+ * At least one distinct Listener MUST be present, or else the Gateway effectively\r
+ contains _no_ Listeners, and must be rejected from processing as a whole.\r
+\r
+ The implementation MUST set a "ListenersNotValid" condition on the\r
+ Gateway Status when the Gateway contains Conflicted Listeners whether or\r
+ not they accept the Gateway. That Condition SHOULD clearly\r
+ indicate in the Message which Listeners are conflicted, and which are\r
+ Accepted. Additionally, the Listener status for those listeners SHOULD\r
+ indicate which Listeners are conflicted and not Accepted.\r
+\r
+ ## General Listener behavior\r
+\r
+ Note that, for all distinct Listeners, requests SHOULD match at most one Listener.\r
+ For example, if Listeners are defined for "foo.example.com" and "*.example.com", a\r
+ request to "foo.example.com" SHOULD only be routed using routes attached\r
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).\r
+\r
+ This concept is known as "Listener Isolation", and it is an Extended feature\r
+ of Gateway API. Implementations that do not support Listener Isolation MUST\r
+ clearly document this, and MUST NOT claim support for the\r
+ `GatewayHTTPListenerIsolation` feature.\r
+\r
+ Implementations that _do_ support Listener Isolation SHOULD claim support\r
+ for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated\r
+ conformance tests.\r
+\r
+ ## Compatible Listeners\r
+\r
+ A Gateway's Listeners are considered _compatible_ if:\r
+\r
+ 1. They are distinct.\r
+ 2. The implementation can serve them in compliance with the Addresses\r
+ requirement that all Listeners are available on all assigned\r
+ addresses.\r
+\r
+ Compatible combinations in Extended support are expected to vary across\r
+ implementations. A combination that is compatible for one implementation\r
+ may not be compatible for another.\r
+\r
+ For example, an implementation that cannot serve both TCP and UDP listeners\r
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port\r
+ would not consider those cases compatible, even though they are distinct.\r
+\r
+ Implementations MAY merge separate Gateways onto a single set of\r
+ Addresses if all Listeners across all Gateways are compatible.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Listener embodies the concept of a logical endpoint where a Gateway accepts\r
+ network connections.\r
+ properties:\r
+ allowedRoutes:\r
+ default:\r
+ namespaces:\r
+ from: Same\r
+ description: |-\r
+ AllowedRoutes defines the types of routes that MAY be attached to a\r
+ Listener and the trusted namespaces where those Route resources MAY be\r
+ present.\r
+\r
+ Although a client request may match multiple route rules, only one rule\r
+ may ultimately receive the request. Matching precedence MUST be\r
+ determined in order of the following criteria:\r
+\r
+ * The most specific match as defined by the Route type.\r
+ * The oldest Route based on creation timestamp. For example, a Route with\r
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over\r
+ a Route with a creation timestamp of "2020-09-08 01:02:04".\r
+ * If everything else is equivalent, the Route appearing first in\r
+ alphabetical order (namespace/name) should be given precedence. For\r
+ example, foo/bar is given precedence over foo/baz.\r
+\r
+ All valid rules within a Route attached to this Listener should be\r
+ implemented. Invalid Route rules can be ignored (sometimes that will mean\r
+ the full Route). If a Route rule transitions from valid to invalid,\r
+ support for that Route rule should be dropped to ensure consistency. For\r
+ example, even if a filter specified by a Route rule is invalid, the rest\r
+ of the rules within that Route should still be supported.\r
+\r
+ Support: Core\r
+ properties:\r
+ kinds:\r
+ description: |-\r
+ Kinds specifies the groups and kinds of Routes that are allowed to bind\r
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes\r
+ selected are determined using the Listener protocol.\r
+\r
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible\r
+ with the application protocol specified in the Listener's Protocol field.\r
+ If an implementation does not support or recognize this resource type, it\r
+ MUST set the "ResolvedRefs" condition to False for this Listener with the\r
+ "InvalidRouteKinds" reason.\r
+\r
+ Support: Core\r
+ items:\r
+ description: RouteGroupKind indicates the group and kind\r
+ of a Route resource.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: Group is the group of the Route.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is the kind of the Route.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ required:\r
+ - kind\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ namespaces:\r
+ default:\r
+ from: Same\r
+ description: |-\r
+ Namespaces indicates namespaces from which Routes may be attached to this\r
+ Listener. This is restricted to the namespace of this Gateway by default.\r
+\r
+ Support: Core\r
+ properties:\r
+ from:\r
+ default: Same\r
+ description: |-\r
+ From indicates where Routes will be selected for this Gateway. Possible\r
+ values are:\r
+\r
+ * All: Routes in all namespaces may be used by this Gateway.\r
+ * Selector: Routes in namespaces selected by the selector may be used by\r
+ this Gateway.\r
+ * Same: Only Routes in the same namespace may be used by this Gateway.\r
+\r
+ Support: Core\r
+ enum:\r
+ - All\r
+ - Selector\r
+ - Same\r
+ type: string\r
+ selector:\r
+ description: |-\r
+ Selector must be specified when From is set to "Selector". In that case,\r
+ only Routes in Namespaces matching this Selector will be selected by this\r
+ Gateway. This field is ignored for other values of "From".\r
+\r
+ Support: Core\r
+ properties:\r
+ matchExpressions:\r
+ description: matchExpressions is a list of label\r
+ selector requirements. The requirements are ANDed.\r
+ items:\r
+ description: |-\r
+ A label selector requirement is a selector that contains values, a key, and an operator that\r
+ relates the key and values.\r
+ properties:\r
+ key:\r
+ description: key is the label key that the\r
+ selector applies to.\r
+ type: string\r
+ operator:\r
+ description: |-\r
+ operator represents a key's relationship to a set of values.\r
+ Valid operators are In, NotIn, Exists and DoesNotExist.\r
+ type: string\r
+ values:\r
+ description: |-\r
+ values is an array of string values. If the operator is In or NotIn,\r
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,\r
+ the values array must be empty. This array is replaced during a strategic\r
+ merge patch.\r
+ items:\r
+ type: string\r
+ type: array\r
+ x-kubernetes-list-type: atomic\r
+ required:\r
+ - key\r
+ - operator\r
+ type: object\r
+ type: array\r
+ x-kubernetes-list-type: atomic\r
+ matchLabels:\r
+ additionalProperties:\r
+ type: string\r
+ description: |-\r
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\r
+ map is equivalent to an element of matchExpressions, whose key field is "key", the\r
+ operator is "In", and the values array contains only "value". The requirements are ANDed.\r
+ type: object\r
+ type: object\r
+ x-kubernetes-map-type: atomic\r
+ type: object\r
+ type: object\r
+ hostname:\r
+ description: |-\r
+ Hostname specifies the virtual hostname to match for protocol types that\r
+ define this concept. When unspecified, all hostnames are matched. This\r
+ field is ignored for protocols that don't require hostname based\r
+ matching.\r
+\r
+ Implementations MUST apply Hostname matching appropriately for each of\r
+ the following protocols:\r
+\r
+ * TLS: The Listener Hostname MUST match the SNI.\r
+ * HTTP: The Listener Hostname MUST match the Host header of the request.\r
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP\r
+ protocol layers as described above. If an implementation does not\r
+ ensure that both the SNI and Host header match the Listener hostname,\r
+ it MUST clearly document that.\r
+\r
+ For HTTPRoute and TLSRoute resources, there is an interaction with the\r
+ `spec.hostnames` array. When both listener and route specify hostnames,\r
+ there MUST be an intersection between the values for a Route to be\r
+ accepted. For more information, refer to the Route specific Hostnames\r
+ documentation.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the Listener. This name MUST be unique within a\r
+ Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port. Multiple listeners may use the\r
+ same port, subject to the Listener compatibility rules.\r
+\r
+ Support: Core\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ protocol:\r
+ description: |-\r
+ Protocol specifies the network protocol this listener expects to receive.\r
+\r
+ Support: Core\r
+ maxLength: 255\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$\r
+ type: string\r
+ tls:\r
+ description: |-\r
+ TLS is the TLS configuration for the Listener. This field is required if\r
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field\r
+ if the Protocol field is "HTTP", "TCP", or "UDP".\r
+\r
+ The association of SNIs to Certificate defined in GatewayTLSConfig is\r
+ defined based on the Hostname field for this listener.\r
+\r
+ The GatewayClass MUST use the longest matching SNI out of all\r
+ available certificates for any TLS handshake.\r
+\r
+ Support: Core\r
+ properties:\r
+ certificateRefs:\r
+ description: |-\r
+ CertificateRefs contains a series of references to Kubernetes objects that\r
+ contains TLS certificates and private keys. These certificates are used to\r
+ establish a TLS handshake for requests that match the hostname of the\r
+ associated listener.\r
+\r
+ A single CertificateRef to a Kubernetes Secret has "Core" support.\r
+ Implementations MAY choose to support attaching multiple certificates to\r
+ a Listener, but this behavior is implementation-specific.\r
+\r
+ References to a resource in different namespace are invalid UNLESS there\r
+ is a ReferenceGrant in the target namespace that allows the certificate\r
+ to be attached. If a ReferenceGrant does not allow this reference, the\r
+ "ResolvedRefs" condition MUST be set to False for this listener with the\r
+ "RefNotPermitted" reason.\r
+\r
+ This field is required to have at least one element when the mode is set\r
+ to "Terminate" (default) and is optional otherwise.\r
+\r
+ CertificateRefs can reference to standard Kubernetes resources, i.e.\r
+ Secret, or implementation-specific custom resources.\r
+\r
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls\r
+\r
+ Support: Implementation-specific (More than one reference or other resource types)\r
+ items:\r
+ description: |-\r
+ SecretObjectReference identifies an API object including its namespace,\r
+ defaulting to Secret.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+\r
+ References to objects with invalid Group and Kind are not valid, and must\r
+ be rejected by the implementation, with appropriate Conditions set\r
+ on the containing object.\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Secret\r
+ description: Kind is kind of the referent. For example\r
+ "Secret".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referenced object. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ frontendValidation:\r
+ description: |+\r
+ FrontendValidation holds configuration information for validating the frontend (client).\r
+ Setting this field will require clients to send a client certificate\r
+ required for validation during the TLS handshake. In browsers this may result in a dialog appearing\r
+ that requests a user to specify the client certificate.\r
+ The maximum depth of a certificate chain accepted in verification is Implementation specific.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ caCertificateRefs:\r
+ description: |-\r
+ CACertificateRefs contains one or more references to\r
+ Kubernetes objects that contain TLS certificates of\r
+ the Certificate Authorities that can be used\r
+ as a trust anchor to validate the certificates presented by the client.\r
+\r
+ A single CA certificate reference to a Kubernetes ConfigMap\r
+ has "Core" support.\r
+ Implementations MAY choose to support attaching multiple CA certificates to\r
+ a Listener, but this behavior is implementation-specific.\r
+\r
+ Support: Core - A single reference to a Kubernetes ConfigMap\r
+ with the CA certificate in a key named `ca.crt`.\r
+\r
+ Support: Implementation-specific (More than one reference, or other kinds\r
+ of resources).\r
+\r
+ References to a resource in a different namespace are invalid UNLESS there\r
+ is a ReferenceGrant in the target namespace that allows the certificate\r
+ to be attached. If a ReferenceGrant does not allow this reference, the\r
+ "ResolvedRefs" condition MUST be set to False for this listener with the\r
+ "RefNotPermitted" reason.\r
+ items:\r
+ description: |-\r
+ ObjectReference identifies an API object including its namespace.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+\r
+ References to objects with invalid Group and Kind are not valid, and must\r
+ be rejected by the implementation, with appropriate Conditions set\r
+ on the containing object.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For\r
+ example "ConfigMap" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referenced object. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ type: object\r
+ mode:\r
+ default: Terminate\r
+ description: |-\r
+ Mode defines the TLS behavior for the TLS session initiated by the client.\r
+ There are two possible modes:\r
+\r
+ - Terminate: The TLS session between the downstream client and the\r
+ Gateway is terminated at the Gateway. This mode requires certificates\r
+ to be specified in some way, such as populating the certificateRefs\r
+ field.\r
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This\r
+ implies that the Gateway can't decipher the TLS stream except for\r
+ the ClientHello message of the TLS protocol. The certificateRefs field\r
+ is ignored in this mode.\r
+\r
+ Support: Core\r
+ enum:\r
+ - Terminate\r
+ - Passthrough\r
+ type: string\r
+ options:\r
+ additionalProperties:\r
+ description: |-\r
+ AnnotationValue is the value of an annotation in Gateway API. This is used\r
+ for validation of maps such as TLS options. This roughly matches Kubernetes\r
+ annotation validation, although the length validation in that case is based\r
+ on the entire size of the annotations struct.\r
+ maxLength: 4096\r
+ minLength: 0\r
+ type: string\r
+ description: |-\r
+ Options are a list of key/value pairs to enable extended TLS\r
+ configuration for each implementation. For example, configuring the\r
+ minimum TLS version or supported cipher suites.\r
+\r
+ A set of common keys MAY be defined by the API in the future. To avoid\r
+ any ambiguity, implementation-specific definitions MUST use\r
+ domain-prefixed names, such as `example.com/my-custom-option`.\r
+ Un-prefixed names are reserved for key names defined by Gateway API.\r
+\r
+ Support: Implementation-specific\r
+ maxProperties: 16\r
+ type: object\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: certificateRefs or options must be specified when\r
+ mode is Terminate\r
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)\r
+ > 0 || size(self.options) > 0 : true'\r
+ required:\r
+ - name\r
+ - port\r
+ - protocol\r
+ type: object\r
+ maxItems: 64\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ x-kubernetes-validations:\r
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',\r
+ 'UDP']\r
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?\r
+ !has(l.tls) : true)'\r
+ - message: tls mode must be Terminate for protocol HTTPS\r
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode\r
+ == '''' || l.tls.mode == ''Terminate'') : true)'\r
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']\r
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)\r
+ || l.hostname == '''') : true)'\r
+ - message: Listener name must be unique within the Gateway\r
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))\r
+ - message: Combination of port, protocol and hostname must be unique\r
+ for each listener\r
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol\r
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname\r
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'\r
+ required:\r
+ - gatewayClassName\r
+ - listeners\r
+ type: object\r
+ status:\r
+ default:\r
+ conditions:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Programmed\r
+ description: Status defines the current state of Gateway.\r
+ properties:\r
+ addresses:\r
+ description: |+\r
+ Addresses lists the network addresses that have been bound to the\r
+ Gateway.\r
+\r
+ This list may differ from the addresses provided in the spec under some\r
+ conditions:\r
+\r
+ * no addresses are specified, all addresses are dynamically assigned\r
+ * a combination of specified and dynamic addresses are assigned\r
+ * a specified address was unusable (e.g. already in use)\r
+\r
+ items:\r
+ description: GatewayStatusAddress describes a network address that\r
+ is bound to a Gateway.\r
+ oneOf:\r
+ - properties:\r
+ type:\r
+ enum:\r
+ - IPAddress\r
+ value:\r
+ anyOf:\r
+ - format: ipv4\r
+ - format: ipv6\r
+ - properties:\r
+ type:\r
+ not:\r
+ enum:\r
+ - IPAddress\r
+ properties:\r
+ type:\r
+ default: IPAddress\r
+ description: Type of the address.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ value:\r
+ description: |-\r
+ Value of the address. The validity of the values will depend\r
+ on the type and support by the controller.\r
+\r
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - value\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Hostname value must only contain valid characters (matching\r
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)\r
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):\r
+ true'\r
+ maxItems: 16\r
+ type: array\r
+ conditions:\r
+ default:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Programmed\r
+ description: |-\r
+ Conditions describe the current conditions of the Gateway.\r
+\r
+ Implementations should prefer to express Gateway conditions\r
+ using the `GatewayConditionType` and `GatewayConditionReason`\r
+ constants so that operators and tools can converge on a common\r
+ vocabulary to describe Gateway state.\r
+\r
+ Known condition types are:\r
+\r
+ * "Accepted"\r
+ * "Programmed"\r
+ * "Ready"\r
+ items:\r
+ description: Condition contains details for one aspect of the current\r
+ state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False, Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ listeners:\r
+ description: Listeners provide status for each unique listener port\r
+ defined in the Spec.\r
+ items:\r
+ description: ListenerStatus is the status associated with a Listener.\r
+ properties:\r
+ attachedRoutes:\r
+ description: |-\r
+ AttachedRoutes represents the total number of Routes that have been\r
+ successfully attached to this Listener.\r
+\r
+ Successful attachment of a Route to a Listener is based solely on the\r
+ combination of the AllowedRoutes field on the corresponding Listener\r
+ and the Route's ParentRefs field. A Route is successfully attached to\r
+ a Listener when it is selected by the Listener's AllowedRoutes field\r
+ AND the Route has a valid ParentRef selecting the whole Gateway\r
+ resource or a specific Listener as a parent resource (more detail on\r
+ attachment semantics can be found in the documentation on the various\r
+ Route kinds ParentRefs fields). Listener or Route status does not impact\r
+ successful attachment, i.e. the AttachedRoutes field count MUST be set\r
+ for Listeners with condition Accepted: false and MUST count successfully\r
+ attached Routes that may themselves have Accepted: false conditions.\r
+\r
+ Uses for this field include troubleshooting Route attachment and\r
+ measuring blast radius/impact of changes to a Listener.\r
+ format: int32\r
+ type: integer\r
+ conditions:\r
+ description: Conditions describe the current condition of this\r
+ listener.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ name:\r
+ description: Name is the name of the Listener that this status\r
+ corresponds to.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ supportedKinds:\r
+ description: |-\r
+ SupportedKinds is the list indicating the Kinds supported by this\r
+ listener. This MUST represent the kinds an implementation supports for\r
+ that Listener configuration.\r
+\r
+ If kinds are specified in Spec that are not supported, they MUST NOT\r
+ appear in this list and an implementation MUST set the "ResolvedRefs"\r
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid\r
+ and invalid Route kinds are specified, the implementation MUST\r
+ reference the valid Route kinds that have been specified.\r
+ items:\r
+ description: RouteGroupKind indicates the group and kind of\r
+ a Route resource.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: Group is the group of the Route.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is the kind of the Route.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ required:\r
+ - kind\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ required:\r
+ - attachedRoutes\r
+ - conditions\r
+ - name\r
+ - supportedKinds\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: false\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ name: grpcroutes.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: GRPCRoute\r
+ listKind: GRPCRouteList\r
+ plural: grpcroutes\r
+ singular: grpcroute\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.hostnames\r
+ name: Hostnames\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ GRPCRoute provides a way to route gRPC requests. This includes the capability\r
+ to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.\r
+ Filters can be used to specify additional processing steps. Backends specify\r
+ where matching requests will be routed.\r
+\r
+ GRPCRoute falls under extended support within the Gateway API. Within the\r
+ following specification, the word "MUST" indicates that an implementation\r
+ supporting GRPCRoute must conform to the indicated requirement, but an\r
+ implementation not supporting this route type need not follow the requirement\r
+ unless explicitly indicated.\r
+\r
+ Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST\r
+ accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via\r
+ ALPN. If the implementation does not support this, then it MUST set the\r
+ "Accepted" condition to "False" for the affected listener with a reason of\r
+ "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections\r
+ with an upgrade from HTTP/1.\r
+\r
+ Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST\r
+ support HTTP/2 over cleartext TCP (h2c,\r
+ https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial\r
+ upgrade from HTTP/1.1, i.e. with prior knowledge\r
+ (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation\r
+ does not support this, then it MUST set the "Accepted" condition to "False"\r
+ for the affected listener with a reason of "UnsupportedProtocol".\r
+ Implementations MAY also accept HTTP/2 connections with an upgrade from\r
+ HTTP/1, i.e. without prior knowledge.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of GRPCRoute.\r
+ properties:\r
+ hostnames:\r
+ description: |-\r
+ Hostnames defines a set of hostnames to match against the GRPC\r
+ Host header to select a GRPCRoute to process the request. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label MUST appear by itself as the first label.\r
+\r
+ If a hostname is specified by both the Listener and GRPCRoute, there\r
+ MUST be at least one intersecting hostname for the GRPCRoute to be\r
+ attached to the Listener. For example:\r
+\r
+ * A Listener with `test.example.com` as the hostname matches GRPCRoutes\r
+ that have either not specified any hostnames, or have specified at\r
+ least one of `test.example.com` or `*.example.com`.\r
+ * A Listener with `*.example.com` as the hostname matches GRPCRoutes\r
+ that have either not specified any hostnames or have specified at least\r
+ one hostname that matches the Listener hostname. For example,\r
+ `test.example.com` and `*.example.com` would both match. On the other\r
+ hand, `example.com` and `test.example.net` would not match.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ If both the Listener and GRPCRoute have specified hostnames, any\r
+ GRPCRoute hostnames that do not match the Listener hostname MUST be\r
+ ignored. For example, if a Listener specified `*.example.com`, and the\r
+ GRPCRoute specified `test.example.com` and `test.example.net`,\r
+ `test.example.net` MUST NOT be considered for a match.\r
+\r
+ If both the Listener and GRPCRoute have specified hostnames, and none\r
+ match with the criteria above, then the GRPCRoute MUST NOT be accepted by\r
+ the implementation. The implementation MUST raise an 'Accepted' Condition\r
+ with a status of `False` in the corresponding RouteParentStatus.\r
+\r
+ If a Route (A) of type HTTPRoute or GRPCRoute is attached to a\r
+ Listener and that listener already has another Route (B) of the other\r
+ type attached and the intersection of the hostnames of A and B is\r
+ non-empty, then the implementation MUST accept exactly one of these two\r
+ routes, determined by the following criteria, in order:\r
+\r
+ * The oldest Route based on creation timestamp.\r
+ * The Route appearing first in alphabetical order by\r
+ "{namespace}/{name}".\r
+\r
+ The rejected Route MUST raise an 'Accepted' condition with a status of\r
+ 'False' in the corresponding RouteParentStatus.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Hostname is the fully qualified domain name of a network host. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ Hostname can be "precise" which is a domain name without the terminating\r
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a\r
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).\r
+\r
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case\r
+ alphanumeric characters or '-', and must start and end with an alphanumeric\r
+ character. No other punctuation is allowed.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ parentRefs:\r
+ description: |+\r
+ ParentRefs references the resources (usually Gateways) that a Route wants\r
+ to be attached to. Note that the referenced parent resource needs to\r
+ allow this for the attachment to be complete. For Gateways, that means\r
+ the Gateway needs to allow attachment from Routes of this kind and\r
+ namespace. For Services, that means the Service must either be in the same\r
+ namespace for a "producer" route, or the mesh implementation must support\r
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is\r
+ not applicable for governing ParentRefs to Services - it is not possible to\r
+ create a "producer" route for a Service in a different namespace from the\r
+ Route.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ ParentRefs must be _distinct_. This means either that:\r
+\r
+ * They select different objects. If this is the case, then parentRef\r
+ entries are distinct. In terms of fields, this means that the\r
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must\r
+ be unique across all parentRef entries in the Route.\r
+ * They do not select different objects, but for each optional field used,\r
+ each ParentRef that selects the same object must set the same set of\r
+ optional fields to different values. If one ParentRef sets a\r
+ combination of optional fields, all must set the same combination.\r
+\r
+ Some examples:\r
+\r
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the\r
+ same object must also set `sectionName`.\r
+ * If one ParentRef sets `port`, all ParentRefs referencing the same\r
+ object must also set `port`.\r
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs\r
+ referencing the same object must also set `sectionName` and `port`.\r
+\r
+ It is possible to separately reference multiple distinct objects that may\r
+ be collapsed by an implementation. For example, some implementations may\r
+ choose to merge compatible Gateway Listeners together. If that is the\r
+ case, the list of routes attached to those resources should also be\r
+ merged.\r
+\r
+ Note that for ParentRefs that cross namespace boundaries, there are specific\r
+ rules. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example,\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable other kinds of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+\r
+\r
+\r
+ items:\r
+ description: |-\r
+ ParentReference identifies an API object (usually a Gateway) that can be considered\r
+ a parent of this resource (usually a route). There are two kinds of parent resources\r
+ with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: sectionName or port must be specified when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)\r
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName\r
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)\r
+ || p2.port == 0)): true))'\r
+ - message: sectionName or port must be unique when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)\r
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName\r
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName\r
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)\r
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port\r
+ == p2.port))))\r
+ rules:\r
+ description: |+\r
+ Rules are a list of GRPC matchers, filters and actions.\r
+\r
+ items:\r
+ description: |-\r
+ GRPCRouteRule defines the semantics for matching a gRPC request based on\r
+ conditions (matches), processing it (filters), and forwarding the request to\r
+ an API object (backendRefs).\r
+ properties:\r
+ backendRefs:\r
+ description: |-\r
+ BackendRefs defines the backend(s) where matching requests should be\r
+ sent.\r
+\r
+ Failure behavior here depends on how many BackendRefs are specified and\r
+ how many are invalid.\r
+\r
+ If *all* entries in BackendRefs are invalid, and there are also no filters\r
+ specified in this route rule, *all* traffic which matches this rule MUST\r
+ receive an `UNAVAILABLE` status.\r
+\r
+ See the GRPCBackendRef definition for the rules about what makes a single\r
+ GRPCBackendRef invalid.\r
+\r
+ When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for\r
+ requests that would have otherwise been routed to an invalid backend. If\r
+ multiple backends are specified, and some are invalid, the proportion of\r
+ requests that would otherwise have been routed to an invalid backend\r
+ MUST receive an `UNAVAILABLE` status.\r
+\r
+ For example, if two backends are specified with equal weights, and one is\r
+ invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.\r
+ Implementations may choose how that 50 percent is determined.\r
+\r
+ Support: Core for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+\r
+ Support for weight: Core\r
+ items:\r
+ description: |-\r
+ GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.\r
+\r
+ Note that when a namespace different than the local namespace is specified, a\r
+ ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ <gateway:experimental:description>\r
+\r
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD\r
+ honor the appProtocol field if it is set for the target Service Port.\r
+\r
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes\r
+ Standard Application Protocols defined in KEP-3726.\r
+\r
+ If a Service appProtocol isn't specified, an implementation MAY infer the\r
+ backend protocol through its own means. Implementations MAY infer the\r
+ protocol from the Route type referring to the backend Service.\r
+\r
+ If a Route is not able to send traffic to the backend using the specified\r
+ protocol then the backend is considered invalid. Implementations MUST set the\r
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.\r
+\r
+ </gateway:experimental:description>\r
+ properties:\r
+ filters:\r
+ description: |-\r
+ Filters defined at this level MUST be executed if and only if the\r
+ request is being forwarded to the backend defined here.\r
+\r
+ Support: Implementation-specific (For broader support of filters, use the\r
+ Filters field in GRPCRouteRule.)\r
+ items:\r
+ description: |-\r
+ GRPCRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. GRPCRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ Support: Implementation-specific\r
+\r
+ This filter can be used multiple times within the same rule.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For\r
+ example "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind\r
+ == ''Service'') ? has(self.port) : true'\r
+ fraction:\r
+ description: |+\r
+ Fraction represents the fraction of requests that should be\r
+ mirrored to BackendRef.\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ properties:\r
+ denominator:\r
+ default: 100\r
+ format: int32\r
+ minimum: 1\r
+ type: integer\r
+ numerator:\r
+ format: int32\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - numerator\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: numerator must be less than or equal\r
+ to denominator\r
+ rule: self.numerator <= self.denominator\r
+ percent:\r
+ description: |+\r
+ Percent represents the percentage of requests that should be\r
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of\r
+ requests) and its maximum value is 100 (indicating 100% of requests).\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ format: int32\r
+ maximum: 100\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Only one of percent or fraction may be\r
+ specified in HTTPRequestMirrorFilter\r
+ rule: '!(has(self.percent) && has(self.fraction))'\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |+\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations supporting GRPCRoute MUST support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` MUST be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ enum:\r
+ - ResponseHeaderModifier\r
+ - RequestHeaderModifier\r
+ - RequestMirror\r
+ - ExtensionRef\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil\r
+ if the filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type\r
+ != ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type\r
+ == ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil\r
+ if the filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type\r
+ != ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for\r
+ RequestMirror filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type ==\r
+ ''RequestMirror'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for\r
+ ExtensionRef filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ weight:\r
+ default: 1\r
+ description: |-\r
+ Weight specifies the proportion of requests forwarded to the referenced\r
+ backend. This is computed as weight/(sum of all weights in this\r
+ BackendRefs list). For non-zero values, there may be some epsilon from\r
+ the exact proportion defined here depending on the precision an\r
+ implementation supports. Weight is not a percentage and the sum of\r
+ weights does not need to equal 100.\r
+\r
+ If only one backend is specified and it has a weight greater than 0, 100%\r
+ of the traffic is forwarded to that backend. If weight is set to 0, no\r
+ traffic should be forwarded for this entry. If unspecified, weight\r
+ defaults to 1.\r
+\r
+ Support for this field varies based on the context where used.\r
+ format: int32\r
+ maximum: 1000000\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ maxItems: 16\r
+ type: array\r
+ filters:\r
+ description: |-\r
+ Filters define the filters that are applied to requests that match\r
+ this rule.\r
+\r
+ The effects of ordering of multiple behaviors are currently unspecified.\r
+ This can change in the future based on feedback during the alpha stage.\r
+\r
+ Conformance-levels at this level are defined based on the type of filter:\r
+\r
+ - ALL core filters MUST be supported by all implementations that support\r
+ GRPCRoute.\r
+ - Implementers are encouraged to support extended filters.\r
+ - Implementation-specific custom filters have no API guarantees across\r
+ implementations.\r
+\r
+ Specifying the same filter multiple times is not supported unless explicitly\r
+ indicated in the filter.\r
+\r
+ If an implementation can not support a combination of filters, it must clearly\r
+ document that limitation. In cases where incompatible or unsupported\r
+ filters are specified and cause the `Accepted` condition to be set to status\r
+ `False`, implementations may use the `IncompatibleFilters` reason to specify\r
+ this configuration error.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ GRPCRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. GRPCRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ Support: Implementation-specific\r
+\r
+ This filter can be used multiple times within the same rule.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For example\r
+ "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ fraction:\r
+ description: |+\r
+ Fraction represents the fraction of requests that should be\r
+ mirrored to BackendRef.\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ properties:\r
+ denominator:\r
+ default: 100\r
+ format: int32\r
+ minimum: 1\r
+ type: integer\r
+ numerator:\r
+ format: int32\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - numerator\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: numerator must be less than or equal to\r
+ denominator\r
+ rule: self.numerator <= self.denominator\r
+ percent:\r
+ description: |+\r
+ Percent represents the percentage of requests that should be\r
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of\r
+ requests) and its maximum value is 100 (indicating 100% of requests).\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ format: int32\r
+ maximum: 100\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Only one of percent or fraction may be specified\r
+ in HTTPRequestMirrorFilter\r
+ rule: '!(has(self.percent) && has(self.fraction))'\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |+\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations supporting GRPCRoute MUST support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` MUST be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ enum:\r
+ - ResponseHeaderModifier\r
+ - RequestHeaderModifier\r
+ - RequestMirror\r
+ - ExtensionRef\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil if the\r
+ filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type !=\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil if the\r
+ filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type !=\r
+ ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for RequestMirror\r
+ filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for ExtensionRef\r
+ filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ matches:\r
+ description: |-\r
+ Matches define conditions used for matching the rule against incoming\r
+ gRPC requests. Each match is independent, i.e. this rule will be matched\r
+ if **any** one of the matches is satisfied.\r
+\r
+ For example, take the following matches configuration:\r
+\r
+ ```\r
+ matches:\r
+ - method:\r
+ service: foo.bar\r
+ headers:\r
+ values:\r
+ version: 2\r
+ - method:\r
+ service: foo.bar.v2\r
+ ```\r
+\r
+ For a request to match against this rule, it MUST satisfy\r
+ EITHER of the two conditions:\r
+\r
+ - service of foo.bar AND contains the header `version: 2`\r
+ - service of foo.bar.v2\r
+\r
+ See the documentation for GRPCRouteMatch on how to specify multiple\r
+ match conditions to be ANDed together.\r
+\r
+ If no matches are specified, the implementation MUST match every gRPC request.\r
+\r
+ Proxy or Load Balancer routing configuration generated from GRPCRoutes\r
+ MUST prioritize rules based on the following criteria, continuing on\r
+ ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.\r
+ Precedence MUST be given to the rule with the largest number of:\r
+\r
+ * Characters in a matching non-wildcard hostname.\r
+ * Characters in a matching hostname.\r
+ * Characters in a matching service.\r
+ * Characters in a matching method.\r
+ * Header matches.\r
+\r
+ If ties still exist across multiple Routes, matching precedence MUST be\r
+ determined in order of the following criteria, continuing on ties:\r
+\r
+ * The oldest Route based on creation timestamp.\r
+ * The Route appearing first in alphabetical order by\r
+ "{namespace}/{name}".\r
+\r
+ If ties still exist within the Route that has been given precedence,\r
+ matching precedence MUST be granted to the first matching rule meeting\r
+ the above criteria.\r
+ items:\r
+ description: |-\r
+ GRPCRouteMatch defines the predicate used to match requests to a given\r
+ action. Multiple match types are ANDed together, i.e. the match will\r
+ evaluate to true only if all conditions are satisfied.\r
+\r
+ For example, the match below will match a gRPC request only if its service\r
+ is `foo` AND it contains the `version: v1` header:\r
+\r
+ ```\r
+ matches:\r
+ - method:\r
+ type: Exact\r
+ service: "foo"\r
+ headers:\r
+ - name: "version"\r
+ value "v1"\r
+\r
+ ```\r
+ properties:\r
+ headers:\r
+ description: |-\r
+ Headers specifies gRPC request header matchers. Multiple match values are\r
+ ANDed together, meaning, a request MUST match all the specified headers\r
+ to select the route.\r
+ items:\r
+ description: |-\r
+ GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request\r
+ headers.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the gRPC Header to be matched.\r
+\r
+ If multiple entries specify equivalent header names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: Type specifies how to match against\r
+ the value of the header.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of the gRPC Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ method:\r
+ description: |-\r
+ Method specifies a gRPC request service/method matcher. If this field is\r
+ not specified, all services and methods will match.\r
+ properties:\r
+ method:\r
+ description: |-\r
+ Value of the method to match against. If left empty or omitted, will\r
+ match all services.\r
+\r
+ At least one of Service and Method MUST be a non-empty string.\r
+ maxLength: 1024\r
+ type: string\r
+ service:\r
+ description: |-\r
+ Value of the service to match against. If left empty or omitted, will\r
+ match any service.\r
+\r
+ At least one of Service and Method MUST be a non-empty string.\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the service and/or method.\r
+ Support: Core (Exact with service and method specified)\r
+\r
+ Support: Implementation-specific (Exact with method specified but no service specified)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: One or both of 'service' or 'method' must be\r
+ specified\r
+ rule: 'has(self.type) ? has(self.service) || has(self.method)\r
+ : true'\r
+ - message: service must only contain valid characters\r
+ (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)\r
+ rule: '(!has(self.type) || self.type == ''Exact'') &&\r
+ has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):\r
+ true'\r
+ - message: method must only contain valid characters (matching\r
+ ^[A-Za-z_][A-Za-z_0-9]*$)\r
+ rule: '(!has(self.type) || self.type == ''Exact'') &&\r
+ has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):\r
+ true'\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ name:\r
+ description: |\r
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ sessionPersistence:\r
+ description: |+\r
+ SessionPersistence defines and configures session persistence\r
+ for the route rule.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ absoluteTimeout:\r
+ description: |-\r
+ AbsoluteTimeout defines the absolute timeout of the persistent\r
+ session. Once the AbsoluteTimeout duration has elapsed, the\r
+ session becomes invalid.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ cookieConfig:\r
+ description: |-\r
+ CookieConfig provides configuration settings that are specific\r
+ to cookie-based session persistence.\r
+\r
+ Support: Core\r
+ properties:\r
+ lifetimeType:\r
+ default: Session\r
+ description: |-\r
+ LifetimeType specifies whether the cookie has a permanent or\r
+ session-based lifetime. A permanent cookie persists until its\r
+ specified expiry time, defined by the Expires or Max-Age cookie\r
+ attributes, while a session cookie is deleted when the current\r
+ session ends.\r
+\r
+ When set to "Permanent", AbsoluteTimeout indicates the\r
+ cookie's lifetime via the Expires or Max-Age cookie attributes\r
+ and is required.\r
+\r
+ When set to "Session", AbsoluteTimeout indicates the\r
+ absolute lifetime of the cookie tracked by the gateway and\r
+ is optional.\r
+\r
+ Support: Core for "Session" type\r
+\r
+ Support: Extended for "Permanent" type\r
+ enum:\r
+ - Permanent\r
+ - Session\r
+ type: string\r
+ type: object\r
+ idleTimeout:\r
+ description: |-\r
+ IdleTimeout defines the idle timeout of the persistent session.\r
+ Once the session has been idle for more than the specified\r
+ IdleTimeout duration, the session becomes invalid.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ sessionName:\r
+ description: |-\r
+ SessionName defines the name of the persistent session token\r
+ which may be reflected in the cookie or the header. Users\r
+ should avoid reusing session names to prevent unintended\r
+ consequences, such as rejection or unpredictable behavior.\r
+\r
+ Support: Implementation-specific\r
+ maxLength: 128\r
+ type: string\r
+ type:\r
+ default: Cookie\r
+ description: |-\r
+ Type defines the type of session persistence such as through\r
+ the use a header or cookie. Defaults to cookie based session\r
+ persistence.\r
+\r
+ Support: Core for "Cookie" type\r
+\r
+ Support: Extended for "Header" type\r
+ enum:\r
+ - Cookie\r
+ - Header\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType\r
+ is Permanent\r
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)\r
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: While 16 rules and 64 matches per rule are allowed, the\r
+ total number of matches across all rules in a route must be less\r
+ than 128\r
+ rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size()\r
+ : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size()\r
+ : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size()\r
+ : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size()\r
+ : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size()\r
+ : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size()\r
+ : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size()\r
+ : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size()\r
+ : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size()\r
+ : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size()\r
+ : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size()\r
+ : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size()\r
+ : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size()\r
+ : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size()\r
+ : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size()\r
+ : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size()\r
+ : 0) : 0) <= 128'\r
+ - message: Rule name must be unique within the route\r
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)\r
+ && l1.name == l2.name))\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of GRPCRoute.\r
+ properties:\r
+ parents:\r
+ description: |-\r
+ Parents is a list of parent resources (usually Gateways) that are\r
+ associated with the route, and the status of the route with respect to\r
+ each parent. When this route attaches to a parent, the controller that\r
+ manages the parent must add an entry to this list when the controller\r
+ first sees the route and should update the entry as appropriate when the\r
+ route or gateway is modified.\r
+\r
+ Note that parent references that cannot be resolved by an implementation\r
+ of this API will not be added to this list. Implementations of this API\r
+ can only populate Route status for the Gateways/parent resources they are\r
+ responsible for.\r
+\r
+ A maximum of 32 Gateways will be represented in this list. An empty list\r
+ means the route has not been attached to any Gateway.\r
+ items:\r
+ description: |-\r
+ RouteParentStatus describes the status of a route with respect to an\r
+ associated Parent.\r
+ properties:\r
+ conditions:\r
+ description: |-\r
+ Conditions describes the status of the route with respect to the Gateway.\r
+ Note that the route's availability is also subject to the Gateway's own\r
+ status conditions and listener status.\r
+\r
+ If the Route's ParentRef specifies an existing Gateway that supports\r
+ Routes of this kind AND that Gateway's controller has sufficient access,\r
+ then that Gateway's controller MUST set the "Accepted" condition on the\r
+ Route, to indicate whether the route has been accepted or rejected by the\r
+ Gateway, and why.\r
+\r
+ A Route MUST be considered "Accepted" if at least one of the Route's\r
+ rules is implemented by the Gateway.\r
+\r
+ There are a number of cases where the "Accepted" condition may not be set\r
+ due to lack of controller visibility, that includes when:\r
+\r
+ * The Route refers to a non-existent parent.\r
+ * The Route is of a type that the controller does not support.\r
+ * The Route is in a namespace the controller does not have access to.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ parentRef:\r
+ description: |-\r
+ ParentRef corresponds with a ParentRef in the spec that this\r
+ RouteParentStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ - parentRef\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ required:\r
+ - parents\r
+ type: object\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ name: httproutes.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: HTTPRoute\r
+ listKind: HTTPRouteList\r
+ plural: httproutes\r
+ singular: httproute\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.hostnames\r
+ name: Hostnames\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ HTTPRoute provides a way to route HTTP requests. This includes the capability\r
+ to match requests by hostname, path, header, or query param. Filters can be\r
+ used to specify additional processing steps. Backends specify where matching\r
+ requests should be routed.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of HTTPRoute.\r
+ properties:\r
+ hostnames:\r
+ description: |-\r
+ Hostnames defines a set of hostnames that should match against the HTTP Host\r
+ header to select a HTTPRoute used to process the request. Implementations\r
+ MUST ignore any port value specified in the HTTP Host header while\r
+ performing a match and (absent of any applicable header modification\r
+ configuration) MUST forward this header unmodified to the backend.\r
+\r
+ Valid values for Hostnames are determined by RFC 1123 definition of a\r
+ hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ If a hostname is specified by both the Listener and HTTPRoute, there\r
+ must be at least one intersecting hostname for the HTTPRoute to be\r
+ attached to the Listener. For example:\r
+\r
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes\r
+ that have either not specified any hostnames, or have specified at\r
+ least one of `test.example.com` or `*.example.com`.\r
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes\r
+ that have either not specified any hostnames or have specified at least\r
+ one hostname that matches the Listener hostname. For example,\r
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would\r
+ all match. On the other hand, `example.com` and `test.example.net` would\r
+ not match.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ If both the Listener and HTTPRoute have specified hostnames, any\r
+ HTTPRoute hostnames that do not match the Listener hostname MUST be\r
+ ignored. For example, if a Listener specified `*.example.com`, and the\r
+ HTTPRoute specified `test.example.com` and `test.example.net`,\r
+ `test.example.net` must not be considered for a match.\r
+\r
+ If both the Listener and HTTPRoute have specified hostnames, and none\r
+ match with the criteria above, then the HTTPRoute is not accepted. The\r
+ implementation must raise an 'Accepted' Condition with a status of\r
+ `False` in the corresponding RouteParentStatus.\r
+\r
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.\r
+ overlapping wildcard matching and exact matching hostnames), precedence must\r
+ be given to rules from the HTTPRoute with the largest number of:\r
+\r
+ * Characters in a matching non-wildcard hostname.\r
+ * Characters in a matching hostname.\r
+\r
+ If ties exist across multiple Routes, the matching precedence rules for\r
+ HTTPRouteMatches takes over.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Hostname is the fully qualified domain name of a network host. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ Hostname can be "precise" which is a domain name without the terminating\r
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a\r
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).\r
+\r
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case\r
+ alphanumeric characters or '-', and must start and end with an alphanumeric\r
+ character. No other punctuation is allowed.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ parentRefs:\r
+ description: |+\r
+ ParentRefs references the resources (usually Gateways) that a Route wants\r
+ to be attached to. Note that the referenced parent resource needs to\r
+ allow this for the attachment to be complete. For Gateways, that means\r
+ the Gateway needs to allow attachment from Routes of this kind and\r
+ namespace. For Services, that means the Service must either be in the same\r
+ namespace for a "producer" route, or the mesh implementation must support\r
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is\r
+ not applicable for governing ParentRefs to Services - it is not possible to\r
+ create a "producer" route for a Service in a different namespace from the\r
+ Route.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ ParentRefs must be _distinct_. This means either that:\r
+\r
+ * They select different objects. If this is the case, then parentRef\r
+ entries are distinct. In terms of fields, this means that the\r
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must\r
+ be unique across all parentRef entries in the Route.\r
+ * They do not select different objects, but for each optional field used,\r
+ each ParentRef that selects the same object must set the same set of\r
+ optional fields to different values. If one ParentRef sets a\r
+ combination of optional fields, all must set the same combination.\r
+\r
+ Some examples:\r
+\r
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the\r
+ same object must also set `sectionName`.\r
+ * If one ParentRef sets `port`, all ParentRefs referencing the same\r
+ object must also set `port`.\r
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs\r
+ referencing the same object must also set `sectionName` and `port`.\r
+\r
+ It is possible to separately reference multiple distinct objects that may\r
+ be collapsed by an implementation. For example, some implementations may\r
+ choose to merge compatible Gateway Listeners together. If that is the\r
+ case, the list of routes attached to those resources should also be\r
+ merged.\r
+\r
+ Note that for ParentRefs that cross namespace boundaries, there are specific\r
+ rules. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example,\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable other kinds of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+\r
+\r
+\r
+ items:\r
+ description: |-\r
+ ParentReference identifies an API object (usually a Gateway) that can be considered\r
+ a parent of this resource (usually a route). There are two kinds of parent resources\r
+ with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: sectionName or port must be specified when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)\r
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName\r
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)\r
+ || p2.port == 0)): true))'\r
+ - message: sectionName or port must be unique when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)\r
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName\r
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName\r
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)\r
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port\r
+ == p2.port))))\r
+ rules:\r
+ default:\r
+ - matches:\r
+ - path:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |+\r
+ Rules are a list of HTTP matchers, filters and actions.\r
+\r
+ items:\r
+ description: |-\r
+ HTTPRouteRule defines semantics for matching an HTTP request based on\r
+ conditions (matches), processing it (filters), and forwarding the request to\r
+ an API object (backendRefs).\r
+ properties:\r
+ backendRefs:\r
+ description: |-\r
+ BackendRefs defines the backend(s) where matching requests should be\r
+ sent.\r
+\r
+ Failure behavior here depends on how many BackendRefs are specified and\r
+ how many are invalid.\r
+\r
+ If *all* entries in BackendRefs are invalid, and there are also no filters\r
+ specified in this route rule, *all* traffic which matches this rule MUST\r
+ receive a 500 status code.\r
+\r
+ See the HTTPBackendRef definition for the rules about what makes a single\r
+ HTTPBackendRef invalid.\r
+\r
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for\r
+ requests that would have otherwise been routed to an invalid backend. If\r
+ multiple backends are specified, and some are invalid, the proportion of\r
+ requests that would otherwise have been routed to an invalid backend\r
+ MUST receive a 500 status code.\r
+\r
+ For example, if two backends are specified with equal weights, and one is\r
+ invalid, 50 percent of traffic must receive a 500. Implementations may\r
+ choose how that 50 percent is determined.\r
+\r
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,\r
+ implementations SHOULD return a 503 for requests to that backend instead.\r
+ If an implementation chooses to do this, all of the above rules for 500 responses\r
+ MUST also apply for responses that return a 503.\r
+\r
+ Support: Core for Kubernetes Service\r
+\r
+ Support: Extended for Kubernetes ServiceImport\r
+\r
+ Support: Implementation-specific for any other resource\r
+\r
+ Support for weight: Core\r
+ items:\r
+ description: |-\r
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.\r
+\r
+ Note that when a namespace different than the local namespace is specified, a\r
+ ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ <gateway:experimental:description>\r
+\r
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD\r
+ honor the appProtocol field if it is set for the target Service Port.\r
+\r
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes\r
+ Standard Application Protocols defined in KEP-3726.\r
+\r
+ If a Service appProtocol isn't specified, an implementation MAY infer the\r
+ backend protocol through its own means. Implementations MAY infer the\r
+ protocol from the Route type referring to the backend Service.\r
+\r
+ If a Route is not able to send traffic to the backend using the specified\r
+ protocol then the backend is considered invalid. Implementations MUST set the\r
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.\r
+\r
+ </gateway:experimental:description>\r
+ properties:\r
+ filters:\r
+ description: |-\r
+ Filters defined at this level should be executed if and only if the\r
+ request is being forwarded to the backend defined here.\r
+\r
+ Support: Implementation-specific (For broader support of filters, use the\r
+ Filters field in HTTPRouteRule.)\r
+ items:\r
+ description: |-\r
+ HTTPRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. HTTPRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ This filter can be used multiple times within the same rule.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For\r
+ example "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind\r
+ == ''Service'') ? has(self.port) : true'\r
+ fraction:\r
+ description: |+\r
+ Fraction represents the fraction of requests that should be\r
+ mirrored to BackendRef.\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ properties:\r
+ denominator:\r
+ default: 100\r
+ format: int32\r
+ minimum: 1\r
+ type: integer\r
+ numerator:\r
+ format: int32\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - numerator\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: numerator must be less than or equal\r
+ to denominator\r
+ rule: self.numerator <= self.denominator\r
+ percent:\r
+ description: |+\r
+ Percent represents the percentage of requests that should be\r
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of\r
+ requests) and its maximum value is 100 (indicating 100% of requests).\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ format: int32\r
+ maximum: 100\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Only one of percent or fraction may be\r
+ specified in HTTPRequestMirrorFilter\r
+ rule: '!(has(self.percent) && has(self.fraction))'\r
+ requestRedirect:\r
+ description: |-\r
+ RequestRedirect defines a schema for a filter that responds to the\r
+ request with an HTTP redirection.\r
+\r
+ Support: Core\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the hostname to be used in the value of the `Location`\r
+ header in the response.\r
+ When empty, the hostname in the `Host` header of the request is used.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines parameters used to modify the path of the incoming request.\r
+ The modified path is then used to construct the `Location` header. When\r
+ empty, the request path is used as-is.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified\r
+ when type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ?\r
+ has(self.replaceFullPath) : true'\r
+ - message: type must be 'ReplaceFullPath' when\r
+ replaceFullPath is set\r
+ rule: 'has(self.replaceFullPath) ? self.type\r
+ == ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified\r
+ when type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch''\r
+ ? has(self.replacePrefixMatch) : true'\r
+ - message: type must be 'ReplacePrefixMatch'\r
+ when replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ port:\r
+ description: |-\r
+ Port is the port to be used in the value of the `Location`\r
+ header in the response.\r
+\r
+ If no port is specified, the redirect port MUST be derived using the\r
+ following rules:\r
+\r
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known\r
+ port associated with the redirect scheme. Specifically "http" to port 80\r
+ and "https" to port 443. If the redirect scheme does not have a\r
+ well-known port, the listener port of the Gateway SHOULD be used.\r
+ * If redirect scheme is empty, the redirect port MUST be the Gateway\r
+ Listener port.\r
+\r
+ Implementations SHOULD NOT add the port number in the 'Location'\r
+ header in the following cases:\r
+\r
+ * A Location header that will use HTTP (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 80.\r
+ * A Location header that will use HTTPS (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 443.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ scheme:\r
+ description: |-\r
+ Scheme is the scheme to be used in the value of the `Location` header in\r
+ the response. When empty, the scheme of the request is used.\r
+\r
+ Scheme redirects can affect the port of the redirect, for more information,\r
+ refer to the documentation for the port field of this filter.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - http\r
+ - https\r
+ type: string\r
+ statusCode:\r
+ default: 302\r
+ description: |-\r
+ StatusCode is the HTTP status code to be used in response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Core\r
+ enum:\r
+ - 301\r
+ - 302\r
+ type: integer\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |-\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations must support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by\r
+ specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` should be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - RequestHeaderModifier\r
+ - ResponseHeaderModifier\r
+ - RequestMirror\r
+ - RequestRedirect\r
+ - URLRewrite\r
+ - ExtensionRef\r
+ type: string\r
+ urlRewrite:\r
+ description: |-\r
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.\r
+\r
+ Support: Extended\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the value to be used to replace the Host header value during\r
+ forwarding.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines a path rewrite.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified\r
+ when type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ?\r
+ has(self.replaceFullPath) : true'\r
+ - message: type must be 'ReplaceFullPath' when\r
+ replaceFullPath is set\r
+ rule: 'has(self.replaceFullPath) ? self.type\r
+ == ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified\r
+ when type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch''\r
+ ? has(self.replacePrefixMatch) : true'\r
+ - message: type must be 'ReplacePrefixMatch'\r
+ when replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ type: object\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil\r
+ if the filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type\r
+ != ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type\r
+ == ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil\r
+ if the filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type\r
+ != ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for\r
+ RequestMirror filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type ==\r
+ ''RequestMirror'')'\r
+ - message: filter.requestRedirect must be nil if the\r
+ filter.type is not RequestRedirect\r
+ rule: '!(has(self.requestRedirect) && self.type !=\r
+ ''RequestRedirect'')'\r
+ - message: filter.requestRedirect must be specified\r
+ for RequestRedirect filter.type\r
+ rule: '!(!has(self.requestRedirect) && self.type ==\r
+ ''RequestRedirect'')'\r
+ - message: filter.urlRewrite must be nil if the filter.type\r
+ is not URLRewrite\r
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'\r
+ - message: filter.urlRewrite must be specified for URLRewrite\r
+ filter.type\r
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for\r
+ ExtensionRef filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')\r
+ && self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')\r
+ && self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ - message: RequestRedirect filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestRedirect').size()\r
+ <= 1\r
+ - message: URLRewrite filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'URLRewrite').size()\r
+ <= 1\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ weight:\r
+ default: 1\r
+ description: |-\r
+ Weight specifies the proportion of requests forwarded to the referenced\r
+ backend. This is computed as weight/(sum of all weights in this\r
+ BackendRefs list). For non-zero values, there may be some epsilon from\r
+ the exact proportion defined here depending on the precision an\r
+ implementation supports. Weight is not a percentage and the sum of\r
+ weights does not need to equal 100.\r
+\r
+ If only one backend is specified and it has a weight greater than 0, 100%\r
+ of the traffic is forwarded to that backend. If weight is set to 0, no\r
+ traffic should be forwarded for this entry. If unspecified, weight\r
+ defaults to 1.\r
+\r
+ Support for this field varies based on the context where used.\r
+ format: int32\r
+ maximum: 1000000\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ maxItems: 16\r
+ type: array\r
+ filters:\r
+ description: |-\r
+ Filters define the filters that are applied to requests that match\r
+ this rule.\r
+\r
+ Wherever possible, implementations SHOULD implement filters in the order\r
+ they are specified.\r
+\r
+ Implementations MAY choose to implement this ordering strictly, rejecting\r
+ any combination or order of filters that can not be supported. If implementations\r
+ choose a strict interpretation of filter ordering, they MUST clearly document\r
+ that behavior.\r
+\r
+ To reject an invalid combination or order of filters, implementations SHOULD\r
+ consider the Route Rules with this configuration invalid. If all Route Rules\r
+ in a Route are invalid, the entire Route would be considered invalid. If only\r
+ a portion of Route Rules are invalid, implementations MUST set the\r
+ "PartiallyInvalid" condition for the Route.\r
+\r
+ Conformance-levels at this level are defined based on the type of filter:\r
+\r
+ - ALL core filters MUST be supported by all implementations.\r
+ - Implementers are encouraged to support extended filters.\r
+ - Implementation-specific custom filters have no API guarantees across\r
+ implementations.\r
+\r
+ Specifying the same filter multiple times is not supported unless explicitly\r
+ indicated in the filter.\r
+\r
+ All filters are expected to be compatible with each other except for the\r
+ URLRewrite and RequestRedirect filters, which may not be combined. If an\r
+ implementation can not support other combinations of filters, they must clearly\r
+ document that limitation. In cases where incompatible or unsupported\r
+ filters are specified and cause the `Accepted` condition to be set to status\r
+ `False`, implementations may use the `IncompatibleFilters` reason to specify\r
+ this configuration error.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ HTTPRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. HTTPRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ This filter can be used multiple times within the same rule.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For example\r
+ "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ fraction:\r
+ description: |+\r
+ Fraction represents the fraction of requests that should be\r
+ mirrored to BackendRef.\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ properties:\r
+ denominator:\r
+ default: 100\r
+ format: int32\r
+ minimum: 1\r
+ type: integer\r
+ numerator:\r
+ format: int32\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - numerator\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: numerator must be less than or equal to\r
+ denominator\r
+ rule: self.numerator <= self.denominator\r
+ percent:\r
+ description: |+\r
+ Percent represents the percentage of requests that should be\r
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of\r
+ requests) and its maximum value is 100 (indicating 100% of requests).\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ format: int32\r
+ maximum: 100\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Only one of percent or fraction may be specified\r
+ in HTTPRequestMirrorFilter\r
+ rule: '!(has(self.percent) && has(self.fraction))'\r
+ requestRedirect:\r
+ description: |-\r
+ RequestRedirect defines a schema for a filter that responds to the\r
+ request with an HTTP redirection.\r
+\r
+ Support: Core\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the hostname to be used in the value of the `Location`\r
+ header in the response.\r
+ When empty, the hostname in the `Host` header of the request is used.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines parameters used to modify the path of the incoming request.\r
+ The modified path is then used to construct the `Location` header. When\r
+ empty, the request path is used as-is.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified when\r
+ type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)\r
+ : true'\r
+ - message: type must be 'ReplaceFullPath' when replaceFullPath\r
+ is set\r
+ rule: 'has(self.replaceFullPath) ? self.type ==\r
+ ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified when\r
+ type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)\r
+ : true'\r
+ - message: type must be 'ReplacePrefixMatch' when\r
+ replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ port:\r
+ description: |-\r
+ Port is the port to be used in the value of the `Location`\r
+ header in the response.\r
+\r
+ If no port is specified, the redirect port MUST be derived using the\r
+ following rules:\r
+\r
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known\r
+ port associated with the redirect scheme. Specifically "http" to port 80\r
+ and "https" to port 443. If the redirect scheme does not have a\r
+ well-known port, the listener port of the Gateway SHOULD be used.\r
+ * If redirect scheme is empty, the redirect port MUST be the Gateway\r
+ Listener port.\r
+\r
+ Implementations SHOULD NOT add the port number in the 'Location'\r
+ header in the following cases:\r
+\r
+ * A Location header that will use HTTP (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 80.\r
+ * A Location header that will use HTTPS (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 443.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ scheme:\r
+ description: |-\r
+ Scheme is the scheme to be used in the value of the `Location` header in\r
+ the response. When empty, the scheme of the request is used.\r
+\r
+ Scheme redirects can affect the port of the redirect, for more information,\r
+ refer to the documentation for the port field of this filter.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - http\r
+ - https\r
+ type: string\r
+ statusCode:\r
+ default: 302\r
+ description: |-\r
+ StatusCode is the HTTP status code to be used in response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Core\r
+ enum:\r
+ - 301\r
+ - 302\r
+ type: integer\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |-\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations must support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by\r
+ specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` should be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - RequestHeaderModifier\r
+ - ResponseHeaderModifier\r
+ - RequestMirror\r
+ - RequestRedirect\r
+ - URLRewrite\r
+ - ExtensionRef\r
+ type: string\r
+ urlRewrite:\r
+ description: |-\r
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.\r
+\r
+ Support: Extended\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the value to be used to replace the Host header value during\r
+ forwarding.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines a path rewrite.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified when\r
+ type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)\r
+ : true'\r
+ - message: type must be 'ReplaceFullPath' when replaceFullPath\r
+ is set\r
+ rule: 'has(self.replaceFullPath) ? self.type ==\r
+ ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified when\r
+ type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)\r
+ : true'\r
+ - message: type must be 'ReplacePrefixMatch' when\r
+ replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ type: object\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil if the\r
+ filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type !=\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil if the\r
+ filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type !=\r
+ ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for RequestMirror\r
+ filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'\r
+ - message: filter.requestRedirect must be nil if the filter.type\r
+ is not RequestRedirect\r
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'\r
+ - message: filter.requestRedirect must be specified for RequestRedirect\r
+ filter.type\r
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'\r
+ - message: filter.urlRewrite must be nil if the filter.type\r
+ is not URLRewrite\r
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'\r
+ - message: filter.urlRewrite must be specified for URLRewrite\r
+ filter.type\r
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for ExtensionRef\r
+ filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&\r
+ self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ - message: RequestRedirect filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=\r
+ 1\r
+ - message: URLRewrite filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1\r
+ matches:\r
+ default:\r
+ - path:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |-\r
+ Matches define conditions used for matching the rule against incoming\r
+ HTTP requests. Each match is independent, i.e. this rule will be matched\r
+ if **any** one of the matches is satisfied.\r
+\r
+ For example, take the following matches configuration:\r
+\r
+ ```\r
+ matches:\r
+ - path:\r
+ value: "/foo"\r
+ headers:\r
+ - name: "version"\r
+ value: "v2"\r
+ - path:\r
+ value: "/v2/foo"\r
+ ```\r
+\r
+ For a request to match against this rule, a request must satisfy\r
+ EITHER of the two conditions:\r
+\r
+ - path prefixed with `/foo` AND contains the header `version: v2`\r
+ - path prefix of `/v2/foo`\r
+\r
+ See the documentation for HTTPRouteMatch on how to specify multiple\r
+ match conditions that should be ANDed together.\r
+\r
+ If no matches are specified, the default is a prefix\r
+ path match on "/", which has the effect of matching every\r
+ HTTP request.\r
+\r
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes\r
+ MUST prioritize matches based on the following criteria, continuing on\r
+ ties. Across all rules specified on applicable Routes, precedence must be\r
+ given to the match having:\r
+\r
+ * "Exact" path match.\r
+ * "Prefix" path match with largest number of characters.\r
+ * Method match.\r
+ * Largest number of header matches.\r
+ * Largest number of query param matches.\r
+\r
+ Note: The precedence of RegularExpression path matches are implementation-specific.\r
+\r
+ If ties still exist across multiple Routes, matching precedence MUST be\r
+ determined in order of the following criteria, continuing on ties:\r
+\r
+ * The oldest Route based on creation timestamp.\r
+ * The Route appearing first in alphabetical order by\r
+ "{namespace}/{name}".\r
+\r
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted\r
+ to the FIRST matching rule (in list order) with a match meeting the above\r
+ criteria.\r
+\r
+ When no rules matching a request have been successfully attached to the\r
+ parent a request is coming from, a HTTP 404 status code MUST be returned.\r
+ items:\r
+ description: "HTTPRouteMatch defines the predicate used to\r
+ match requests to a given\naction. Multiple match types\r
+ are ANDed together, i.e. the match will\nevaluate to true\r
+ only if all conditions are satisfied.\n\nFor example, the\r
+ match below will match a HTTP request only if its path\nstarts\r
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t\r
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t\r
+ \ value \"v1\"\n\n```"\r
+ properties:\r
+ headers:\r
+ description: |-\r
+ Headers specifies HTTP request header matchers. Multiple match values are\r
+ ANDed together, meaning, a request must match all the specified headers\r
+ to select the route.\r
+ items:\r
+ description: |-\r
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request\r
+ headers.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+\r
+ When a header is repeated in an HTTP request, it is\r
+ implementation-specific behavior as to how this is represented.\r
+ Generally, proxies should follow the guidance from the RFC:\r
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding\r
+ processing a repeated header, with special handling for "Set-Cookie".\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the value of the header.\r
+\r
+ Support: Core (Exact)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+\r
+ Since RegularExpression HeaderMatchType has implementation-specific\r
+ conformance, implementations can support POSIX, PCRE or any other dialects\r
+ of regular expressions. Please read the implementation's documentation to\r
+ determine the supported dialect.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header to\r
+ be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ method:\r
+ description: |-\r
+ Method specifies HTTP method matcher.\r
+ When specified, this route will be matched only if the request has the\r
+ specified method.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - GET\r
+ - HEAD\r
+ - POST\r
+ - PUT\r
+ - DELETE\r
+ - CONNECT\r
+ - OPTIONS\r
+ - TRACE\r
+ - PATCH\r
+ type: string\r
+ path:\r
+ default:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |-\r
+ Path specifies a HTTP request path matcher. If this field is not\r
+ specified, a default prefix match on the "/" path is provided.\r
+ properties:\r
+ type:\r
+ default: PathPrefix\r
+ description: |-\r
+ Type specifies how to match against the path Value.\r
+\r
+ Support: Core (Exact, PathPrefix)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+ enum:\r
+ - Exact\r
+ - PathPrefix\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ default: /\r
+ description: Value of the HTTP path to match against.\r
+ maxLength: 1024\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: value must be an absolute path and start with\r
+ '/' when type one of ['Exact', 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')\r
+ : true'\r
+ - message: must not contain '//' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')\r
+ : true'\r
+ - message: must not contain '/./' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')\r
+ : true'\r
+ - message: must not contain '/../' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')\r
+ : true'\r
+ - message: must not contain '%2f' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')\r
+ : true'\r
+ - message: must not contain '%2F' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')\r
+ : true'\r
+ - message: must not contain '#' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')\r
+ : true'\r
+ - message: must not end with '/..' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')\r
+ : true'\r
+ - message: must not end with '/.' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')\r
+ : true'\r
+ - message: type must be one of ['Exact', 'PathPrefix',\r
+ 'RegularExpression']\r
+ rule: self.type in ['Exact','PathPrefix'] || self.type\r
+ == 'RegularExpression'\r
+ - message: must only contain valid characters (matching\r
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)\r
+ for types ['Exact', 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")\r
+ : true'\r
+ queryParams:\r
+ description: |-\r
+ QueryParams specifies HTTP query parameter matchers. Multiple match\r
+ values are ANDed together, meaning, a request must match all the\r
+ specified query parameters to select the route.\r
+\r
+ Support: Extended\r
+ items:\r
+ description: |-\r
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP\r
+ query parameters.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP query param to be matched. This must be an\r
+ exact string match. (See\r
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).\r
+\r
+ If multiple entries specify equivalent query param names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent query param name MUST be ignored.\r
+\r
+ If a query param is repeated in an HTTP request, the behavior is\r
+ purposely left undefined, since different data planes have different\r
+ capabilities. However, it is *recommended* that implementations should\r
+ match against the first value of the param if the data plane supports it,\r
+ as this behavior is expected in other load balancing contexts outside of\r
+ the Gateway API.\r
+\r
+ Users SHOULD NOT route traffic based on repeated query params to guard\r
+ themselves against potential differences in the implementations.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the value of the query parameter.\r
+\r
+ Support: Extended (Exact)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+\r
+ Since RegularExpression QueryParamMatchType has Implementation-specific\r
+ conformance, implementations can support POSIX, PCRE or any other\r
+ dialects of regular expressions. Please read the implementation's\r
+ documentation to determine the supported dialect.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP query param\r
+ to be matched.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ name:\r
+ description: |\r
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ retry:\r
+ description: |+\r
+ Retry defines the configuration for when to retry an HTTP request.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ attempts:\r
+ description: |-\r
+ Attempts specifies the maximum number of times an individual request\r
+ from the gateway to a backend should be retried.\r
+\r
+ If the maximum number of retries has been attempted without a successful\r
+ response from the backend, the Gateway MUST return an error.\r
+\r
+ When this field is unspecified, the number of times to attempt to retry\r
+ a backend request is implementation-specific.\r
+\r
+ Support: Extended\r
+ type: integer\r
+ backoff:\r
+ description: |-\r
+ Backoff specifies the minimum duration a Gateway should wait between\r
+ retry attempts and is represented in Gateway API Duration formatting.\r
+\r
+ For example, setting the `rules[].retry.backoff` field to the value\r
+ `100ms` will cause a backend request to first be retried approximately\r
+ 100 milliseconds after timing out or receiving a response code configured\r
+ to be retryable.\r
+\r
+ An implementation MAY use an exponential or alternative backoff strategy\r
+ for subsequent retry attempts, MAY cap the maximum backoff duration to\r
+ some amount greater than the specified minimum, and MAY add arbitrary\r
+ jitter to stagger requests, as long as unsuccessful backend requests are\r
+ not retried before the configured minimum duration.\r
+\r
+ If a Request timeout (`rules[].timeouts.request`) is configured on the\r
+ route, the entire duration of the initial request and any retry attempts\r
+ MUST not exceed the Request timeout duration. If any retry attempts are\r
+ still in progress when the Request timeout duration has been reached,\r
+ these SHOULD be canceled if possible and the Gateway MUST immediately\r
+ return a timeout error.\r
+\r
+ If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is\r
+ configured on the route, any retry attempts which reach the configured\r
+ BackendRequest timeout duration without a response SHOULD be canceled if\r
+ possible and the Gateway should wait for at least the specified backoff\r
+ duration before attempting to retry the backend request again.\r
+\r
+ If a BackendRequest timeout is _not_ configured on the route, retry\r
+ attempts MAY time out after an implementation default duration, or MAY\r
+ remain pending until a configured Request timeout or implementation\r
+ default duration for total request time is reached.\r
+\r
+ When this field is unspecified, the time to wait between retry attempts\r
+ is implementation-specific.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ codes:\r
+ description: |-\r
+ Codes defines the HTTP response status codes for which a backend request\r
+ should be retried.\r
+\r
+ Support: Extended\r
+ items:\r
+ description: |-\r
+ HTTPRouteRetryStatusCode defines an HTTP response status code for\r
+ which a backend request should be retried.\r
+\r
+ Implementations MUST support the following status codes as retryable:\r
+\r
+ * 500\r
+ * 502\r
+ * 503\r
+ * 504\r
+\r
+ Implementations MAY support specifying additional discrete values in the\r
+ 500-599 range.\r
+\r
+ Implementations MAY support specifying discrete values in the 400-499 range,\r
+ which are often inadvisable to retry.\r
+\r
+ <gateway:experimental>\r
+ maximum: 599\r
+ minimum: 400\r
+ type: integer\r
+ type: array\r
+ type: object\r
+ sessionPersistence:\r
+ description: |+\r
+ SessionPersistence defines and configures session persistence\r
+ for the route rule.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ absoluteTimeout:\r
+ description: |-\r
+ AbsoluteTimeout defines the absolute timeout of the persistent\r
+ session. Once the AbsoluteTimeout duration has elapsed, the\r
+ session becomes invalid.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ cookieConfig:\r
+ description: |-\r
+ CookieConfig provides configuration settings that are specific\r
+ to cookie-based session persistence.\r
+\r
+ Support: Core\r
+ properties:\r
+ lifetimeType:\r
+ default: Session\r
+ description: |-\r
+ LifetimeType specifies whether the cookie has a permanent or\r
+ session-based lifetime. A permanent cookie persists until its\r
+ specified expiry time, defined by the Expires or Max-Age cookie\r
+ attributes, while a session cookie is deleted when the current\r
+ session ends.\r
+\r
+ When set to "Permanent", AbsoluteTimeout indicates the\r
+ cookie's lifetime via the Expires or Max-Age cookie attributes\r
+ and is required.\r
+\r
+ When set to "Session", AbsoluteTimeout indicates the\r
+ absolute lifetime of the cookie tracked by the gateway and\r
+ is optional.\r
+\r
+ Support: Core for "Session" type\r
+\r
+ Support: Extended for "Permanent" type\r
+ enum:\r
+ - Permanent\r
+ - Session\r
+ type: string\r
+ type: object\r
+ idleTimeout:\r
+ description: |-\r
+ IdleTimeout defines the idle timeout of the persistent session.\r
+ Once the session has been idle for more than the specified\r
+ IdleTimeout duration, the session becomes invalid.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ sessionName:\r
+ description: |-\r
+ SessionName defines the name of the persistent session token\r
+ which may be reflected in the cookie or the header. Users\r
+ should avoid reusing session names to prevent unintended\r
+ consequences, such as rejection or unpredictable behavior.\r
+\r
+ Support: Implementation-specific\r
+ maxLength: 128\r
+ type: string\r
+ type:\r
+ default: Cookie\r
+ description: |-\r
+ Type defines the type of session persistence such as through\r
+ the use a header or cookie. Defaults to cookie based session\r
+ persistence.\r
+\r
+ Support: Core for "Cookie" type\r
+\r
+ Support: Extended for "Header" type\r
+ enum:\r
+ - Cookie\r
+ - Header\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType\r
+ is Permanent\r
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)\r
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'\r
+ timeouts:\r
+ description: |-\r
+ Timeouts defines the timeouts that can be configured for an HTTP request.\r
+\r
+ Support: Extended\r
+ properties:\r
+ backendRequest:\r
+ description: |-\r
+ BackendRequest specifies a timeout for an individual request from the gateway\r
+ to a backend. This covers the time from when the request first starts being\r
+ sent from the gateway to when the full response has been received from the backend.\r
+\r
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout\r
+ completely. Implementations that cannot completely disable the timeout MUST\r
+ instead interpret the zero duration as the longest possible value to which\r
+ the timeout can be set.\r
+\r
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,\r
+ may result in more than one call from the gateway to the destination backend,\r
+ for example, if automatic retries are supported.\r
+\r
+ The value of BackendRequest must be a Gateway API Duration string as defined by\r
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;\r
+ when specified, the value of BackendRequest must be no more than the value of the\r
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ request:\r
+ description: |-\r
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.\r
+ If the gateway has not been able to respond before this deadline is met, the gateway\r
+ MUST return a timeout error.\r
+\r
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an\r
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds\r
+ to complete.\r
+\r
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout\r
+ completely. Implementations that cannot completely disable the timeout MUST\r
+ instead interpret the zero duration as the longest possible value to which\r
+ the timeout can be set.\r
+\r
+ This timeout is intended to cover as close to the whole request-response transaction\r
+ as possible although an implementation MAY choose to start the timeout after the entire\r
+ request stream has been received instead of immediately after the transaction is\r
+ initiated by the client.\r
+\r
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this\r
+ field is unspecified, request timeout behavior is implementation-specific.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: backendRequest timeout cannot be longer than request\r
+ timeout\r
+ rule: '!(has(self.request) && has(self.backendRequest) &&\r
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)\r
+ > duration(self.request))'\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: RequestRedirect filter must not be used together with\r
+ backendRefs\r
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?\r
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):\r
+ true'\r
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,\r
+ exactly one PathPrefix match must be specified\r
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)\r
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type\r
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))\r
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||\r
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)\r
+ : true'\r
+ - message: When using URLRewrite filter with path.replacePrefixMatch,\r
+ exactly one PathPrefix match must be specified\r
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)\r
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''\r
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)\r
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type\r
+ != ''PathPrefix'') ? false : true) : true'\r
+ - message: Within backendRefs, when using RequestRedirect filter\r
+ with path.replacePrefixMatch, exactly one PathPrefix match must\r
+ be specified\r
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,\r
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)\r
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type\r
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))\r
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)\r
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)\r
+ : true'\r
+ - message: Within backendRefs, When using URLRewrite filter with\r
+ path.replacePrefixMatch, exactly one PathPrefix match must be\r
+ specified\r
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,\r
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)\r
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''\r
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)\r
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type\r
+ != ''PathPrefix'') ? false : true) : true'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: While 16 rules and 64 matches per rule are allowed, the\r
+ total number of matches across all rules in a route must be less\r
+ than 128\r
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()\r
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()\r
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()\r
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()\r
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()\r
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()\r
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()\r
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()\r
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()\r
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()\r
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'\r
+ - message: Rule name must be unique within the route\r
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)\r
+ && l1.name == l2.name))\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of HTTPRoute.\r
+ properties:\r
+ parents:\r
+ description: |-\r
+ Parents is a list of parent resources (usually Gateways) that are\r
+ associated with the route, and the status of the route with respect to\r
+ each parent. When this route attaches to a parent, the controller that\r
+ manages the parent must add an entry to this list when the controller\r
+ first sees the route and should update the entry as appropriate when the\r
+ route or gateway is modified.\r
+\r
+ Note that parent references that cannot be resolved by an implementation\r
+ of this API will not be added to this list. Implementations of this API\r
+ can only populate Route status for the Gateways/parent resources they are\r
+ responsible for.\r
+\r
+ A maximum of 32 Gateways will be represented in this list. An empty list\r
+ means the route has not been attached to any Gateway.\r
+ items:\r
+ description: |-\r
+ RouteParentStatus describes the status of a route with respect to an\r
+ associated Parent.\r
+ properties:\r
+ conditions:\r
+ description: |-\r
+ Conditions describes the status of the route with respect to the Gateway.\r
+ Note that the route's availability is also subject to the Gateway's own\r
+ status conditions and listener status.\r
+\r
+ If the Route's ParentRef specifies an existing Gateway that supports\r
+ Routes of this kind AND that Gateway's controller has sufficient access,\r
+ then that Gateway's controller MUST set the "Accepted" condition on the\r
+ Route, to indicate whether the route has been accepted or rejected by the\r
+ Gateway, and why.\r
+\r
+ A Route MUST be considered "Accepted" if at least one of the Route's\r
+ rules is implemented by the Gateway.\r
+\r
+ There are a number of cases where the "Accepted" condition may not be set\r
+ due to lack of controller visibility, that includes when:\r
+\r
+ * The Route refers to a non-existent parent.\r
+ * The Route is of a type that the controller does not support.\r
+ * The Route is in a namespace the controller does not have access to.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ parentRef:\r
+ description: |-\r
+ ParentRef corresponds with a ParentRef in the spec that this\r
+ RouteParentStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ - parentRef\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ required:\r
+ - parents\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.hostnames\r
+ name: Hostnames\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1beta1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ HTTPRoute provides a way to route HTTP requests. This includes the capability\r
+ to match requests by hostname, path, header, or query param. Filters can be\r
+ used to specify additional processing steps. Backends specify where matching\r
+ requests should be routed.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of HTTPRoute.\r
+ properties:\r
+ hostnames:\r
+ description: |-\r
+ Hostnames defines a set of hostnames that should match against the HTTP Host\r
+ header to select a HTTPRoute used to process the request. Implementations\r
+ MUST ignore any port value specified in the HTTP Host header while\r
+ performing a match and (absent of any applicable header modification\r
+ configuration) MUST forward this header unmodified to the backend.\r
+\r
+ Valid values for Hostnames are determined by RFC 1123 definition of a\r
+ hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ If a hostname is specified by both the Listener and HTTPRoute, there\r
+ must be at least one intersecting hostname for the HTTPRoute to be\r
+ attached to the Listener. For example:\r
+\r
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes\r
+ that have either not specified any hostnames, or have specified at\r
+ least one of `test.example.com` or `*.example.com`.\r
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes\r
+ that have either not specified any hostnames or have specified at least\r
+ one hostname that matches the Listener hostname. For example,\r
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would\r
+ all match. On the other hand, `example.com` and `test.example.net` would\r
+ not match.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ If both the Listener and HTTPRoute have specified hostnames, any\r
+ HTTPRoute hostnames that do not match the Listener hostname MUST be\r
+ ignored. For example, if a Listener specified `*.example.com`, and the\r
+ HTTPRoute specified `test.example.com` and `test.example.net`,\r
+ `test.example.net` must not be considered for a match.\r
+\r
+ If both the Listener and HTTPRoute have specified hostnames, and none\r
+ match with the criteria above, then the HTTPRoute is not accepted. The\r
+ implementation must raise an 'Accepted' Condition with a status of\r
+ `False` in the corresponding RouteParentStatus.\r
+\r
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.\r
+ overlapping wildcard matching and exact matching hostnames), precedence must\r
+ be given to rules from the HTTPRoute with the largest number of:\r
+\r
+ * Characters in a matching non-wildcard hostname.\r
+ * Characters in a matching hostname.\r
+\r
+ If ties exist across multiple Routes, the matching precedence rules for\r
+ HTTPRouteMatches takes over.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Hostname is the fully qualified domain name of a network host. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ Hostname can be "precise" which is a domain name without the terminating\r
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a\r
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).\r
+\r
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case\r
+ alphanumeric characters or '-', and must start and end with an alphanumeric\r
+ character. No other punctuation is allowed.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ parentRefs:\r
+ description: |+\r
+ ParentRefs references the resources (usually Gateways) that a Route wants\r
+ to be attached to. Note that the referenced parent resource needs to\r
+ allow this for the attachment to be complete. For Gateways, that means\r
+ the Gateway needs to allow attachment from Routes of this kind and\r
+ namespace. For Services, that means the Service must either be in the same\r
+ namespace for a "producer" route, or the mesh implementation must support\r
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is\r
+ not applicable for governing ParentRefs to Services - it is not possible to\r
+ create a "producer" route for a Service in a different namespace from the\r
+ Route.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ ParentRefs must be _distinct_. This means either that:\r
+\r
+ * They select different objects. If this is the case, then parentRef\r
+ entries are distinct. In terms of fields, this means that the\r
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must\r
+ be unique across all parentRef entries in the Route.\r
+ * They do not select different objects, but for each optional field used,\r
+ each ParentRef that selects the same object must set the same set of\r
+ optional fields to different values. If one ParentRef sets a\r
+ combination of optional fields, all must set the same combination.\r
+\r
+ Some examples:\r
+\r
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the\r
+ same object must also set `sectionName`.\r
+ * If one ParentRef sets `port`, all ParentRefs referencing the same\r
+ object must also set `port`.\r
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs\r
+ referencing the same object must also set `sectionName` and `port`.\r
+\r
+ It is possible to separately reference multiple distinct objects that may\r
+ be collapsed by an implementation. For example, some implementations may\r
+ choose to merge compatible Gateway Listeners together. If that is the\r
+ case, the list of routes attached to those resources should also be\r
+ merged.\r
+\r
+ Note that for ParentRefs that cross namespace boundaries, there are specific\r
+ rules. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example,\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable other kinds of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+\r
+\r
+\r
+ items:\r
+ description: |-\r
+ ParentReference identifies an API object (usually a Gateway) that can be considered\r
+ a parent of this resource (usually a route). There are two kinds of parent resources\r
+ with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: sectionName or port must be specified when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)\r
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName\r
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)\r
+ || p2.port == 0)): true))'\r
+ - message: sectionName or port must be unique when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)\r
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName\r
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName\r
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)\r
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port\r
+ == p2.port))))\r
+ rules:\r
+ default:\r
+ - matches:\r
+ - path:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |+\r
+ Rules are a list of HTTP matchers, filters and actions.\r
+\r
+ items:\r
+ description: |-\r
+ HTTPRouteRule defines semantics for matching an HTTP request based on\r
+ conditions (matches), processing it (filters), and forwarding the request to\r
+ an API object (backendRefs).\r
+ properties:\r
+ backendRefs:\r
+ description: |-\r
+ BackendRefs defines the backend(s) where matching requests should be\r
+ sent.\r
+\r
+ Failure behavior here depends on how many BackendRefs are specified and\r
+ how many are invalid.\r
+\r
+ If *all* entries in BackendRefs are invalid, and there are also no filters\r
+ specified in this route rule, *all* traffic which matches this rule MUST\r
+ receive a 500 status code.\r
+\r
+ See the HTTPBackendRef definition for the rules about what makes a single\r
+ HTTPBackendRef invalid.\r
+\r
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for\r
+ requests that would have otherwise been routed to an invalid backend. If\r
+ multiple backends are specified, and some are invalid, the proportion of\r
+ requests that would otherwise have been routed to an invalid backend\r
+ MUST receive a 500 status code.\r
+\r
+ For example, if two backends are specified with equal weights, and one is\r
+ invalid, 50 percent of traffic must receive a 500. Implementations may\r
+ choose how that 50 percent is determined.\r
+\r
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,\r
+ implementations SHOULD return a 503 for requests to that backend instead.\r
+ If an implementation chooses to do this, all of the above rules for 500 responses\r
+ MUST also apply for responses that return a 503.\r
+\r
+ Support: Core for Kubernetes Service\r
+\r
+ Support: Extended for Kubernetes ServiceImport\r
+\r
+ Support: Implementation-specific for any other resource\r
+\r
+ Support for weight: Core\r
+ items:\r
+ description: |-\r
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.\r
+\r
+ Note that when a namespace different than the local namespace is specified, a\r
+ ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ <gateway:experimental:description>\r
+\r
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD\r
+ honor the appProtocol field if it is set for the target Service Port.\r
+\r
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes\r
+ Standard Application Protocols defined in KEP-3726.\r
+\r
+ If a Service appProtocol isn't specified, an implementation MAY infer the\r
+ backend protocol through its own means. Implementations MAY infer the\r
+ protocol from the Route type referring to the backend Service.\r
+\r
+ If a Route is not able to send traffic to the backend using the specified\r
+ protocol then the backend is considered invalid. Implementations MUST set the\r
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.\r
+\r
+ </gateway:experimental:description>\r
+ properties:\r
+ filters:\r
+ description: |-\r
+ Filters defined at this level should be executed if and only if the\r
+ request is being forwarded to the backend defined here.\r
+\r
+ Support: Implementation-specific (For broader support of filters, use the\r
+ Filters field in HTTPRouteRule.)\r
+ items:\r
+ description: |-\r
+ HTTPRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. HTTPRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ This filter can be used multiple times within the same rule.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For\r
+ example "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind\r
+ == ''Service'') ? has(self.port) : true'\r
+ fraction:\r
+ description: |+\r
+ Fraction represents the fraction of requests that should be\r
+ mirrored to BackendRef.\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ properties:\r
+ denominator:\r
+ default: 100\r
+ format: int32\r
+ minimum: 1\r
+ type: integer\r
+ numerator:\r
+ format: int32\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - numerator\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: numerator must be less than or equal\r
+ to denominator\r
+ rule: self.numerator <= self.denominator\r
+ percent:\r
+ description: |+\r
+ Percent represents the percentage of requests that should be\r
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of\r
+ requests) and its maximum value is 100 (indicating 100% of requests).\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ format: int32\r
+ maximum: 100\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Only one of percent or fraction may be\r
+ specified in HTTPRequestMirrorFilter\r
+ rule: '!(has(self.percent) && has(self.fraction))'\r
+ requestRedirect:\r
+ description: |-\r
+ RequestRedirect defines a schema for a filter that responds to the\r
+ request with an HTTP redirection.\r
+\r
+ Support: Core\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the hostname to be used in the value of the `Location`\r
+ header in the response.\r
+ When empty, the hostname in the `Host` header of the request is used.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines parameters used to modify the path of the incoming request.\r
+ The modified path is then used to construct the `Location` header. When\r
+ empty, the request path is used as-is.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified\r
+ when type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ?\r
+ has(self.replaceFullPath) : true'\r
+ - message: type must be 'ReplaceFullPath' when\r
+ replaceFullPath is set\r
+ rule: 'has(self.replaceFullPath) ? self.type\r
+ == ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified\r
+ when type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch''\r
+ ? has(self.replacePrefixMatch) : true'\r
+ - message: type must be 'ReplacePrefixMatch'\r
+ when replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ port:\r
+ description: |-\r
+ Port is the port to be used in the value of the `Location`\r
+ header in the response.\r
+\r
+ If no port is specified, the redirect port MUST be derived using the\r
+ following rules:\r
+\r
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known\r
+ port associated with the redirect scheme. Specifically "http" to port 80\r
+ and "https" to port 443. If the redirect scheme does not have a\r
+ well-known port, the listener port of the Gateway SHOULD be used.\r
+ * If redirect scheme is empty, the redirect port MUST be the Gateway\r
+ Listener port.\r
+\r
+ Implementations SHOULD NOT add the port number in the 'Location'\r
+ header in the following cases:\r
+\r
+ * A Location header that will use HTTP (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 80.\r
+ * A Location header that will use HTTPS (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 443.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ scheme:\r
+ description: |-\r
+ Scheme is the scheme to be used in the value of the `Location` header in\r
+ the response. When empty, the scheme of the request is used.\r
+\r
+ Scheme redirects can affect the port of the redirect, for more information,\r
+ refer to the documentation for the port field of this filter.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - http\r
+ - https\r
+ type: string\r
+ statusCode:\r
+ default: 302\r
+ description: |-\r
+ StatusCode is the HTTP status code to be used in response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Core\r
+ enum:\r
+ - 301\r
+ - 302\r
+ type: integer\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |-\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations must support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by\r
+ specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` should be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - RequestHeaderModifier\r
+ - ResponseHeaderModifier\r
+ - RequestMirror\r
+ - RequestRedirect\r
+ - URLRewrite\r
+ - ExtensionRef\r
+ type: string\r
+ urlRewrite:\r
+ description: |-\r
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.\r
+\r
+ Support: Extended\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the value to be used to replace the Host header value during\r
+ forwarding.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines a path rewrite.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified\r
+ when type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ?\r
+ has(self.replaceFullPath) : true'\r
+ - message: type must be 'ReplaceFullPath' when\r
+ replaceFullPath is set\r
+ rule: 'has(self.replaceFullPath) ? self.type\r
+ == ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified\r
+ when type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch''\r
+ ? has(self.replacePrefixMatch) : true'\r
+ - message: type must be 'ReplacePrefixMatch'\r
+ when replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ type: object\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil\r
+ if the filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type\r
+ != ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type\r
+ == ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil\r
+ if the filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type\r
+ != ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for\r
+ RequestMirror filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type ==\r
+ ''RequestMirror'')'\r
+ - message: filter.requestRedirect must be nil if the\r
+ filter.type is not RequestRedirect\r
+ rule: '!(has(self.requestRedirect) && self.type !=\r
+ ''RequestRedirect'')'\r
+ - message: filter.requestRedirect must be specified\r
+ for RequestRedirect filter.type\r
+ rule: '!(!has(self.requestRedirect) && self.type ==\r
+ ''RequestRedirect'')'\r
+ - message: filter.urlRewrite must be nil if the filter.type\r
+ is not URLRewrite\r
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'\r
+ - message: filter.urlRewrite must be specified for URLRewrite\r
+ filter.type\r
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for\r
+ ExtensionRef filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')\r
+ && self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')\r
+ && self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ - message: RequestRedirect filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestRedirect').size()\r
+ <= 1\r
+ - message: URLRewrite filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'URLRewrite').size()\r
+ <= 1\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ weight:\r
+ default: 1\r
+ description: |-\r
+ Weight specifies the proportion of requests forwarded to the referenced\r
+ backend. This is computed as weight/(sum of all weights in this\r
+ BackendRefs list). For non-zero values, there may be some epsilon from\r
+ the exact proportion defined here depending on the precision an\r
+ implementation supports. Weight is not a percentage and the sum of\r
+ weights does not need to equal 100.\r
+\r
+ If only one backend is specified and it has a weight greater than 0, 100%\r
+ of the traffic is forwarded to that backend. If weight is set to 0, no\r
+ traffic should be forwarded for this entry. If unspecified, weight\r
+ defaults to 1.\r
+\r
+ Support for this field varies based on the context where used.\r
+ format: int32\r
+ maximum: 1000000\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ maxItems: 16\r
+ type: array\r
+ filters:\r
+ description: |-\r
+ Filters define the filters that are applied to requests that match\r
+ this rule.\r
+\r
+ Wherever possible, implementations SHOULD implement filters in the order\r
+ they are specified.\r
+\r
+ Implementations MAY choose to implement this ordering strictly, rejecting\r
+ any combination or order of filters that can not be supported. If implementations\r
+ choose a strict interpretation of filter ordering, they MUST clearly document\r
+ that behavior.\r
+\r
+ To reject an invalid combination or order of filters, implementations SHOULD\r
+ consider the Route Rules with this configuration invalid. If all Route Rules\r
+ in a Route are invalid, the entire Route would be considered invalid. If only\r
+ a portion of Route Rules are invalid, implementations MUST set the\r
+ "PartiallyInvalid" condition for the Route.\r
+\r
+ Conformance-levels at this level are defined based on the type of filter:\r
+\r
+ - ALL core filters MUST be supported by all implementations.\r
+ - Implementers are encouraged to support extended filters.\r
+ - Implementation-specific custom filters have no API guarantees across\r
+ implementations.\r
+\r
+ Specifying the same filter multiple times is not supported unless explicitly\r
+ indicated in the filter.\r
+\r
+ All filters are expected to be compatible with each other except for the\r
+ URLRewrite and RequestRedirect filters, which may not be combined. If an\r
+ implementation can not support other combinations of filters, they must clearly\r
+ document that limitation. In cases where incompatible or unsupported\r
+ filters are specified and cause the `Accepted` condition to be set to status\r
+ `False`, implementations may use the `IncompatibleFilters` reason to specify\r
+ this configuration error.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ HTTPRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. HTTPRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ This filter can be used multiple times within the same rule.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For example\r
+ "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ fraction:\r
+ description: |+\r
+ Fraction represents the fraction of requests that should be\r
+ mirrored to BackendRef.\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ properties:\r
+ denominator:\r
+ default: 100\r
+ format: int32\r
+ minimum: 1\r
+ type: integer\r
+ numerator:\r
+ format: int32\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - numerator\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: numerator must be less than or equal to\r
+ denominator\r
+ rule: self.numerator <= self.denominator\r
+ percent:\r
+ description: |+\r
+ Percent represents the percentage of requests that should be\r
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of\r
+ requests) and its maximum value is 100 (indicating 100% of requests).\r
+\r
+ Only one of Fraction or Percent may be specified. If neither field\r
+ is specified, 100% of requests will be mirrored.\r
+\r
+ format: int32\r
+ maximum: 100\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Only one of percent or fraction may be specified\r
+ in HTTPRequestMirrorFilter\r
+ rule: '!(has(self.percent) && has(self.fraction))'\r
+ requestRedirect:\r
+ description: |-\r
+ RequestRedirect defines a schema for a filter that responds to the\r
+ request with an HTTP redirection.\r
+\r
+ Support: Core\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the hostname to be used in the value of the `Location`\r
+ header in the response.\r
+ When empty, the hostname in the `Host` header of the request is used.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines parameters used to modify the path of the incoming request.\r
+ The modified path is then used to construct the `Location` header. When\r
+ empty, the request path is used as-is.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified when\r
+ type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)\r
+ : true'\r
+ - message: type must be 'ReplaceFullPath' when replaceFullPath\r
+ is set\r
+ rule: 'has(self.replaceFullPath) ? self.type ==\r
+ ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified when\r
+ type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)\r
+ : true'\r
+ - message: type must be 'ReplacePrefixMatch' when\r
+ replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ port:\r
+ description: |-\r
+ Port is the port to be used in the value of the `Location`\r
+ header in the response.\r
+\r
+ If no port is specified, the redirect port MUST be derived using the\r
+ following rules:\r
+\r
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known\r
+ port associated with the redirect scheme. Specifically "http" to port 80\r
+ and "https" to port 443. If the redirect scheme does not have a\r
+ well-known port, the listener port of the Gateway SHOULD be used.\r
+ * If redirect scheme is empty, the redirect port MUST be the Gateway\r
+ Listener port.\r
+\r
+ Implementations SHOULD NOT add the port number in the 'Location'\r
+ header in the following cases:\r
+\r
+ * A Location header that will use HTTP (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 80.\r
+ * A Location header that will use HTTPS (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 443.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ scheme:\r
+ description: |-\r
+ Scheme is the scheme to be used in the value of the `Location` header in\r
+ the response. When empty, the scheme of the request is used.\r
+\r
+ Scheme redirects can affect the port of the redirect, for more information,\r
+ refer to the documentation for the port field of this filter.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - http\r
+ - https\r
+ type: string\r
+ statusCode:\r
+ default: 302\r
+ description: |-\r
+ StatusCode is the HTTP status code to be used in response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Core\r
+ enum:\r
+ - 301\r
+ - 302\r
+ type: integer\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |-\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations must support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by\r
+ specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` should be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - RequestHeaderModifier\r
+ - ResponseHeaderModifier\r
+ - RequestMirror\r
+ - RequestRedirect\r
+ - URLRewrite\r
+ - ExtensionRef\r
+ type: string\r
+ urlRewrite:\r
+ description: |-\r
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.\r
+\r
+ Support: Extended\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the value to be used to replace the Host header value during\r
+ forwarding.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines a path rewrite.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified when\r
+ type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)\r
+ : true'\r
+ - message: type must be 'ReplaceFullPath' when replaceFullPath\r
+ is set\r
+ rule: 'has(self.replaceFullPath) ? self.type ==\r
+ ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified when\r
+ type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)\r
+ : true'\r
+ - message: type must be 'ReplacePrefixMatch' when\r
+ replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ type: object\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil if the\r
+ filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type !=\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil if the\r
+ filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type !=\r
+ ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for RequestMirror\r
+ filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'\r
+ - message: filter.requestRedirect must be nil if the filter.type\r
+ is not RequestRedirect\r
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'\r
+ - message: filter.requestRedirect must be specified for RequestRedirect\r
+ filter.type\r
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'\r
+ - message: filter.urlRewrite must be nil if the filter.type\r
+ is not URLRewrite\r
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'\r
+ - message: filter.urlRewrite must be specified for URLRewrite\r
+ filter.type\r
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for ExtensionRef\r
+ filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&\r
+ self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ - message: RequestRedirect filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=\r
+ 1\r
+ - message: URLRewrite filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1\r
+ matches:\r
+ default:\r
+ - path:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |-\r
+ Matches define conditions used for matching the rule against incoming\r
+ HTTP requests. Each match is independent, i.e. this rule will be matched\r
+ if **any** one of the matches is satisfied.\r
+\r
+ For example, take the following matches configuration:\r
+\r
+ ```\r
+ matches:\r
+ - path:\r
+ value: "/foo"\r
+ headers:\r
+ - name: "version"\r
+ value: "v2"\r
+ - path:\r
+ value: "/v2/foo"\r
+ ```\r
+\r
+ For a request to match against this rule, a request must satisfy\r
+ EITHER of the two conditions:\r
+\r
+ - path prefixed with `/foo` AND contains the header `version: v2`\r
+ - path prefix of `/v2/foo`\r
+\r
+ See the documentation for HTTPRouteMatch on how to specify multiple\r
+ match conditions that should be ANDed together.\r
+\r
+ If no matches are specified, the default is a prefix\r
+ path match on "/", which has the effect of matching every\r
+ HTTP request.\r
+\r
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes\r
+ MUST prioritize matches based on the following criteria, continuing on\r
+ ties. Across all rules specified on applicable Routes, precedence must be\r
+ given to the match having:\r
+\r
+ * "Exact" path match.\r
+ * "Prefix" path match with largest number of characters.\r
+ * Method match.\r
+ * Largest number of header matches.\r
+ * Largest number of query param matches.\r
+\r
+ Note: The precedence of RegularExpression path matches are implementation-specific.\r
+\r
+ If ties still exist across multiple Routes, matching precedence MUST be\r
+ determined in order of the following criteria, continuing on ties:\r
+\r
+ * The oldest Route based on creation timestamp.\r
+ * The Route appearing first in alphabetical order by\r
+ "{namespace}/{name}".\r
+\r
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted\r
+ to the FIRST matching rule (in list order) with a match meeting the above\r
+ criteria.\r
+\r
+ When no rules matching a request have been successfully attached to the\r
+ parent a request is coming from, a HTTP 404 status code MUST be returned.\r
+ items:\r
+ description: "HTTPRouteMatch defines the predicate used to\r
+ match requests to a given\naction. Multiple match types\r
+ are ANDed together, i.e. the match will\nevaluate to true\r
+ only if all conditions are satisfied.\n\nFor example, the\r
+ match below will match a HTTP request only if its path\nstarts\r
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t\r
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t\r
+ \ value \"v1\"\n\n```"\r
+ properties:\r
+ headers:\r
+ description: |-\r
+ Headers specifies HTTP request header matchers. Multiple match values are\r
+ ANDed together, meaning, a request must match all the specified headers\r
+ to select the route.\r
+ items:\r
+ description: |-\r
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request\r
+ headers.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+\r
+ When a header is repeated in an HTTP request, it is\r
+ implementation-specific behavior as to how this is represented.\r
+ Generally, proxies should follow the guidance from the RFC:\r
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding\r
+ processing a repeated header, with special handling for "Set-Cookie".\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the value of the header.\r
+\r
+ Support: Core (Exact)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+\r
+ Since RegularExpression HeaderMatchType has implementation-specific\r
+ conformance, implementations can support POSIX, PCRE or any other dialects\r
+ of regular expressions. Please read the implementation's documentation to\r
+ determine the supported dialect.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header to\r
+ be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ method:\r
+ description: |-\r
+ Method specifies HTTP method matcher.\r
+ When specified, this route will be matched only if the request has the\r
+ specified method.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - GET\r
+ - HEAD\r
+ - POST\r
+ - PUT\r
+ - DELETE\r
+ - CONNECT\r
+ - OPTIONS\r
+ - TRACE\r
+ - PATCH\r
+ type: string\r
+ path:\r
+ default:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |-\r
+ Path specifies a HTTP request path matcher. If this field is not\r
+ specified, a default prefix match on the "/" path is provided.\r
+ properties:\r
+ type:\r
+ default: PathPrefix\r
+ description: |-\r
+ Type specifies how to match against the path Value.\r
+\r
+ Support: Core (Exact, PathPrefix)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+ enum:\r
+ - Exact\r
+ - PathPrefix\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ default: /\r
+ description: Value of the HTTP path to match against.\r
+ maxLength: 1024\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: value must be an absolute path and start with\r
+ '/' when type one of ['Exact', 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')\r
+ : true'\r
+ - message: must not contain '//' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')\r
+ : true'\r
+ - message: must not contain '/./' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')\r
+ : true'\r
+ - message: must not contain '/../' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')\r
+ : true'\r
+ - message: must not contain '%2f' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')\r
+ : true'\r
+ - message: must not contain '%2F' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')\r
+ : true'\r
+ - message: must not contain '#' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')\r
+ : true'\r
+ - message: must not end with '/..' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')\r
+ : true'\r
+ - message: must not end with '/.' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')\r
+ : true'\r
+ - message: type must be one of ['Exact', 'PathPrefix',\r
+ 'RegularExpression']\r
+ rule: self.type in ['Exact','PathPrefix'] || self.type\r
+ == 'RegularExpression'\r
+ - message: must only contain valid characters (matching\r
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)\r
+ for types ['Exact', 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")\r
+ : true'\r
+ queryParams:\r
+ description: |-\r
+ QueryParams specifies HTTP query parameter matchers. Multiple match\r
+ values are ANDed together, meaning, a request must match all the\r
+ specified query parameters to select the route.\r
+\r
+ Support: Extended\r
+ items:\r
+ description: |-\r
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP\r
+ query parameters.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP query param to be matched. This must be an\r
+ exact string match. (See\r
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).\r
+\r
+ If multiple entries specify equivalent query param names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent query param name MUST be ignored.\r
+\r
+ If a query param is repeated in an HTTP request, the behavior is\r
+ purposely left undefined, since different data planes have different\r
+ capabilities. However, it is *recommended* that implementations should\r
+ match against the first value of the param if the data plane supports it,\r
+ as this behavior is expected in other load balancing contexts outside of\r
+ the Gateway API.\r
+\r
+ Users SHOULD NOT route traffic based on repeated query params to guard\r
+ themselves against potential differences in the implementations.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the value of the query parameter.\r
+\r
+ Support: Extended (Exact)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+\r
+ Since RegularExpression QueryParamMatchType has Implementation-specific\r
+ conformance, implementations can support POSIX, PCRE or any other\r
+ dialects of regular expressions. Please read the implementation's\r
+ documentation to determine the supported dialect.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP query param\r
+ to be matched.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ name:\r
+ description: |\r
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ retry:\r
+ description: |+\r
+ Retry defines the configuration for when to retry an HTTP request.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ attempts:\r
+ description: |-\r
+ Attempts specifies the maximum number of times an individual request\r
+ from the gateway to a backend should be retried.\r
+\r
+ If the maximum number of retries has been attempted without a successful\r
+ response from the backend, the Gateway MUST return an error.\r
+\r
+ When this field is unspecified, the number of times to attempt to retry\r
+ a backend request is implementation-specific.\r
+\r
+ Support: Extended\r
+ type: integer\r
+ backoff:\r
+ description: |-\r
+ Backoff specifies the minimum duration a Gateway should wait between\r
+ retry attempts and is represented in Gateway API Duration formatting.\r
+\r
+ For example, setting the `rules[].retry.backoff` field to the value\r
+ `100ms` will cause a backend request to first be retried approximately\r
+ 100 milliseconds after timing out or receiving a response code configured\r
+ to be retryable.\r
+\r
+ An implementation MAY use an exponential or alternative backoff strategy\r
+ for subsequent retry attempts, MAY cap the maximum backoff duration to\r
+ some amount greater than the specified minimum, and MAY add arbitrary\r
+ jitter to stagger requests, as long as unsuccessful backend requests are\r
+ not retried before the configured minimum duration.\r
+\r
+ If a Request timeout (`rules[].timeouts.request`) is configured on the\r
+ route, the entire duration of the initial request and any retry attempts\r
+ MUST not exceed the Request timeout duration. If any retry attempts are\r
+ still in progress when the Request timeout duration has been reached,\r
+ these SHOULD be canceled if possible and the Gateway MUST immediately\r
+ return a timeout error.\r
+\r
+ If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is\r
+ configured on the route, any retry attempts which reach the configured\r
+ BackendRequest timeout duration without a response SHOULD be canceled if\r
+ possible and the Gateway should wait for at least the specified backoff\r
+ duration before attempting to retry the backend request again.\r
+\r
+ If a BackendRequest timeout is _not_ configured on the route, retry\r
+ attempts MAY time out after an implementation default duration, or MAY\r
+ remain pending until a configured Request timeout or implementation\r
+ default duration for total request time is reached.\r
+\r
+ When this field is unspecified, the time to wait between retry attempts\r
+ is implementation-specific.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ codes:\r
+ description: |-\r
+ Codes defines the HTTP response status codes for which a backend request\r
+ should be retried.\r
+\r
+ Support: Extended\r
+ items:\r
+ description: |-\r
+ HTTPRouteRetryStatusCode defines an HTTP response status code for\r
+ which a backend request should be retried.\r
+\r
+ Implementations MUST support the following status codes as retryable:\r
+\r
+ * 500\r
+ * 502\r
+ * 503\r
+ * 504\r
+\r
+ Implementations MAY support specifying additional discrete values in the\r
+ 500-599 range.\r
+\r
+ Implementations MAY support specifying discrete values in the 400-499 range,\r
+ which are often inadvisable to retry.\r
+\r
+ <gateway:experimental>\r
+ maximum: 599\r
+ minimum: 400\r
+ type: integer\r
+ type: array\r
+ type: object\r
+ sessionPersistence:\r
+ description: |+\r
+ SessionPersistence defines and configures session persistence\r
+ for the route rule.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ absoluteTimeout:\r
+ description: |-\r
+ AbsoluteTimeout defines the absolute timeout of the persistent\r
+ session. Once the AbsoluteTimeout duration has elapsed, the\r
+ session becomes invalid.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ cookieConfig:\r
+ description: |-\r
+ CookieConfig provides configuration settings that are specific\r
+ to cookie-based session persistence.\r
+\r
+ Support: Core\r
+ properties:\r
+ lifetimeType:\r
+ default: Session\r
+ description: |-\r
+ LifetimeType specifies whether the cookie has a permanent or\r
+ session-based lifetime. A permanent cookie persists until its\r
+ specified expiry time, defined by the Expires or Max-Age cookie\r
+ attributes, while a session cookie is deleted when the current\r
+ session ends.\r
+\r
+ When set to "Permanent", AbsoluteTimeout indicates the\r
+ cookie's lifetime via the Expires or Max-Age cookie attributes\r
+ and is required.\r
+\r
+ When set to "Session", AbsoluteTimeout indicates the\r
+ absolute lifetime of the cookie tracked by the gateway and\r
+ is optional.\r
+\r
+ Support: Core for "Session" type\r
+\r
+ Support: Extended for "Permanent" type\r
+ enum:\r
+ - Permanent\r
+ - Session\r
+ type: string\r
+ type: object\r
+ idleTimeout:\r
+ description: |-\r
+ IdleTimeout defines the idle timeout of the persistent session.\r
+ Once the session has been idle for more than the specified\r
+ IdleTimeout duration, the session becomes invalid.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ sessionName:\r
+ description: |-\r
+ SessionName defines the name of the persistent session token\r
+ which may be reflected in the cookie or the header. Users\r
+ should avoid reusing session names to prevent unintended\r
+ consequences, such as rejection or unpredictable behavior.\r
+\r
+ Support: Implementation-specific\r
+ maxLength: 128\r
+ type: string\r
+ type:\r
+ default: Cookie\r
+ description: |-\r
+ Type defines the type of session persistence such as through\r
+ the use a header or cookie. Defaults to cookie based session\r
+ persistence.\r
+\r
+ Support: Core for "Cookie" type\r
+\r
+ Support: Extended for "Header" type\r
+ enum:\r
+ - Cookie\r
+ - Header\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType\r
+ is Permanent\r
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)\r
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'\r
+ timeouts:\r
+ description: |-\r
+ Timeouts defines the timeouts that can be configured for an HTTP request.\r
+\r
+ Support: Extended\r
+ properties:\r
+ backendRequest:\r
+ description: |-\r
+ BackendRequest specifies a timeout for an individual request from the gateway\r
+ to a backend. This covers the time from when the request first starts being\r
+ sent from the gateway to when the full response has been received from the backend.\r
+\r
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout\r
+ completely. Implementations that cannot completely disable the timeout MUST\r
+ instead interpret the zero duration as the longest possible value to which\r
+ the timeout can be set.\r
+\r
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,\r
+ may result in more than one call from the gateway to the destination backend,\r
+ for example, if automatic retries are supported.\r
+\r
+ The value of BackendRequest must be a Gateway API Duration string as defined by\r
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;\r
+ when specified, the value of BackendRequest must be no more than the value of the\r
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ request:\r
+ description: |-\r
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.\r
+ If the gateway has not been able to respond before this deadline is met, the gateway\r
+ MUST return a timeout error.\r
+\r
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an\r
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds\r
+ to complete.\r
+\r
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout\r
+ completely. Implementations that cannot completely disable the timeout MUST\r
+ instead interpret the zero duration as the longest possible value to which\r
+ the timeout can be set.\r
+\r
+ This timeout is intended to cover as close to the whole request-response transaction\r
+ as possible although an implementation MAY choose to start the timeout after the entire\r
+ request stream has been received instead of immediately after the transaction is\r
+ initiated by the client.\r
+\r
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this\r
+ field is unspecified, request timeout behavior is implementation-specific.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: backendRequest timeout cannot be longer than request\r
+ timeout\r
+ rule: '!(has(self.request) && has(self.backendRequest) &&\r
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)\r
+ > duration(self.request))'\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: RequestRedirect filter must not be used together with\r
+ backendRefs\r
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?\r
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):\r
+ true'\r
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,\r
+ exactly one PathPrefix match must be specified\r
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)\r
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type\r
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))\r
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||\r
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)\r
+ : true'\r
+ - message: When using URLRewrite filter with path.replacePrefixMatch,\r
+ exactly one PathPrefix match must be specified\r
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)\r
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''\r
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)\r
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type\r
+ != ''PathPrefix'') ? false : true) : true'\r
+ - message: Within backendRefs, when using RequestRedirect filter\r
+ with path.replacePrefixMatch, exactly one PathPrefix match must\r
+ be specified\r
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,\r
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)\r
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type\r
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))\r
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)\r
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)\r
+ : true'\r
+ - message: Within backendRefs, When using URLRewrite filter with\r
+ path.replacePrefixMatch, exactly one PathPrefix match must be\r
+ specified\r
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,\r
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)\r
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''\r
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)\r
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type\r
+ != ''PathPrefix'') ? false : true) : true'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: While 16 rules and 64 matches per rule are allowed, the\r
+ total number of matches across all rules in a route must be less\r
+ than 128\r
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()\r
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()\r
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()\r
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()\r
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()\r
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()\r
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()\r
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()\r
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()\r
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()\r
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'\r
+ - message: Rule name must be unique within the route\r
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)\r
+ && l1.name == l2.name))\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of HTTPRoute.\r
+ properties:\r
+ parents:\r
+ description: |-\r
+ Parents is a list of parent resources (usually Gateways) that are\r
+ associated with the route, and the status of the route with respect to\r
+ each parent. When this route attaches to a parent, the controller that\r
+ manages the parent must add an entry to this list when the controller\r
+ first sees the route and should update the entry as appropriate when the\r
+ route or gateway is modified.\r
+\r
+ Note that parent references that cannot be resolved by an implementation\r
+ of this API will not be added to this list. Implementations of this API\r
+ can only populate Route status for the Gateways/parent resources they are\r
+ responsible for.\r
+\r
+ A maximum of 32 Gateways will be represented in this list. An empty list\r
+ means the route has not been attached to any Gateway.\r
+ items:\r
+ description: |-\r
+ RouteParentStatus describes the status of a route with respect to an\r
+ associated Parent.\r
+ properties:\r
+ conditions:\r
+ description: |-\r
+ Conditions describes the status of the route with respect to the Gateway.\r
+ Note that the route's availability is also subject to the Gateway's own\r
+ status conditions and listener status.\r
+\r
+ If the Route's ParentRef specifies an existing Gateway that supports\r
+ Routes of this kind AND that Gateway's controller has sufficient access,\r
+ then that Gateway's controller MUST set the "Accepted" condition on the\r
+ Route, to indicate whether the route has been accepted or rejected by the\r
+ Gateway, and why.\r
+\r
+ A Route MUST be considered "Accepted" if at least one of the Route's\r
+ rules is implemented by the Gateway.\r
+\r
+ There are a number of cases where the "Accepted" condition may not be set\r
+ due to lack of controller visibility, that includes when:\r
+\r
+ * The Route refers to a non-existent parent.\r
+ * The Route is of a type that the controller does not support.\r
+ * The Route is in a namespace the controller does not have access to.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ parentRef:\r
+ description: |-\r
+ ParentRef corresponds with a ParentRef in the spec that this\r
+ RouteParentStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ - parentRef\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ required:\r
+ - parents\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: false\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ name: referencegrants.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: ReferenceGrant\r
+ listKind: ReferenceGrantList\r
+ plural: referencegrants\r
+ shortNames:\r
+ - refgrant\r
+ singular: referencegrant\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1beta1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ ReferenceGrant identifies kinds of resources in other namespaces that are\r
+ trusted to reference the specified kinds of resources in the same namespace\r
+ as the policy.\r
+\r
+ Each ReferenceGrant can be used to represent a unique trust relationship.\r
+ Additional Reference Grants can be used to add to the set of trusted\r
+ sources of inbound references for the namespace they are defined within.\r
+\r
+ All cross-namespace references in Gateway API (with the exception of cross-namespace\r
+ Gateway-route attachment) require a ReferenceGrant.\r
+\r
+ ReferenceGrant is a form of runtime verification allowing users to assert\r
+ which cross-namespace object references are permitted. Implementations that\r
+ support ReferenceGrant MUST NOT permit cross-namespace references which have\r
+ no grant, and MUST respond to the removal of a grant by revoking the access\r
+ that the grant allowed.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of ReferenceGrant.\r
+ properties:\r
+ from:\r
+ description: |-\r
+ From describes the trusted namespaces and kinds that can reference the\r
+ resources described in "To". Each entry in this list MUST be considered\r
+ to be an additional place that references can be valid from, or to put\r
+ this another way, entries MUST be combined using OR.\r
+\r
+ Support: Core\r
+ items:\r
+ description: ReferenceGrantFrom describes trusted namespaces and\r
+ kinds.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When empty, the Kubernetes core API group is inferred.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is the kind of the referent. Although implementations may support\r
+ additional resources, the following types are part of the "Core"\r
+ support level for this field.\r
+\r
+ When used to permit a SecretObjectReference:\r
+\r
+ * Gateway\r
+\r
+ When used to permit a BackendObjectReference:\r
+\r
+ * GRPCRoute\r
+ * HTTPRoute\r
+ * TCPRoute\r
+ * TLSRoute\r
+ * UDPRoute\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - namespace\r
+ type: object\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ to:\r
+ description: |-\r
+ To describes the resources that may be referenced by the resources\r
+ described in "From". Each entry in this list MUST be considered to be an\r
+ additional place that references can be valid to, or to put this another\r
+ way, entries MUST be combined using OR.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ ReferenceGrantTo describes what Kinds are allowed as targets of the\r
+ references.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When empty, the Kubernetes core API group is inferred.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is the kind of the referent. Although implementations may support\r
+ additional resources, the following types are part of the "Core"\r
+ support level for this field:\r
+\r
+ * Secret when used to permit a SecretObjectReference\r
+ * Service when used to permit a BackendObjectReference\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent. When unspecified, this policy\r
+ refers to all resources of the specified Group and Kind in the local\r
+ namespace.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ type: object\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ required:\r
+ - from\r
+ - to\r
+ type: object\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
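Review bot: Every added line of this ReferenceGrant CRD ends in a carriage return (`\r`), so the vendored copy is committed with CRLF line endings. If the upstream Gateway API release ships this manifest with LF endings (to be confirmed), it will not be byte-identical to the `v1.2.1` experimental bundle named in its annotations. A checksum or plain `diff` against the upstream artifact then cannot confirm that the file is unmodified, which matters for the CRD that defines the cross-namespace trust object. Normalise to LF before committing, for example with a `.gitattributes` entry such as `*.yaml text eol=lf`, and record the origin in a header comment like `# Source: gateway-api v1.2.1 experimental bundle, vendored unmodified`. The neighbouring CRD sections in this commit show the same `\r` endings and need the same treatment.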
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ name: tcproutes.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: TCPRoute\r
+ listKind: TCPRouteList\r
+ plural: tcproutes\r
+ singular: tcproute\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1alpha2\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ TCPRoute provides a way to route TCP requests. When combined with a Gateway\r
+ listener, it can be used to forward connections on the port specified by the\r
+ listener to a set of backends specified by the TCPRoute.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of TCPRoute.\r
+ properties:\r
+ parentRefs:\r
+ description: |+\r
+ ParentRefs references the resources (usually Gateways) that a Route wants\r
+ to be attached to. Note that the referenced parent resource needs to\r
+ allow this for the attachment to be complete. For Gateways, that means\r
+ the Gateway needs to allow attachment from Routes of this kind and\r
+ namespace. For Services, that means the Service must either be in the same\r
+ namespace for a "producer" route, or the mesh implementation must support\r
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is\r
+ not applicable for governing ParentRefs to Services - it is not possible to\r
+ create a "producer" route for a Service in a different namespace from the\r
+ Route.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ ParentRefs must be _distinct_. This means either that:\r
+\r
+ * They select different objects. If this is the case, then parentRef\r
+ entries are distinct. In terms of fields, this means that the\r
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must\r
+ be unique across all parentRef entries in the Route.\r
+ * They do not select different objects, but for each optional field used,\r
+ each ParentRef that selects the same object must set the same set of\r
+ optional fields to different values. If one ParentRef sets a\r
+ combination of optional fields, all must set the same combination.\r
+\r
+ Some examples:\r
+\r
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the\r
+ same object must also set `sectionName`.\r
+ * If one ParentRef sets `port`, all ParentRefs referencing the same\r
+ object must also set `port`.\r
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs\r
+ referencing the same object must also set `sectionName` and `port`.\r
+\r
+ It is possible to separately reference multiple distinct objects that may\r
+ be collapsed by an implementation. For example, some implementations may\r
+ choose to merge compatible Gateway Listeners together. If that is the\r
+ case, the list of routes attached to those resources should also be\r
+ merged.\r
+\r
+ Note that for ParentRefs that cross namespace boundaries, there are specific\r
+ rules. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example,\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable other kinds of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+\r
+\r
+\r
+ items:\r
+ description: |-\r
+ ParentReference identifies an API object (usually a Gateway) that can be considered\r
+ a parent of this resource (usually a route). There are two kinds of parent resources\r
+ with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: sectionName or port must be specified when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)\r
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName\r
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)\r
+ || p2.port == 0)): true))'\r
+ - message: sectionName or port must be unique when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)\r
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName\r
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName\r
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)\r
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port\r
+ == p2.port))))\r
+ rules:\r
+ description: |+\r
+ Rules are a list of TCP matchers and actions.\r
+\r
+ items:\r
+ description: TCPRouteRule is the configuration for a given rule.\r
+ properties:\r
+ backendRefs:\r
+ description: |-\r
+ BackendRefs defines the backend(s) where matching requests should be\r
+ sent. If unspecified or invalid (refers to a non-existent resource or a\r
+ Service with no endpoints), the underlying implementation MUST actively\r
+ reject connection attempts to this backend. Connection rejections must\r
+ respect weight; if an invalid backend is requested to have 80% of\r
+ connections, then 80% of connections must be rejected instead.\r
+\r
+ Support: Core for Kubernetes Service\r
+\r
+ Support: Extended for Kubernetes ServiceImport\r
+\r
+ Support: Implementation-specific for any other resource\r
+\r
+ Support for weight: Extended\r
+ items:\r
+ description: |-\r
+ BackendRef defines how a Route should forward a request to a Kubernetes\r
+ resource.\r
+\r
+ Note that when a namespace different than the local namespace is specified, a\r
+ ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ <gateway:experimental:description>\r
+\r
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD\r
+ honor the appProtocol field if it is set for the target Service Port.\r
+\r
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes\r
+ Standard Application Protocols defined in KEP-3726.\r
+\r
+ If a Service appProtocol isn't specified, an implementation MAY infer the\r
+ backend protocol through its own means. Implementations MAY infer the\r
+ protocol from the Route type referring to the backend Service.\r
+\r
+ If a Route is not able to send traffic to the backend using the specified\r
+ protocol then the backend is considered invalid. Implementations MUST set the\r
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.\r
+\r
+ </gateway:experimental:description>\r
+\r
+ Note that when the BackendTLSPolicy object is enabled by the implementation,\r
+ there are some extra rules about validity to consider here. See the fields\r
+ where this struct is used for more information about the exact behavior.\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ weight:\r
+ default: 1\r
+ description: |-\r
+ Weight specifies the proportion of requests forwarded to the referenced\r
+ backend. This is computed as weight/(sum of all weights in this\r
+ BackendRefs list). For non-zero values, there may be some epsilon from\r
+ the exact proportion defined here depending on the precision an\r
+ implementation supports. Weight is not a percentage and the sum of\r
+ weights does not need to equal 100.\r
+\r
+ If only one backend is specified and it has a weight greater than 0, 100%\r
+ of the traffic is forwarded to that backend. If weight is set to 0, no\r
+ traffic should be forwarded for this entry. If unspecified, weight\r
+ defaults to 1.\r
+\r
+ Support for this field varies based on the context where used.\r
+ format: int32\r
+ maximum: 1000000\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ name:\r
+ description: |-\r
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ type: object\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: Rule name must be unique within the route\r
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)\r
+ && l1.name == l2.name))\r
+ required:\r
+ - rules\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of TCPRoute.\r
+ properties:\r
+ parents:\r
+ description: |-\r
+ Parents is a list of parent resources (usually Gateways) that are\r
+ associated with the route, and the status of the route with respect to\r
+ each parent. When this route attaches to a parent, the controller that\r
+ manages the parent must add an entry to this list when the controller\r
+ first sees the route and should update the entry as appropriate when the\r
+ route or gateway is modified.\r
+\r
+ Note that parent references that cannot be resolved by an implementation\r
+ of this API will not be added to this list. Implementations of this API\r
+ can only populate Route status for the Gateways/parent resources they are\r
+ responsible for.\r
+\r
+ A maximum of 32 Gateways will be represented in this list. An empty list\r
+ means the route has not been attached to any Gateway.\r
+ items:\r
+ description: |-\r
+ RouteParentStatus describes the status of a route with respect to an\r
+ associated Parent.\r
+ properties:\r
+ conditions:\r
+ description: |-\r
+ Conditions describes the status of the route with respect to the Gateway.\r
+ Note that the route's availability is also subject to the Gateway's own\r
+ status conditions and listener status.\r
+\r
+ If the Route's ParentRef specifies an existing Gateway that supports\r
+ Routes of this kind AND that Gateway's controller has sufficient access,\r
+ then that Gateway's controller MUST set the "Accepted" condition on the\r
+ Route, to indicate whether the route has been accepted or rejected by the\r
+ Gateway, and why.\r
+\r
+ A Route MUST be considered "Accepted" if at least one of the Route's\r
+ rules is implemented by the Gateway.\r
+\r
+ There are a number of cases where the "Accepted" condition may not be set\r
+ due to lack of controller visibility, that includes when:\r
+\r
+ * The Route refers to a non-existent parent.\r
+ * The Route is of a type that the controller does not support.\r
+ * The Route is in a namespace the controller does not have access to.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ parentRef:\r
+ description: |-\r
+ ParentRef corresponds with a ParentRef in the spec that this\r
+ RouteParentStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ - parentRef\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ required:\r
+ - parents\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ name: tlsroutes.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: TLSRoute\r
+ listKind: TLSRouteList\r
+ plural: tlsroutes\r
+ singular: tlsroute\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1alpha2\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ The TLSRoute resource is similar to TCPRoute, but can be configured\r
+ to match against TLS-specific metadata. This allows more flexibility\r
+ in matching streams for a given TLS listener.\r
+\r
+ If you need to forward traffic to a single target for a TLS listener, you\r
+ could choose to use a TCPRoute with a TLS listener.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of TLSRoute.\r
+ properties:\r
+ hostnames:\r
+ description: |-\r
+ Hostnames defines a set of SNI names that should match against the\r
+ SNI attribute of TLS ClientHello message in TLS handshake. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed in SNI names per RFC 6066.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ If a hostname is specified by both the Listener and TLSRoute, there\r
+ must be at least one intersecting hostname for the TLSRoute to be\r
+ attached to the Listener. For example:\r
+\r
+ * A Listener with `test.example.com` as the hostname matches TLSRoutes\r
+ that have either not specified any hostnames, or have specified at\r
+ least one of `test.example.com` or `*.example.com`.\r
+ * A Listener with `*.example.com` as the hostname matches TLSRoutes\r
+ that have either not specified any hostnames or have specified at least\r
+ one hostname that matches the Listener hostname. For example,\r
+ `test.example.com` and `*.example.com` would both match. On the other\r
+ hand, `example.com` and `test.example.net` would not match.\r
+\r
+ If both the Listener and TLSRoute have specified hostnames, any\r
+ TLSRoute hostnames that do not match the Listener hostname MUST be\r
+ ignored. For example, if a Listener specified `*.example.com`, and the\r
+ TLSRoute specified `test.example.com` and `test.example.net`,\r
+ `test.example.net` must not be considered for a match.\r
+\r
+ If both the Listener and TLSRoute have specified hostnames, and none\r
+ match with the criteria above, then the TLSRoute is not accepted. The\r
+ implementation must raise an 'Accepted' Condition with a status of\r
+ `False` in the corresponding RouteParentStatus.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Hostname is the fully qualified domain name of a network host. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ Hostname can be "precise" which is a domain name without the terminating\r
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a\r
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).\r
+\r
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case\r
+ alphanumeric characters or '-', and must start and end with an alphanumeric\r
+ character. No other punctuation is allowed.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ parentRefs:\r
+ description: |+\r
+ ParentRefs references the resources (usually Gateways) that a Route wants\r
+ to be attached to. Note that the referenced parent resource needs to\r
+ allow this for the attachment to be complete. For Gateways, that means\r
+ the Gateway needs to allow attachment from Routes of this kind and\r
+ namespace. For Services, that means the Service must either be in the same\r
+ namespace for a "producer" route, or the mesh implementation must support\r
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is\r
+ not applicable for governing ParentRefs to Services - it is not possible to\r
+ create a "producer" route for a Service in a different namespace from the\r
+ Route.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ ParentRefs must be _distinct_. This means either that:\r
+\r
+ * They select different objects. If this is the case, then parentRef\r
+ entries are distinct. In terms of fields, this means that the\r
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must\r
+ be unique across all parentRef entries in the Route.\r
+ * They do not select different objects, but for each optional field used,\r
+ each ParentRef that selects the same object must set the same set of\r
+ optional fields to different values. If one ParentRef sets a\r
+ combination of optional fields, all must set the same combination.\r
+\r
+ Some examples:\r
+\r
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the\r
+ same object must also set `sectionName`.\r
+ * If one ParentRef sets `port`, all ParentRefs referencing the same\r
+ object must also set `port`.\r
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs\r
+ referencing the same object must also set `sectionName` and `port`.\r
+\r
+ It is possible to separately reference multiple distinct objects that may\r
+ be collapsed by an implementation. For example, some implementations may\r
+ choose to merge compatible Gateway Listeners together. If that is the\r
+ case, the list of routes attached to those resources should also be\r
+ merged.\r
+\r
+ Note that for ParentRefs that cross namespace boundaries, there are specific\r
+ rules. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example,\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable other kinds of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+\r
+\r
+\r
+ items:\r
+ description: |-\r
+ ParentReference identifies an API object (usually a Gateway) that can be considered\r
+ a parent of this resource (usually a route). There are two kinds of parent resources\r
+ with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: sectionName or port must be specified when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)\r
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName\r
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)\r
+ || p2.port == 0)): true))'\r
+ - message: sectionName or port must be unique when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)\r
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName\r
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName\r
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)\r
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port\r
+ == p2.port))))\r
+ rules:\r
+ description: |+\r
+ Rules are a list of TLS matchers and actions.\r
+\r
+ items:\r
+ description: TLSRouteRule is the configuration for a given rule.\r
+ properties:\r
+ backendRefs:\r
+ description: |-\r
+ BackendRefs defines the backend(s) where matching requests should be\r
+ sent. If unspecified or invalid (refers to a non-existent resource or\r
+ a Service with no endpoints), the rule performs no forwarding; if no\r
+ filters are specified that would result in a response being sent, the\r
+ underlying implementation must actively reject request attempts to this\r
+ backend, by rejecting the connection or returning a 500 status code.\r
+ Request rejections must respect weight; if an invalid backend is\r
+ requested to have 80% of requests, then 80% of requests must be rejected\r
+ instead.\r
+\r
+ Support: Core for Kubernetes Service\r
+\r
+ Support: Extended for Kubernetes ServiceImport\r
+\r
+ Support: Implementation-specific for any other resource\r
+\r
+ Support for weight: Extended\r
+ items:\r
+ description: |-\r
+ BackendRef defines how a Route should forward a request to a Kubernetes\r
+ resource.\r
+\r
+ Note that when a namespace different than the local namespace is specified, a\r
+ ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ <gateway:experimental:description>\r
+\r
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD\r
+ honor the appProtocol field if it is set for the target Service Port.\r
+\r
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes\r
+ Standard Application Protocols defined in KEP-3726.\r
+\r
+ If a Service appProtocol isn't specified, an implementation MAY infer the\r
+ backend protocol through its own means. Implementations MAY infer the\r
+ protocol from the Route type referring to the backend Service.\r
+\r
+ If a Route is not able to send traffic to the backend using the specified\r
+ protocol then the backend is considered invalid. Implementations MUST set the\r
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.\r
+\r
+ </gateway:experimental:description>\r
+\r
+ Note that when the BackendTLSPolicy object is enabled by the implementation,\r
+ there are some extra rules about validity to consider here. See the fields\r
+ where this struct is used for more information about the exact behavior.\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ weight:\r
+ default: 1\r
+ description: |-\r
+ Weight specifies the proportion of requests forwarded to the referenced\r
+ backend. This is computed as weight/(sum of all weights in this\r
+ BackendRefs list). For non-zero values, there may be some epsilon from\r
+ the exact proportion defined here depending on the precision an\r
+ implementation supports. Weight is not a percentage and the sum of\r
+ weights does not need to equal 100.\r
+\r
+ If only one backend is specified and it has a weight greater than 0, 100%\r
+ of the traffic is forwarded to that backend. If weight is set to 0, no\r
+ traffic should be forwarded for this entry. If unspecified, weight\r
+ defaults to 1.\r
+\r
+ Support for this field varies based on the context where used.\r
+ format: int32\r
+ maximum: 1000000\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ name:\r
+ description: |-\r
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ type: object\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: Rule name must be unique within the route\r
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)\r
+ && l1.name == l2.name))\r
+ required:\r
+ - rules\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of TLSRoute.\r
+ properties:\r
+ parents:\r
+ description: |-\r
+ Parents is a list of parent resources (usually Gateways) that are\r
+ associated with the route, and the status of the route with respect to\r
+ each parent. When this route attaches to a parent, the controller that\r
+ manages the parent must add an entry to this list when the controller\r
+ first sees the route and should update the entry as appropriate when the\r
+ route or gateway is modified.\r
+\r
+ Note that parent references that cannot be resolved by an implementation\r
+ of this API will not be added to this list. Implementations of this API\r
+ can only populate Route status for the Gateways/parent resources they are\r
+ responsible for.\r
+\r
+ A maximum of 32 Gateways will be represented in this list. An empty list\r
+ means the route has not been attached to any Gateway.\r
+ items:\r
+ description: |-\r
+ RouteParentStatus describes the status of a route with respect to an\r
+ associated Parent.\r
+ properties:\r
+ conditions:\r
+ description: |-\r
+ Conditions describes the status of the route with respect to the Gateway.\r
+ Note that the route's availability is also subject to the Gateway's own\r
+ status conditions and listener status.\r
+\r
+ If the Route's ParentRef specifies an existing Gateway that supports\r
+ Routes of this kind AND that Gateway's controller has sufficient access,\r
+ then that Gateway's controller MUST set the "Accepted" condition on the\r
+ Route, to indicate whether the route has been accepted or rejected by the\r
+ Gateway, and why.\r
+\r
+ A Route MUST be considered "Accepted" if at least one of the Route's\r
+ rules is implemented by the Gateway.\r
+\r
+ There are a number of cases where the "Accepted" condition may not be set\r
+ due to lack of controller visibility, that includes when:\r
+\r
+ * The Route refers to a non-existent parent.\r
+ * The Route is of a type that the controller does not support.\r
+ * The Route is in a namespace the controller does not have access to.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ parentRef:\r
+ description: |-\r
+ ParentRef corresponds with a ParentRef in the spec that this\r
+ RouteParentStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ - parentRef\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ required:\r
+ - parents\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: experimental\r
+ creationTimestamp: null\r
+ name: udproutes.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: UDPRoute\r
+ listKind: UDPRouteList\r
+ plural: udproutes\r
+ singular: udproute\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1alpha2\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ UDPRoute provides a way to route UDP traffic. When combined with a Gateway\r
+ listener, it can be used to forward traffic on the port specified by the\r
+ listener to a set of backends specified by the UDPRoute.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of UDPRoute.\r
+ properties:\r
+ parentRefs:\r
+ description: |+\r
+ ParentRefs references the resources (usually Gateways) that a Route wants\r
+ to be attached to. Note that the referenced parent resource needs to\r
+ allow this for the attachment to be complete. For Gateways, that means\r
+ the Gateway needs to allow attachment from Routes of this kind and\r
+ namespace. For Services, that means the Service must either be in the same\r
+ namespace for a "producer" route, or the mesh implementation must support\r
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is\r
+ not applicable for governing ParentRefs to Services - it is not possible to\r
+ create a "producer" route for a Service in a different namespace from the\r
+ Route.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ ParentRefs must be _distinct_. This means either that:\r
+\r
+ * They select different objects. If this is the case, then parentRef\r
+ entries are distinct. In terms of fields, this means that the\r
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must\r
+ be unique across all parentRef entries in the Route.\r
+ * They do not select different objects, but for each optional field used,\r
+ each ParentRef that selects the same object must set the same set of\r
+ optional fields to different values. If one ParentRef sets a\r
+ combination of optional fields, all must set the same combination.\r
+\r
+ Some examples:\r
+\r
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the\r
+ same object must also set `sectionName`.\r
+ * If one ParentRef sets `port`, all ParentRefs referencing the same\r
+ object must also set `port`.\r
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs\r
+ referencing the same object must also set `sectionName` and `port`.\r
+\r
+ It is possible to separately reference multiple distinct objects that may\r
+ be collapsed by an implementation. For example, some implementations may\r
+ choose to merge compatible Gateway Listeners together. If that is the\r
+ case, the list of routes attached to those resources should also be\r
+ merged.\r
+\r
+ Note that for ParentRefs that cross namespace boundaries, there are specific\r
+ rules. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example,\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable other kinds of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+\r
+\r
+\r
+ items:\r
+ description: |-\r
+ ParentReference identifies an API object (usually a Gateway) that can be considered\r
+ a parent of this resource (usually a route). There are two kinds of parent resources\r
+ with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: sectionName or port must be specified when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)\r
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName\r
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)\r
+ || p2.port == 0)): true))'\r
+ - message: sectionName or port must be unique when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)\r
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName\r
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName\r
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)\r
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port\r
+ == p2.port))))\r
+ rules:\r
+ description: |+\r
+ Rules are a list of UDP matchers and actions.\r
+\r
+ items:\r
+ description: UDPRouteRule is the configuration for a given rule.\r
+ properties:\r
+ backendRefs:\r
+ description: |-\r
+ BackendRefs defines the backend(s) where matching requests should be\r
+ sent. If unspecified or invalid (refers to a non-existent resource or a\r
+ Service with no endpoints), the underlying implementation MUST actively\r
+ reject connection attempts to this backend. Packet drops must\r
+ respect weight; if an invalid backend is requested to have 80% of\r
+ the packets, then 80% of packets must be dropped instead.\r
+\r
+ Support: Core for Kubernetes Service\r
+\r
+ Support: Extended for Kubernetes ServiceImport\r
+\r
+ Support: Implementation-specific for any other resource\r
+\r
+ Support for weight: Extended\r
+ items:\r
+ description: |-\r
+ BackendRef defines how a Route should forward a request to a Kubernetes\r
+ resource.\r
+\r
+ Note that when a namespace different than the local namespace is specified, a\r
+ ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ <gateway:experimental:description>\r
+\r
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD\r
+ honor the appProtocol field if it is set for the target Service Port.\r
+\r
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes\r
+ Standard Application Protocols defined in KEP-3726.\r
+\r
+ If a Service appProtocol isn't specified, an implementation MAY infer the\r
+ backend protocol through its own means. Implementations MAY infer the\r
+ protocol from the Route type referring to the backend Service.\r
+\r
+ If a Route is not able to send traffic to the backend using the specified\r
+ protocol then the backend is considered invalid. Implementations MUST set the\r
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.\r
+\r
+ </gateway:experimental:description>\r
+\r
+ Note that when the BackendTLSPolicy object is enabled by the implementation,\r
+ there are some extra rules about validity to consider here. See the fields\r
+ where this struct is used for more information about the exact behavior.\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ weight:\r
+ default: 1\r
+ description: |-\r
+ Weight specifies the proportion of requests forwarded to the referenced\r
+ backend. This is computed as weight/(sum of all weights in this\r
+ BackendRefs list). For non-zero values, there may be some epsilon from\r
+ the exact proportion defined here depending on the precision an\r
+ implementation supports. Weight is not a percentage and the sum of\r
+ weights does not need to equal 100.\r
+\r
+ If only one backend is specified and it has a weight greater than 0, 100%\r
+ of the traffic is forwarded to that backend. If weight is set to 0, no\r
+ traffic should be forwarded for this entry. If unspecified, weight\r
+ defaults to 1.\r
+\r
+ Support for this field varies based on the context where used.\r
+ format: int32\r
+ maximum: 1000000\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ name:\r
+ description: |-\r
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ type: object\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: Rule name must be unique within the route\r
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)\r
+ && l1.name == l2.name))\r
+ required:\r
+ - rules\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of UDPRoute.\r
+ properties:\r
+ parents:\r
+ description: |-\r
+ Parents is a list of parent resources (usually Gateways) that are\r
+ associated with the route, and the status of the route with respect to\r
+ each parent. When this route attaches to a parent, the controller that\r
+ manages the parent must add an entry to this list when the controller\r
+ first sees the route and should update the entry as appropriate when the\r
+ route or gateway is modified.\r
+\r
+ Note that parent references that cannot be resolved by an implementation\r
+ of this API will not be added to this list. Implementations of this API\r
+ can only populate Route status for the Gateways/parent resources they are\r
+ responsible for.\r
+\r
+ A maximum of 32 Gateways will be represented in this list. An empty list\r
+ means the route has not been attached to any Gateway.\r
+ items:\r
+ description: |-\r
+ RouteParentStatus describes the status of a route with respect to an\r
+ associated Parent.\r
+ properties:\r
+ conditions:\r
+ description: |-\r
+ Conditions describes the status of the route with respect to the Gateway.\r
+ Note that the route's availability is also subject to the Gateway's own\r
+ status conditions and listener status.\r
+\r
+ If the Route's ParentRef specifies an existing Gateway that supports\r
+ Routes of this kind AND that Gateway's controller has sufficient access,\r
+ then that Gateway's controller MUST set the "Accepted" condition on the\r
+ Route, to indicate whether the route has been accepted or rejected by the\r
+ Gateway, and why.\r
+\r
+ A Route MUST be considered "Accepted" if at least one of the Route's\r
+ rules is implemented by the Gateway.\r
+\r
+ There are a number of cases where the "Accepted" condition may not be set\r
+ due to lack of controller visibility, that includes when:\r
+\r
+ * The Route refers to a non-existent parent.\r
+ * The Route is of a type that the controller does not support.\r
+ * The Route is in a namespace the controller does not have access to.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ parentRef:\r
+ description: |-\r
+ ParentRef corresponds with a ParentRef in the spec that this\r
+ RouteParentStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+ ParentRefs from a Route to a Service in the same namespace are "producer"\r
+ routes, which apply default routing rules to inbound connections from\r
+ any namespace to the Service.\r
+\r
+ ParentRefs from a Route to a Service in a different namespace are\r
+ "consumer" routes, and these routing rules are only applied to outbound\r
+ connections originating from the same namespace as the Route, for which\r
+ the intended destination of the connections are a Service targeted as a\r
+ ParentRef of the Route.\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+ When the parent resource is a Service, this targets a specific port in the\r
+ Service spec. When both Port (experimental) and SectionName are specified,\r
+ the name and port of the selected port must match both specified values.\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ - parentRef\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ required:\r
+ - parents\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+resources:\r
+ #- experimental/gateway.networking.k8s.io_gateways.yaml\r
+ - experimental/gateway.networking.k8s.io_udproutes.yaml\r
+ - experimental/gateway.networking.k8s.io_tcproutes.yaml\r
+ - experimental/gateway.networking.k8s.io_tlsroutes.yaml\r
+ - experimental/gateway.networking.k8s.io_backendlbpolicies.yaml\r
+ - standard/gateway.networking.k8s.io_gatewayclasses.yaml\r
+ - standard/gateway.networking.k8s.io_gateways.yaml\r
+ - standard/gateway.networking.k8s.io_grpcroutes.yaml\r
+ - standard/gateway.networking.k8s.io_httproutes.yaml\r
+ - standard/gateway.networking.k8s.io_referencegrants.yaml\r
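Review bot: The commented-out `#- experimental/gateway.networking.k8s.io_gateways.yaml` entry at the top of `resources` carries no explanation, so a later editor cannot tell that enabling it next to `standard/gateway.networking.k8s.io_gateways.yaml` would presumably apply two definitions of the same CRD. Either drop the line or replace it with a comment such as `# experimental Gateway CRD left out on purpose: the standard-channel gateways CRD below is the one installed`. The list also mixes experimental- and standard-channel files without naming the upstream release they were copied from; the CRDs added in this commit carry `gateway.networking.k8s.io/bundle-version: v1.2.1`, and a one-line comment recording that version and the upstream repository would let reviewers check the vendored copies against upstream on the next update.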
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: standard\r
+ creationTimestamp: null\r
+ name: gatewayclasses.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: GatewayClass\r
+ listKind: GatewayClassList\r
+ plural: gatewayclasses\r
+ shortNames:\r
+ - gc\r
+ singular: gatewayclass\r
+ scope: Cluster\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.controllerName\r
+ name: Controller\r
+ type: string\r
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status\r
+ name: Accepted\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ - jsonPath: .spec.description\r
+ name: Description\r
+ priority: 1\r
+ type: string\r
+ name: v1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ GatewayClass describes a class of Gateways available to the user for creating\r
+ Gateway resources.\r
+\r
+ It is recommended that this resource be used as a template for Gateways. This\r
+ means that a Gateway is based on the state of the GatewayClass at the time it\r
+ was created and changes to the GatewayClass or associated parameters are not\r
+ propagated down to existing Gateways. This recommendation is intended to\r
+ limit the blast radius of changes to GatewayClass or associated parameters.\r
+ If implementations choose to propagate GatewayClass changes to existing\r
+ Gateways, that MUST be clearly documented by the implementation.\r
+\r
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD\r
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the\r
+ associated GatewayClass. This ensures that a GatewayClass associated with a\r
+ Gateway is not deleted while in use.\r
+\r
+ GatewayClass is a Cluster level resource.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of GatewayClass.\r
+ properties:\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is the name of the controller that is managing Gateways of\r
+ this class. The value of this field MUST be a domain prefixed path.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ This field is not mutable and cannot be empty.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ x-kubernetes-validations:\r
+ - message: Value is immutable\r
+ rule: self == oldSelf\r
+ description:\r
+ description: Description helps describe a GatewayClass with more details.\r
+ maxLength: 64\r
+ type: string\r
+ parametersRef:\r
+ description: |-\r
+ ParametersRef is a reference to a resource that contains the configuration\r
+ parameters corresponding to the GatewayClass. This is optional if the\r
+ controller does not require any additional configuration.\r
+\r
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,\r
+ or an implementation-specific custom resource. The resource can be\r
+ cluster-scoped or namespace-scoped.\r
+\r
+ If the referent cannot be found, refers to an unsupported kind, or when\r
+ the data within that resource is malformed, the GatewayClass SHOULD be\r
+ rejected with the "Accepted" status condition set to "False" and an\r
+ "InvalidParameters" reason.\r
+\r
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,\r
+ the merging behavior is implementation specific.\r
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: Group is the group of the referent.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent.\r
+ This field is required when referring to a Namespace-scoped resource and\r
+ MUST be unset when referring to a Cluster-scoped resource.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ type: object\r
+ status:\r
+ default:\r
+ conditions:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ description: |-\r
+ Status defines the current state of GatewayClass.\r
+\r
+ Implementations MUST populate status on all GatewayClass resources which\r
+ specify their controller name.\r
+ properties:\r
+ conditions:\r
+ default:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ description: |-\r
+ Conditions is the current status from the controller for\r
+ this GatewayClass.\r
+\r
+ Controllers should prefer to publish conditions using values\r
+ of GatewayClassConditionType for the type of each Condition.\r
+ items:\r
+ description: Condition contains details for one aspect of the current\r
+ state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False, Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.controllerName\r
+ name: Controller\r
+ type: string\r
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status\r
+ name: Accepted\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ - jsonPath: .spec.description\r
+ name: Description\r
+ priority: 1\r
+ type: string\r
+ name: v1beta1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ GatewayClass describes a class of Gateways available to the user for creating\r
+ Gateway resources.\r
+\r
+ It is recommended that this resource be used as a template for Gateways. This\r
+ means that a Gateway is based on the state of the GatewayClass at the time it\r
+ was created and changes to the GatewayClass or associated parameters are not\r
+ propagated down to existing Gateways. This recommendation is intended to\r
+ limit the blast radius of changes to GatewayClass or associated parameters.\r
+ If implementations choose to propagate GatewayClass changes to existing\r
+ Gateways, that MUST be clearly documented by the implementation.\r
+\r
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD\r
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the\r
+ associated GatewayClass. This ensures that a GatewayClass associated with a\r
+ Gateway is not deleted while in use.\r
+\r
+ GatewayClass is a Cluster level resource.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of GatewayClass.\r
+ properties:\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is the name of the controller that is managing Gateways of\r
+ this class. The value of this field MUST be a domain prefixed path.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ This field is not mutable and cannot be empty.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ x-kubernetes-validations:\r
+ - message: Value is immutable\r
+ rule: self == oldSelf\r
+ description:\r
+ description: Description helps describe a GatewayClass with more details.\r
+ maxLength: 64\r
+ type: string\r
+ parametersRef:\r
+ description: |-\r
+ ParametersRef is a reference to a resource that contains the configuration\r
+ parameters corresponding to the GatewayClass. This is optional if the\r
+ controller does not require any additional configuration.\r
+\r
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,\r
+ or an implementation-specific custom resource. The resource can be\r
+ cluster-scoped or namespace-scoped.\r
+\r
+ If the referent cannot be found, refers to an unsupported kind, or when\r
+ the data within that resource is malformed, the GatewayClass SHOULD be\r
+ rejected with the "Accepted" status condition set to "False" and an\r
+ "InvalidParameters" reason.\r
+\r
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,\r
+ the merging behavior is implementation specific.\r
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: Group is the group of the referent.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent.\r
+ This field is required when referring to a Namespace-scoped resource and\r
+ MUST be unset when referring to a Cluster-scoped resource.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ type: object\r
+ status:\r
+ default:\r
+ conditions:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ description: |-\r
+ Status defines the current state of GatewayClass.\r
+\r
+ Implementations MUST populate status on all GatewayClass resources which\r
+ specify their controller name.\r
+ properties:\r
+ conditions:\r
+ default:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ description: |-\r
+ Conditions is the current status from the controller for\r
+ this GatewayClass.\r
+\r
+ Controllers should prefer to publish conditions using values\r
+ of GatewayClassConditionType for the type of each Condition.\r
+ items:\r
+ description: Condition contains details for one aspect of the current\r
+ state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False, Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: false\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: standard\r
+ creationTimestamp: null\r
+ name: gateways.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: Gateway\r
+ listKind: GatewayList\r
+ plural: gateways\r
+ shortNames:\r
+ - gtw\r
+ singular: gateway\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.gatewayClassName\r
+ name: Class\r
+ type: string\r
+ - jsonPath: .status.addresses[*].value\r
+ name: Address\r
+ type: string\r
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status\r
+ name: Programmed\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ Gateway represents an instance of a service-traffic handling infrastructure\r
+ by binding Listeners to a set of IP addresses.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of Gateway.\r
+ properties:\r
+ addresses:\r
+ description: |+\r
+ Addresses requested for this Gateway. This is optional and behavior can\r
+ depend on the implementation. If a value is set in the spec and the\r
+ requested address is invalid or unavailable, the implementation MUST\r
+ indicate this in the associated entry in GatewayStatus.Addresses.\r
+\r
+ The Addresses field represents a request for the address(es) on the\r
+ "outside of the Gateway", that traffic bound for this Gateway will use.\r
+ This could be the IP address or hostname of an external load balancer or\r
+ other networking infrastructure, or some other address that traffic will\r
+ be sent to.\r
+\r
+ If no Addresses are specified, the implementation MAY schedule the\r
+ Gateway in an implementation-specific manner, assigning an appropriate\r
+ set of Addresses.\r
+\r
+ The implementation MUST bind all Listeners to every GatewayAddress that\r
+ it assigns to the Gateway and add a corresponding entry in\r
+ GatewayStatus.Addresses.\r
+\r
+ Support: Extended\r
+\r
+ items:\r
+ description: GatewayAddress describes an address that can be bound\r
+ to a Gateway.\r
+ oneOf:\r
+ - properties:\r
+ type:\r
+ enum:\r
+ - IPAddress\r
+ value:\r
+ anyOf:\r
+ - format: ipv4\r
+ - format: ipv6\r
+ - properties:\r
+ type:\r
+ not:\r
+ enum:\r
+ - IPAddress\r
+ properties:\r
+ type:\r
+ default: IPAddress\r
+ description: Type of the address.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ value:\r
+ description: |-\r
+ Value of the address. The validity of the values will depend\r
+ on the type and support by the controller.\r
+\r
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - value\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Hostname value must only contain valid characters (matching\r
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)\r
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):\r
+ true'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: IPAddress values must be unique\r
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,\r
+ a2.type == a1.type && a2.value == a1.value) : true )'\r
+ - message: Hostname values must be unique\r
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,\r
+ a2.type == a1.type && a2.value == a1.value) : true )'\r
+ gatewayClassName:\r
+ description: |-\r
+ GatewayClassName used for this Gateway. This is the name of a\r
+ GatewayClass resource.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ infrastructure:\r
+ description: |-\r
+ Infrastructure defines infrastructure level attributes about this Gateway instance.\r
+\r
+ Support: Extended\r
+ properties:\r
+ annotations:\r
+ additionalProperties:\r
+ description: |-\r
+ AnnotationValue is the value of an annotation in Gateway API. This is used\r
+ for validation of maps such as TLS options. This roughly matches Kubernetes\r
+ annotation validation, although the length validation in that case is based\r
+ on the entire size of the annotations struct.\r
+ maxLength: 4096\r
+ minLength: 0\r
+ type: string\r
+ description: |-\r
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.\r
+\r
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.\r
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.\r
+\r
+ An implementation may chose to add additional implementation-specific annotations as they see fit.\r
+\r
+ Support: Extended\r
+ maxProperties: 8\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Annotation keys must be in the form of an optional\r
+ DNS subdomain prefix followed by a required name segment of\r
+ up to 63 characters.\r
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))\r
+ - message: If specified, the annotation key's prefix must be a\r
+ DNS subdomain not longer than 253 characters in total.\r
+ rule: self.all(key, key.split("/")[0].size() < 253)\r
+ labels:\r
+ additionalProperties:\r
+ description: |-\r
+ LabelValue is the value of a label in the Gateway API. This is used for validation\r
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes\r
+ label validation rules:\r
+ * must be 63 characters or less (can be empty),\r
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),\r
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.\r
+\r
+ Valid values include:\r
+\r
+ * MyValue\r
+ * my.name\r
+ * 123-my-value\r
+ maxLength: 63\r
+ minLength: 0\r
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\r
+ type: string\r
+ description: |-\r
+ Labels that SHOULD be applied to any resources created in response to this Gateway.\r
+\r
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.\r
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.\r
+\r
+ An implementation may chose to add additional implementation-specific labels as they see fit.\r
+\r
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels\r
+ change, it SHOULD clearly warn about this behavior in documentation.\r
+\r
+ Support: Extended\r
+ maxProperties: 8\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Label keys must be in the form of an optional DNS subdomain\r
+ prefix followed by a required name segment of up to 63 characters.\r
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))\r
+ - message: If specified, the label key's prefix must be a DNS\r
+ subdomain not longer than 253 characters in total.\r
+ rule: self.all(key, key.split("/")[0].size() < 253)\r
+ parametersRef:\r
+ description: |-\r
+ ParametersRef is a reference to a resource that contains the configuration\r
+ parameters corresponding to the Gateway. This is optional if the\r
+ controller does not require any additional configuration.\r
+\r
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis\r
+\r
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,\r
+ the merging behavior is implementation specific.\r
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: Group is the group of the referent.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ type: object\r
+ listeners:\r
+ description: |-\r
+ Listeners associated with this Gateway. Listeners define\r
+ logical endpoints that are bound on this Gateway's addresses.\r
+ At least one Listener MUST be specified.\r
+\r
+ ## Distinct Listeners\r
+\r
+ Each Listener in a set of Listeners (for example, in a single Gateway)\r
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to\r
+ exactly one listener. (This section uses "set of Listeners" rather than\r
+ "Listeners in a single Gateway" because implementations MAY merge configuration\r
+ from multiple Gateways onto a single data plane, and these rules _also_\r
+ apply in that case).\r
+\r
+ Practically, this means that each listener in a set MUST have a unique\r
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.\r
+\r
+ Some combinations of port, protocol, and TLS settings are considered\r
+ Core support and MUST be supported by implementations based on the objects\r
+ they support:\r
+\r
+ HTTPRoute\r
+\r
+ 1. HTTPRoute, Port: 80, Protocol: HTTP\r
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided\r
+\r
+ TLSRoute\r
+\r
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough\r
+\r
+ "Distinct" Listeners have the following property:\r
+\r
+ **The implementation can match inbound requests to a single distinct\r
+ Listener**.\r
+\r
+ When multiple Listeners share values for fields (for\r
+ example, two Listeners with the same Port value), the implementation\r
+ can match requests to only one of the Listeners using other\r
+ Listener fields.\r
+\r
+ When multiple listeners have the same value for the Protocol field, then\r
+ each of the Listeners with matching Protocol values MUST have different\r
+ values for other fields.\r
+\r
+ The set of fields that MUST be different for a Listener differs per protocol.\r
+ The following rules define the rules for what fields MUST be considered for\r
+ Listeners to be distinct with each protocol currently defined in the\r
+ Gateway API spec.\r
+\r
+ The set of listeners that all share a protocol value MUST have _different_\r
+ values for _at least one_ of these fields to be distinct:\r
+\r
+ * **HTTP, HTTPS, TLS**: Port, Hostname\r
+ * **TCP, UDP**: Port\r
+\r
+ One **very** important rule to call out involves what happens when an\r
+ implementation:\r
+\r
+ * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol\r
+ Listeners, and\r
+ * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP\r
+ Protocol.\r
+\r
+ In this case all the Listeners that share a port with the\r
+ TCP Listener are not distinct and so MUST NOT be accepted.\r
+\r
+ If an implementation does not support TCP Protocol Listeners, then the\r
+ previous rule does not apply, and the TCP Listeners SHOULD NOT be\r
+ accepted.\r
+\r
+ Note that the `tls` field is not used for determining if a listener is distinct, because\r
+ Listeners that _only_ differ on TLS config will still conflict in all cases.\r
+\r
+ ### Listeners that are distinct only by Hostname\r
+\r
+ When the Listeners are distinct based only on Hostname, inbound request\r
+ hostnames MUST match from the most specific to least specific Hostname\r
+ values to choose the correct Listener and its associated set of Routes.\r
+\r
+ Exact matches MUST be processed before wildcard matches, and wildcard\r
+ matches MUST be processed before fallback (empty Hostname value)\r
+ matches. For example, `"foo.example.com"` takes precedence over\r
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.\r
+\r
+ Additionally, if there are multiple wildcard entries, more specific\r
+ wildcard entries must be processed before less specific wildcard entries.\r
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.\r
+\r
+ The precise definition here is that the higher the number of dots in the\r
+ hostname to the right of the wildcard character, the higher the precedence.\r
+\r
+ The wildcard character will match any number of characters _and dots_ to\r
+ the left, however, so `"*.example.com"` will match both\r
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.\r
+\r
+ ## Handling indistinct Listeners\r
+\r
+ If a set of Listeners contains Listeners that are not distinct, then those\r
+ Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"\r
+ condition in the Listener Status to "True".\r
+\r
+ The words "indistict" and "conflicted" are considered equivalent for the\r
+ purpose of this documentation.\r
+\r
+ Implementations MAY choose to accept a Gateway with some Conflicted\r
+ Listeners only if they only accept the partial Listener set that contains\r
+ no Conflicted Listeners.\r
+\r
+ Specifically, an implementation MAY accept a partial Listener set subject to\r
+ the following rules:\r
+\r
+ * The implementation MUST NOT pick one conflicting Listener as the winner.\r
+ ALL indistinct Listeners must not be accepted for processing.\r
+ * At least one distinct Listener MUST be present, or else the Gateway effectively\r
+ contains _no_ Listeners, and must be rejected from processing as a whole.\r
+\r
+ The implementation MUST set a "ListenersNotValid" condition on the\r
+ Gateway Status when the Gateway contains Conflicted Listeners whether or\r
+ not they accept the Gateway. That Condition SHOULD clearly\r
+ indicate in the Message which Listeners are conflicted, and which are\r
+ Accepted. Additionally, the Listener status for those listeners SHOULD\r
+ indicate which Listeners are conflicted and not Accepted.\r
+\r
+ ## General Listener behavior\r
+\r
+ Note that, for all distinct Listeners, requests SHOULD match at most one Listener.\r
+ For example, if Listeners are defined for "foo.example.com" and "*.example.com", a\r
+ request to "foo.example.com" SHOULD only be routed using routes attached\r
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).\r
+\r
+ This concept is known as "Listener Isolation", and it is an Extended feature\r
+ of Gateway API. Implementations that do not support Listener Isolation MUST\r
+ clearly document this, and MUST NOT claim support for the\r
+ `GatewayHTTPListenerIsolation` feature.\r
+\r
+ Implementations that _do_ support Listener Isolation SHOULD claim support\r
+ for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated\r
+ conformance tests.\r
+\r
+ ## Compatible Listeners\r
+\r
+ A Gateway's Listeners are considered _compatible_ if:\r
+\r
+ 1. They are distinct.\r
+ 2. The implementation can serve them in compliance with the Addresses\r
+ requirement that all Listeners are available on all assigned\r
+ addresses.\r
+\r
+ Compatible combinations in Extended support are expected to vary across\r
+ implementations. A combination that is compatible for one implementation\r
+ may not be compatible for another.\r
+\r
+ For example, an implementation that cannot serve both TCP and UDP listeners\r
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port\r
+ would not consider those cases compatible, even though they are distinct.\r
+\r
+ Implementations MAY merge separate Gateways onto a single set of\r
+ Addresses if all Listeners across all Gateways are compatible.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Listener embodies the concept of a logical endpoint where a Gateway accepts\r
+ network connections.\r
+ properties:\r
+ allowedRoutes:\r
+ default:\r
+ namespaces:\r
+ from: Same\r
+ description: |-\r
+ AllowedRoutes defines the types of routes that MAY be attached to a\r
+ Listener and the trusted namespaces where those Route resources MAY be\r
+ present.\r
+\r
+ Although a client request may match multiple route rules, only one rule\r
+ may ultimately receive the request. Matching precedence MUST be\r
+ determined in order of the following criteria:\r
+\r
+ * The most specific match as defined by the Route type.\r
+ * The oldest Route based on creation timestamp. For example, a Route with\r
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over\r
+ a Route with a creation timestamp of "2020-09-08 01:02:04".\r
+ * If everything else is equivalent, the Route appearing first in\r
+ alphabetical order (namespace/name) should be given precedence. For\r
+ example, foo/bar is given precedence over foo/baz.\r
+\r
+ All valid rules within a Route attached to this Listener should be\r
+ implemented. Invalid Route rules can be ignored (sometimes that will mean\r
+ the full Route). If a Route rule transitions from valid to invalid,\r
+ support for that Route rule should be dropped to ensure consistency. For\r
+ example, even if a filter specified by a Route rule is invalid, the rest\r
+ of the rules within that Route should still be supported.\r
+\r
+ Support: Core\r
+ properties:\r
+ kinds:\r
+ description: |-\r
+ Kinds specifies the groups and kinds of Routes that are allowed to bind\r
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes\r
+ selected are determined using the Listener protocol.\r
+\r
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible\r
+ with the application protocol specified in the Listener's Protocol field.\r
+ If an implementation does not support or recognize this resource type, it\r
+ MUST set the "ResolvedRefs" condition to False for this Listener with the\r
+ "InvalidRouteKinds" reason.\r
+\r
+ Support: Core\r
+ items:\r
+ description: RouteGroupKind indicates the group and kind\r
+ of a Route resource.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: Group is the group of the Route.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is the kind of the Route.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ required:\r
+ - kind\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ namespaces:\r
+ default:\r
+ from: Same\r
+ description: |-\r
+ Namespaces indicates namespaces from which Routes may be attached to this\r
+ Listener. This is restricted to the namespace of this Gateway by default.\r
+\r
+ Support: Core\r
+ properties:\r
+ from:\r
+ default: Same\r
+ description: |-\r
+ From indicates where Routes will be selected for this Gateway. Possible\r
+ values are:\r
+\r
+ * All: Routes in all namespaces may be used by this Gateway.\r
+ * Selector: Routes in namespaces selected by the selector may be used by\r
+ this Gateway.\r
+ * Same: Only Routes in the same namespace may be used by this Gateway.\r
+\r
+ Support: Core\r
+ enum:\r
+ - All\r
+ - Selector\r
+ - Same\r
+ type: string\r
+ selector:\r
+ description: |-\r
+ Selector must be specified when From is set to "Selector". In that case,\r
+ only Routes in Namespaces matching this Selector will be selected by this\r
+ Gateway. This field is ignored for other values of "From".\r
+\r
+ Support: Core\r
+ properties:\r
+ matchExpressions:\r
+ description: matchExpressions is a list of label\r
+ selector requirements. The requirements are ANDed.\r
+ items:\r
+ description: |-\r
+ A label selector requirement is a selector that contains values, a key, and an operator that\r
+ relates the key and values.\r
+ properties:\r
+ key:\r
+ description: key is the label key that the\r
+ selector applies to.\r
+ type: string\r
+ operator:\r
+ description: |-\r
+ operator represents a key's relationship to a set of values.\r
+ Valid operators are In, NotIn, Exists and DoesNotExist.\r
+ type: string\r
+ values:\r
+ description: |-\r
+ values is an array of string values. If the operator is In or NotIn,\r
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,\r
+ the values array must be empty. This array is replaced during a strategic\r
+ merge patch.\r
+ items:\r
+ type: string\r
+ type: array\r
+ x-kubernetes-list-type: atomic\r
+ required:\r
+ - key\r
+ - operator\r
+ type: object\r
+ type: array\r
+ x-kubernetes-list-type: atomic\r
+ matchLabels:\r
+ additionalProperties:\r
+ type: string\r
+ description: |-\r
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\r
+ map is equivalent to an element of matchExpressions, whose key field is "key", the\r
+ operator is "In", and the values array contains only "value". The requirements are ANDed.\r
+ type: object\r
+ type: object\r
+ x-kubernetes-map-type: atomic\r
+ type: object\r
+ type: object\r
+ hostname:\r
+ description: |-\r
+ Hostname specifies the virtual hostname to match for protocol types that\r
+ define this concept. When unspecified, all hostnames are matched. This\r
+ field is ignored for protocols that don't require hostname based\r
+ matching.\r
+\r
+ Implementations MUST apply Hostname matching appropriately for each of\r
+ the following protocols:\r
+\r
+ * TLS: The Listener Hostname MUST match the SNI.\r
+ * HTTP: The Listener Hostname MUST match the Host header of the request.\r
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP\r
+ protocol layers as described above. If an implementation does not\r
+ ensure that both the SNI and Host header match the Listener hostname,\r
+ it MUST clearly document that.\r
+\r
+ For HTTPRoute and TLSRoute resources, there is an interaction with the\r
+ `spec.hostnames` array. When both listener and route specify hostnames,\r
+ there MUST be an intersection between the values for a Route to be\r
+ accepted. For more information, refer to the Route specific Hostnames\r
+ documentation.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the Listener. This name MUST be unique within a\r
+ Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port. Multiple listeners may use the\r
+ same port, subject to the Listener compatibility rules.\r
+\r
+ Support: Core\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ protocol:\r
+ description: |-\r
+ Protocol specifies the network protocol this listener expects to receive.\r
+\r
+ Support: Core\r
+ maxLength: 255\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$\r
+ type: string\r
+ tls:\r
+ description: |-\r
+ TLS is the TLS configuration for the Listener. This field is required if\r
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field\r
+ if the Protocol field is "HTTP", "TCP", or "UDP".\r
+\r
+ The association of SNIs to Certificate defined in GatewayTLSConfig is\r
+ defined based on the Hostname field for this listener.\r
+\r
+ The GatewayClass MUST use the longest matching SNI out of all\r
+ available certificates for any TLS handshake.\r
+\r
+ Support: Core\r
+ properties:\r
+ certificateRefs:\r
+ description: |-\r
+ CertificateRefs contains a series of references to Kubernetes objects that\r
+ contains TLS certificates and private keys. These certificates are used to\r
+ establish a TLS handshake for requests that match the hostname of the\r
+ associated listener.\r
+\r
+ A single CertificateRef to a Kubernetes Secret has "Core" support.\r
+ Implementations MAY choose to support attaching multiple certificates to\r
+ a Listener, but this behavior is implementation-specific.\r
+\r
+ References to a resource in different namespace are invalid UNLESS there\r
+ is a ReferenceGrant in the target namespace that allows the certificate\r
+ to be attached. If a ReferenceGrant does not allow this reference, the\r
+ "ResolvedRefs" condition MUST be set to False for this listener with the\r
+ "RefNotPermitted" reason.\r
+\r
+ This field is required to have at least one element when the mode is set\r
+ to "Terminate" (default) and is optional otherwise.\r
+\r
+ CertificateRefs can reference to standard Kubernetes resources, i.e.\r
+ Secret, or implementation-specific custom resources.\r
+\r
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls\r
+\r
+ Support: Implementation-specific (More than one reference or other resource types)\r
+ items:\r
+ description: |-\r
+ SecretObjectReference identifies an API object including its namespace,\r
+ defaulting to Secret.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+\r
+ References to objects with invalid Group and Kind are not valid, and must\r
+ be rejected by the implementation, with appropriate Conditions set\r
+ on the containing object.\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Secret\r
+ description: Kind is kind of the referent. For example\r
+ "Secret".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referenced object. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ mode:\r
+ default: Terminate\r
+ description: |-\r
+ Mode defines the TLS behavior for the TLS session initiated by the client.\r
+ There are two possible modes:\r
+\r
+ - Terminate: The TLS session between the downstream client and the\r
+ Gateway is terminated at the Gateway. This mode requires certificates\r
+ to be specified in some way, such as populating the certificateRefs\r
+ field.\r
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This\r
+ implies that the Gateway can't decipher the TLS stream except for\r
+ the ClientHello message of the TLS protocol. The certificateRefs field\r
+ is ignored in this mode.\r
+\r
+ Support: Core\r
+ enum:\r
+ - Terminate\r
+ - Passthrough\r
+ type: string\r
+ options:\r
+ additionalProperties:\r
+ description: |-\r
+ AnnotationValue is the value of an annotation in Gateway API. This is used\r
+ for validation of maps such as TLS options. This roughly matches Kubernetes\r
+ annotation validation, although the length validation in that case is based\r
+ on the entire size of the annotations struct.\r
+ maxLength: 4096\r
+ minLength: 0\r
+ type: string\r
+ description: |-\r
+ Options are a list of key/value pairs to enable extended TLS\r
+ configuration for each implementation. For example, configuring the\r
+ minimum TLS version or supported cipher suites.\r
+\r
+ A set of common keys MAY be defined by the API in the future. To avoid\r
+ any ambiguity, implementation-specific definitions MUST use\r
+ domain-prefixed names, such as `example.com/my-custom-option`.\r
+ Un-prefixed names are reserved for key names defined by Gateway API.\r
+\r
+ Support: Implementation-specific\r
+ maxProperties: 16\r
+ type: object\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: certificateRefs or options must be specified when\r
+ mode is Terminate\r
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)\r
+ > 0 || size(self.options) > 0 : true'\r
+ required:\r
+ - name\r
+ - port\r
+ - protocol\r
+ type: object\r
+ maxItems: 64\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ x-kubernetes-validations:\r
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',\r
+ 'UDP']\r
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?\r
+ !has(l.tls) : true)'\r
+ - message: tls mode must be Terminate for protocol HTTPS\r
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode\r
+ == '''' || l.tls.mode == ''Terminate'') : true)'\r
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']\r
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)\r
+ || l.hostname == '''') : true)'\r
+ - message: Listener name must be unique within the Gateway\r
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))\r
+ - message: Combination of port, protocol and hostname must be unique\r
+ for each listener\r
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol\r
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname\r
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'\r
+ required:\r
+ - gatewayClassName\r
+ - listeners\r
+ type: object\r
+ status:\r
+ default:\r
+ conditions:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Programmed\r
+ description: Status defines the current state of Gateway.\r
+ properties:\r
+ addresses:\r
+ description: |+\r
+ Addresses lists the network addresses that have been bound to the\r
+ Gateway.\r
+\r
+ This list may differ from the addresses provided in the spec under some\r
+ conditions:\r
+\r
+ * no addresses are specified, all addresses are dynamically assigned\r
+ * a combination of specified and dynamic addresses are assigned\r
+ * a specified address was unusable (e.g. already in use)\r
+\r
+ items:\r
+ description: GatewayStatusAddress describes a network address that\r
+ is bound to a Gateway.\r
+ oneOf:\r
+ - properties:\r
+ type:\r
+ enum:\r
+ - IPAddress\r
+ value:\r
+ anyOf:\r
+ - format: ipv4\r
+ - format: ipv6\r
+ - properties:\r
+ type:\r
+ not:\r
+ enum:\r
+ - IPAddress\r
+ properties:\r
+ type:\r
+ default: IPAddress\r
+ description: Type of the address.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ value:\r
+ description: |-\r
+ Value of the address. The validity of the values will depend\r
+ on the type and support by the controller.\r
+\r
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - value\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Hostname value must only contain valid characters (matching\r
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)\r
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):\r
+ true'\r
+ maxItems: 16\r
+ type: array\r
+ conditions:\r
+ default:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Programmed\r
+ description: |-\r
+ Conditions describe the current conditions of the Gateway.\r
+\r
+ Implementations should prefer to express Gateway conditions\r
+ using the `GatewayConditionType` and `GatewayConditionReason`\r
+ constants so that operators and tools can converge on a common\r
+ vocabulary to describe Gateway state.\r
+\r
+ Known condition types are:\r
+\r
+ * "Accepted"\r
+ * "Programmed"\r
+ * "Ready"\r
+ items:\r
+ description: Condition contains details for one aspect of the current\r
+ state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False, Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ listeners:\r
+ description: Listeners provide status for each unique listener port\r
+ defined in the Spec.\r
+ items:\r
+ description: ListenerStatus is the status associated with a Listener.\r
+ properties:\r
+ attachedRoutes:\r
+ description: |-\r
+ AttachedRoutes represents the total number of Routes that have been\r
+ successfully attached to this Listener.\r
+\r
+ Successful attachment of a Route to a Listener is based solely on the\r
+ combination of the AllowedRoutes field on the corresponding Listener\r
+ and the Route's ParentRefs field. A Route is successfully attached to\r
+ a Listener when it is selected by the Listener's AllowedRoutes field\r
+ AND the Route has a valid ParentRef selecting the whole Gateway\r
+ resource or a specific Listener as a parent resource (more detail on\r
+ attachment semantics can be found in the documentation on the various\r
+ Route kinds ParentRefs fields). Listener or Route status does not impact\r
+ successful attachment, i.e. the AttachedRoutes field count MUST be set\r
+ for Listeners with condition Accepted: false and MUST count successfully\r
+ attached Routes that may themselves have Accepted: false conditions.\r
+\r
+ Uses for this field include troubleshooting Route attachment and\r
+ measuring blast radius/impact of changes to a Listener.\r
+ format: int32\r
+ type: integer\r
+ conditions:\r
+ description: Conditions describe the current condition of this\r
+ listener.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ name:\r
+ description: Name is the name of the Listener that this status\r
+ corresponds to.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ supportedKinds:\r
+ description: |-\r
+ SupportedKinds is the list indicating the Kinds supported by this\r
+ listener. This MUST represent the kinds an implementation supports for\r
+ that Listener configuration.\r
+\r
+ If kinds are specified in Spec that are not supported, they MUST NOT\r
+ appear in this list and an implementation MUST set the "ResolvedRefs"\r
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid\r
+ and invalid Route kinds are specified, the implementation MUST\r
+ reference the valid Route kinds that have been specified.\r
+ items:\r
+ description: RouteGroupKind indicates the group and kind of\r
+ a Route resource.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: Group is the group of the Route.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is the kind of the Route.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ required:\r
+ - kind\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ required:\r
+ - attachedRoutes\r
+ - conditions\r
+ - name\r
+ - supportedKinds\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.gatewayClassName\r
+ name: Class\r
+ type: string\r
+ - jsonPath: .status.addresses[*].value\r
+ name: Address\r
+ type: string\r
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status\r
+ name: Programmed\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1beta1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ Gateway represents an instance of a service-traffic handling infrastructure\r
+ by binding Listeners to a set of IP addresses.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of Gateway.\r
+ properties:\r
+ addresses:\r
+ description: |+\r
+ Addresses requested for this Gateway. This is optional and behavior can\r
+ depend on the implementation. If a value is set in the spec and the\r
+ requested address is invalid or unavailable, the implementation MUST\r
+ indicate this in the associated entry in GatewayStatus.Addresses.\r
+\r
+ The Addresses field represents a request for the address(es) on the\r
+ "outside of the Gateway", that traffic bound for this Gateway will use.\r
+ This could be the IP address or hostname of an external load balancer or\r
+ other networking infrastructure, or some other address that traffic will\r
+ be sent to.\r
+\r
+ If no Addresses are specified, the implementation MAY schedule the\r
+ Gateway in an implementation-specific manner, assigning an appropriate\r
+ set of Addresses.\r
+\r
+ The implementation MUST bind all Listeners to every GatewayAddress that\r
+ it assigns to the Gateway and add a corresponding entry in\r
+ GatewayStatus.Addresses.\r
+\r
+ Support: Extended\r
+\r
+ items:\r
+ description: GatewayAddress describes an address that can be bound\r
+ to a Gateway.\r
+ oneOf:\r
+ - properties:\r
+ type:\r
+ enum:\r
+ - IPAddress\r
+ value:\r
+ anyOf:\r
+ - format: ipv4\r
+ - format: ipv6\r
+ - properties:\r
+ type:\r
+ not:\r
+ enum:\r
+ - IPAddress\r
+ properties:\r
+ type:\r
+ default: IPAddress\r
+ description: Type of the address.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ value:\r
+ description: |-\r
+ Value of the address. The validity of the values will depend\r
+ on the type and support by the controller.\r
+\r
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - value\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Hostname value must only contain valid characters (matching\r
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)\r
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):\r
+ true'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: IPAddress values must be unique\r
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,\r
+ a2.type == a1.type && a2.value == a1.value) : true )'\r
+ - message: Hostname values must be unique\r
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,\r
+ a2.type == a1.type && a2.value == a1.value) : true )'\r
+ gatewayClassName:\r
+ description: |-\r
+ GatewayClassName used for this Gateway. This is the name of a\r
+ GatewayClass resource.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ infrastructure:\r
+ description: |-\r
+ Infrastructure defines infrastructure level attributes about this Gateway instance.\r
+\r
+ Support: Extended\r
+ properties:\r
+ annotations:\r
+ additionalProperties:\r
+ description: |-\r
+ AnnotationValue is the value of an annotation in Gateway API. This is used\r
+ for validation of maps such as TLS options. This roughly matches Kubernetes\r
+ annotation validation, although the length validation in that case is based\r
+ on the entire size of the annotations struct.\r
+ maxLength: 4096\r
+ minLength: 0\r
+ type: string\r
+ description: |-\r
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.\r
+\r
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.\r
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.\r
+\r
+ An implementation may chose to add additional implementation-specific annotations as they see fit.\r
+\r
+ Support: Extended\r
+ maxProperties: 8\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Annotation keys must be in the form of an optional\r
+ DNS subdomain prefix followed by a required name segment of\r
+ up to 63 characters.\r
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))\r
+ - message: If specified, the annotation key's prefix must be a\r
+ DNS subdomain not longer than 253 characters in total.\r
+ rule: self.all(key, key.split("/")[0].size() < 253)\r
+ labels:\r
+ additionalProperties:\r
+ description: |-\r
+ LabelValue is the value of a label in the Gateway API. This is used for validation\r
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes\r
+ label validation rules:\r
+ * must be 63 characters or less (can be empty),\r
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),\r
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.\r
+\r
+ Valid values include:\r
+\r
+ * MyValue\r
+ * my.name\r
+ * 123-my-value\r
+ maxLength: 63\r
+ minLength: 0\r
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\r
+ type: string\r
+ description: |-\r
+ Labels that SHOULD be applied to any resources created in response to this Gateway.\r
+\r
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.\r
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.\r
+\r
+ An implementation may chose to add additional implementation-specific labels as they see fit.\r
+\r
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels\r
+ change, it SHOULD clearly warn about this behavior in documentation.\r
+\r
+ Support: Extended\r
+ maxProperties: 8\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Label keys must be in the form of an optional DNS subdomain\r
+ prefix followed by a required name segment of up to 63 characters.\r
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))\r
+ - message: If specified, the label key's prefix must be a DNS\r
+ subdomain not longer than 253 characters in total.\r
+ rule: self.all(key, key.split("/")[0].size() < 253)\r
+ parametersRef:\r
+ description: |-\r
+ ParametersRef is a reference to a resource that contains the configuration\r
+ parameters corresponding to the Gateway. This is optional if the\r
+ controller does not require any additional configuration.\r
+\r
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis\r
+\r
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,\r
+ the merging behavior is implementation specific.\r
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: Group is the group of the referent.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ type: object\r
+ listeners:\r
+ description: |-\r
+ Listeners associated with this Gateway. Listeners define\r
+ logical endpoints that are bound on this Gateway's addresses.\r
+ At least one Listener MUST be specified.\r
+\r
+ ## Distinct Listeners\r
+\r
+ Each Listener in a set of Listeners (for example, in a single Gateway)\r
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to\r
+ exactly one listener. (This section uses "set of Listeners" rather than\r
+ "Listeners in a single Gateway" because implementations MAY merge configuration\r
+ from multiple Gateways onto a single data plane, and these rules _also_\r
+ apply in that case).\r
+\r
+ Practically, this means that each listener in a set MUST have a unique\r
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.\r
+\r
+ Some combinations of port, protocol, and TLS settings are considered\r
+ Core support and MUST be supported by implementations based on the objects\r
+ they support:\r
+\r
+ HTTPRoute\r
+\r
+ 1. HTTPRoute, Port: 80, Protocol: HTTP\r
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided\r
+\r
+ TLSRoute\r
+\r
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough\r
+\r
+ "Distinct" Listeners have the following property:\r
+\r
+ **The implementation can match inbound requests to a single distinct\r
+ Listener**.\r
+\r
+ When multiple Listeners share values for fields (for\r
+ example, two Listeners with the same Port value), the implementation\r
+ can match requests to only one of the Listeners using other\r
+ Listener fields.\r
+\r
+ When multiple listeners have the same value for the Protocol field, then\r
+ each of the Listeners with matching Protocol values MUST have different\r
+ values for other fields.\r
+\r
+ The set of fields that MUST be different for a Listener differs per protocol.\r
+ The following rules define the rules for what fields MUST be considered for\r
+ Listeners to be distinct with each protocol currently defined in the\r
+ Gateway API spec.\r
+\r
+ The set of listeners that all share a protocol value MUST have _different_\r
+ values for _at least one_ of these fields to be distinct:\r
+\r
+ * **HTTP, HTTPS, TLS**: Port, Hostname\r
+ * **TCP, UDP**: Port\r
+\r
+ One **very** important rule to call out involves what happens when an\r
+ implementation:\r
+\r
+ * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol\r
+ Listeners, and\r
+ * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP\r
+ Protocol.\r
+\r
+ In this case all the Listeners that share a port with the\r
+ TCP Listener are not distinct and so MUST NOT be accepted.\r
+\r
+ If an implementation does not support TCP Protocol Listeners, then the\r
+ previous rule does not apply, and the TCP Listeners SHOULD NOT be\r
+ accepted.\r
+\r
+ Note that the `tls` field is not used for determining if a listener is distinct, because\r
+ Listeners that _only_ differ on TLS config will still conflict in all cases.\r
+\r
+ ### Listeners that are distinct only by Hostname\r
+\r
+ When the Listeners are distinct based only on Hostname, inbound request\r
+ hostnames MUST match from the most specific to least specific Hostname\r
+ values to choose the correct Listener and its associated set of Routes.\r
+\r
+ Exact matches MUST be processed before wildcard matches, and wildcard\r
+ matches MUST be processed before fallback (empty Hostname value)\r
+ matches. For example, `"foo.example.com"` takes precedence over\r
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.\r
+\r
+ Additionally, if there are multiple wildcard entries, more specific\r
+ wildcard entries must be processed before less specific wildcard entries.\r
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.\r
+\r
+ The precise definition here is that the higher the number of dots in the\r
+ hostname to the right of the wildcard character, the higher the precedence.\r
+\r
+ The wildcard character will match any number of characters _and dots_ to\r
+ the left, however, so `"*.example.com"` will match both\r
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.\r
+\r
+ ## Handling indistinct Listeners\r
+\r
+ If a set of Listeners contains Listeners that are not distinct, then those\r
+ Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"\r
+ condition in the Listener Status to "True".\r
+\r
+ The words "indistict" and "conflicted" are considered equivalent for the\r
+ purpose of this documentation.\r
+\r
+ Implementations MAY choose to accept a Gateway with some Conflicted\r
+ Listeners only if they only accept the partial Listener set that contains\r
+ no Conflicted Listeners.\r
+\r
+ Specifically, an implementation MAY accept a partial Listener set subject to\r
+ the following rules:\r
+\r
+ * The implementation MUST NOT pick one conflicting Listener as the winner.\r
+ ALL indistinct Listeners must not be accepted for processing.\r
+ * At least one distinct Listener MUST be present, or else the Gateway effectively\r
+ contains _no_ Listeners, and must be rejected from processing as a whole.\r
+\r
+ The implementation MUST set a "ListenersNotValid" condition on the\r
+ Gateway Status when the Gateway contains Conflicted Listeners whether or\r
+ not they accept the Gateway. That Condition SHOULD clearly\r
+ indicate in the Message which Listeners are conflicted, and which are\r
+ Accepted. Additionally, the Listener status for those listeners SHOULD\r
+ indicate which Listeners are conflicted and not Accepted.\r
+\r
+ ## General Listener behavior\r
+\r
+ Note that, for all distinct Listeners, requests SHOULD match at most one Listener.\r
+ For example, if Listeners are defined for "foo.example.com" and "*.example.com", a\r
+ request to "foo.example.com" SHOULD only be routed using routes attached\r
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).\r
+\r
+ This concept is known as "Listener Isolation", and it is an Extended feature\r
+ of Gateway API. Implementations that do not support Listener Isolation MUST\r
+ clearly document this, and MUST NOT claim support for the\r
+ `GatewayHTTPListenerIsolation` feature.\r
+\r
+ Implementations that _do_ support Listener Isolation SHOULD claim support\r
+ for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated\r
+ conformance tests.\r
+\r
+ ## Compatible Listeners\r
+\r
+ A Gateway's Listeners are considered _compatible_ if:\r
+\r
+ 1. They are distinct.\r
+ 2. The implementation can serve them in compliance with the Addresses\r
+ requirement that all Listeners are available on all assigned\r
+ addresses.\r
+\r
+ Compatible combinations in Extended support are expected to vary across\r
+ implementations. A combination that is compatible for one implementation\r
+ may not be compatible for another.\r
+\r
+ For example, an implementation that cannot serve both TCP and UDP listeners\r
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port\r
+ would not consider those cases compatible, even though they are distinct.\r
+\r
+ Implementations MAY merge separate Gateways onto a single set of\r
+ Addresses if all Listeners across all Gateways are compatible.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Listener embodies the concept of a logical endpoint where a Gateway accepts\r
+ network connections.\r
+ properties:\r
+ allowedRoutes:\r
+ default:\r
+ namespaces:\r
+ from: Same\r
+ description: |-\r
+ AllowedRoutes defines the types of routes that MAY be attached to a\r
+ Listener and the trusted namespaces where those Route resources MAY be\r
+ present.\r
+\r
+ Although a client request may match multiple route rules, only one rule\r
+ may ultimately receive the request. Matching precedence MUST be\r
+ determined in order of the following criteria:\r
+\r
+ * The most specific match as defined by the Route type.\r
+ * The oldest Route based on creation timestamp. For example, a Route with\r
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over\r
+ a Route with a creation timestamp of "2020-09-08 01:02:04".\r
+ * If everything else is equivalent, the Route appearing first in\r
+ alphabetical order (namespace/name) should be given precedence. For\r
+ example, foo/bar is given precedence over foo/baz.\r
+\r
+ All valid rules within a Route attached to this Listener should be\r
+ implemented. Invalid Route rules can be ignored (sometimes that will mean\r
+ the full Route). If a Route rule transitions from valid to invalid,\r
+ support for that Route rule should be dropped to ensure consistency. For\r
+ example, even if a filter specified by a Route rule is invalid, the rest\r
+ of the rules within that Route should still be supported.\r
+\r
+ Support: Core\r
+ properties:\r
+ kinds:\r
+ description: |-\r
+ Kinds specifies the groups and kinds of Routes that are allowed to bind\r
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes\r
+ selected are determined using the Listener protocol.\r
+\r
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible\r
+ with the application protocol specified in the Listener's Protocol field.\r
+ If an implementation does not support or recognize this resource type, it\r
+ MUST set the "ResolvedRefs" condition to False for this Listener with the\r
+ "InvalidRouteKinds" reason.\r
+\r
+ Support: Core\r
+ items:\r
+ description: RouteGroupKind indicates the group and kind\r
+ of a Route resource.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: Group is the group of the Route.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is the kind of the Route.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ required:\r
+ - kind\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ namespaces:\r
+ default:\r
+ from: Same\r
+ description: |-\r
+ Namespaces indicates namespaces from which Routes may be attached to this\r
+ Listener. This is restricted to the namespace of this Gateway by default.\r
+\r
+ Support: Core\r
+ properties:\r
+ from:\r
+ default: Same\r
+ description: |-\r
+ From indicates where Routes will be selected for this Gateway. Possible\r
+ values are:\r
+\r
+ * All: Routes in all namespaces may be used by this Gateway.\r
+ * Selector: Routes in namespaces selected by the selector may be used by\r
+ this Gateway.\r
+ * Same: Only Routes in the same namespace may be used by this Gateway.\r
+\r
+ Support: Core\r
+ enum:\r
+ - All\r
+ - Selector\r
+ - Same\r
+ type: string\r
+ selector:\r
+ description: |-\r
+ Selector must be specified when From is set to "Selector". In that case,\r
+ only Routes in Namespaces matching this Selector will be selected by this\r
+ Gateway. This field is ignored for other values of "From".\r
+\r
+ Support: Core\r
+ properties:\r
+ matchExpressions:\r
+ description: matchExpressions is a list of label\r
+ selector requirements. The requirements are ANDed.\r
+ items:\r
+ description: |-\r
+ A label selector requirement is a selector that contains values, a key, and an operator that\r
+ relates the key and values.\r
+ properties:\r
+ key:\r
+ description: key is the label key that the\r
+ selector applies to.\r
+ type: string\r
+ operator:\r
+ description: |-\r
+ operator represents a key's relationship to a set of values.\r
+ Valid operators are In, NotIn, Exists and DoesNotExist.\r
+ type: string\r
+ values:\r
+ description: |-\r
+ values is an array of string values. If the operator is In or NotIn,\r
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,\r
+ the values array must be empty. This array is replaced during a strategic\r
+ merge patch.\r
+ items:\r
+ type: string\r
+ type: array\r
+ x-kubernetes-list-type: atomic\r
+ required:\r
+ - key\r
+ - operator\r
+ type: object\r
+ type: array\r
+ x-kubernetes-list-type: atomic\r
+ matchLabels:\r
+ additionalProperties:\r
+ type: string\r
+ description: |-\r
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\r
+ map is equivalent to an element of matchExpressions, whose key field is "key", the\r
+ operator is "In", and the values array contains only "value". The requirements are ANDed.\r
+ type: object\r
+ type: object\r
+ x-kubernetes-map-type: atomic\r
+ type: object\r
+ type: object\r
+ hostname:\r
+ description: |-\r
+ Hostname specifies the virtual hostname to match for protocol types that\r
+ define this concept. When unspecified, all hostnames are matched. This\r
+ field is ignored for protocols that don't require hostname based\r
+ matching.\r
+\r
+ Implementations MUST apply Hostname matching appropriately for each of\r
+ the following protocols:\r
+\r
+ * TLS: The Listener Hostname MUST match the SNI.\r
+ * HTTP: The Listener Hostname MUST match the Host header of the request.\r
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP\r
+ protocol layers as described above. If an implementation does not\r
+ ensure that both the SNI and Host header match the Listener hostname,\r
+ it MUST clearly document that.\r
+\r
+ For HTTPRoute and TLSRoute resources, there is an interaction with the\r
+ `spec.hostnames` array. When both listener and route specify hostnames,\r
+ there MUST be an intersection between the values for a Route to be\r
+ accepted. For more information, refer to the Route specific Hostnames\r
+ documentation.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the Listener. This name MUST be unique within a\r
+ Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port. Multiple listeners may use the\r
+ same port, subject to the Listener compatibility rules.\r
+\r
+ Support: Core\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ protocol:\r
+ description: |-\r
+ Protocol specifies the network protocol this listener expects to receive.\r
+\r
+ Support: Core\r
+ maxLength: 255\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$\r
+ type: string\r
+ tls:\r
+ description: |-\r
+ TLS is the TLS configuration for the Listener. This field is required if\r
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field\r
+ if the Protocol field is "HTTP", "TCP", or "UDP".\r
+\r
+ The association of SNIs to Certificate defined in GatewayTLSConfig is\r
+ defined based on the Hostname field for this listener.\r
+\r
+ The GatewayClass MUST use the longest matching SNI out of all\r
+ available certificates for any TLS handshake.\r
+\r
+ Support: Core\r
+ properties:\r
+ certificateRefs:\r
+ description: |-\r
+ CertificateRefs contains a series of references to Kubernetes objects that\r
+ contains TLS certificates and private keys. These certificates are used to\r
+ establish a TLS handshake for requests that match the hostname of the\r
+ associated listener.\r
+\r
+ A single CertificateRef to a Kubernetes Secret has "Core" support.\r
+ Implementations MAY choose to support attaching multiple certificates to\r
+ a Listener, but this behavior is implementation-specific.\r
+\r
+ References to a resource in different namespace are invalid UNLESS there\r
+ is a ReferenceGrant in the target namespace that allows the certificate\r
+ to be attached. If a ReferenceGrant does not allow this reference, the\r
+ "ResolvedRefs" condition MUST be set to False for this listener with the\r
+ "RefNotPermitted" reason.\r
+\r
+ This field is required to have at least one element when the mode is set\r
+ to "Terminate" (default) and is optional otherwise.\r
+\r
+ CertificateRefs can reference to standard Kubernetes resources, i.e.\r
+ Secret, or implementation-specific custom resources.\r
+\r
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls\r
+\r
+ Support: Implementation-specific (More than one reference or other resource types)\r
+ items:\r
+ description: |-\r
+ SecretObjectReference identifies an API object including its namespace,\r
+ defaulting to Secret.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+\r
+ References to objects with invalid Group and Kind are not valid, and must\r
+ be rejected by the implementation, with appropriate Conditions set\r
+ on the containing object.\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Secret\r
+ description: Kind is kind of the referent. For example\r
+ "Secret".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referenced object. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ mode:\r
+ default: Terminate\r
+ description: |-\r
+ Mode defines the TLS behavior for the TLS session initiated by the client.\r
+ There are two possible modes:\r
+\r
+ - Terminate: The TLS session between the downstream client and the\r
+ Gateway is terminated at the Gateway. This mode requires certificates\r
+ to be specified in some way, such as populating the certificateRefs\r
+ field.\r
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This\r
+ implies that the Gateway can't decipher the TLS stream except for\r
+ the ClientHello message of the TLS protocol. The certificateRefs field\r
+ is ignored in this mode.\r
+\r
+ Support: Core\r
+ enum:\r
+ - Terminate\r
+ - Passthrough\r
+ type: string\r
+ options:\r
+ additionalProperties:\r
+ description: |-\r
+ AnnotationValue is the value of an annotation in Gateway API. This is used\r
+ for validation of maps such as TLS options. This roughly matches Kubernetes\r
+ annotation validation, although the length validation in that case is based\r
+ on the entire size of the annotations struct.\r
+ maxLength: 4096\r
+ minLength: 0\r
+ type: string\r
+ description: |-\r
+ Options are a list of key/value pairs to enable extended TLS\r
+ configuration for each implementation. For example, configuring the\r
+ minimum TLS version or supported cipher suites.\r
+\r
+ A set of common keys MAY be defined by the API in the future. To avoid\r
+ any ambiguity, implementation-specific definitions MUST use\r
+ domain-prefixed names, such as `example.com/my-custom-option`.\r
+ Un-prefixed names are reserved for key names defined by Gateway API.\r
+\r
+ Support: Implementation-specific\r
+ maxProperties: 16\r
+ type: object\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: certificateRefs or options must be specified when\r
+ mode is Terminate\r
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)\r
+ > 0 || size(self.options) > 0 : true'\r
+ required:\r
+ - name\r
+ - port\r
+ - protocol\r
+ type: object\r
+ maxItems: 64\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ x-kubernetes-validations:\r
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',\r
+ 'UDP']\r
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?\r
+ !has(l.tls) : true)'\r
+ - message: tls mode must be Terminate for protocol HTTPS\r
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode\r
+ == '''' || l.tls.mode == ''Terminate'') : true)'\r
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']\r
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)\r
+ || l.hostname == '''') : true)'\r
+ - message: Listener name must be unique within the Gateway\r
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))\r
+ - message: Combination of port, protocol and hostname must be unique\r
+ for each listener\r
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol\r
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname\r
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'\r
+ required:\r
+ - gatewayClassName\r
+ - listeners\r
+ type: object\r
+ status:\r
+ default:\r
+ conditions:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Programmed\r
+ description: Status defines the current state of Gateway.\r
+ properties:\r
+ addresses:\r
+ description: |+\r
+ Addresses lists the network addresses that have been bound to the\r
+ Gateway.\r
+\r
+ This list may differ from the addresses provided in the spec under some\r
+ conditions:\r
+\r
+ * no addresses are specified, all addresses are dynamically assigned\r
+ * a combination of specified and dynamic addresses are assigned\r
+ * a specified address was unusable (e.g. already in use)\r
+\r
+ items:\r
+ description: GatewayStatusAddress describes a network address that\r
+ is bound to a Gateway.\r
+ oneOf:\r
+ - properties:\r
+ type:\r
+ enum:\r
+ - IPAddress\r
+ value:\r
+ anyOf:\r
+ - format: ipv4\r
+ - format: ipv6\r
+ - properties:\r
+ type:\r
+ not:\r
+ enum:\r
+ - IPAddress\r
+ properties:\r
+ type:\r
+ default: IPAddress\r
+ description: Type of the address.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ value:\r
+ description: |-\r
+ Value of the address. The validity of the values will depend\r
+ on the type and support by the controller.\r
+\r
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - value\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Hostname value must only contain valid characters (matching\r
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)\r
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):\r
+ true'\r
+ maxItems: 16\r
+ type: array\r
+ conditions:\r
+ default:\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Accepted\r
+ - lastTransitionTime: "1970-01-01T00:00:00Z"\r
+ message: Waiting for controller\r
+ reason: Pending\r
+ status: Unknown\r
+ type: Programmed\r
+ description: |-\r
+ Conditions describe the current conditions of the Gateway.\r
+\r
+ Implementations should prefer to express Gateway conditions\r
+ using the `GatewayConditionType` and `GatewayConditionReason`\r
+ constants so that operators and tools can converge on a common\r
+ vocabulary to describe Gateway state.\r
+\r
+ Known condition types are:\r
+\r
+ * "Accepted"\r
+ * "Programmed"\r
+ * "Ready"\r
+ items:\r
+ description: Condition contains details for one aspect of the current\r
+ state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False, Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ listeners:\r
+ description: Listeners provide status for each unique listener port\r
+ defined in the Spec.\r
+ items:\r
+ description: ListenerStatus is the status associated with a Listener.\r
+ properties:\r
+ attachedRoutes:\r
+ description: |-\r
+ AttachedRoutes represents the total number of Routes that have been\r
+ successfully attached to this Listener.\r
+\r
+ Successful attachment of a Route to a Listener is based solely on the\r
+ combination of the AllowedRoutes field on the corresponding Listener\r
+ and the Route's ParentRefs field. A Route is successfully attached to\r
+ a Listener when it is selected by the Listener's AllowedRoutes field\r
+ AND the Route has a valid ParentRef selecting the whole Gateway\r
+ resource or a specific Listener as a parent resource (more detail on\r
+ attachment semantics can be found in the documentation on the various\r
+ Route kinds ParentRefs fields). Listener or Route status does not impact\r
+ successful attachment, i.e. the AttachedRoutes field count MUST be set\r
+ for Listeners with condition Accepted: false and MUST count successfully\r
+ attached Routes that may themselves have Accepted: false conditions.\r
+\r
+ Uses for this field include troubleshooting Route attachment and\r
+ measuring blast radius/impact of changes to a Listener.\r
+ format: int32\r
+ type: integer\r
+ conditions:\r
+ description: Conditions describe the current condition of this\r
+ listener.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ name:\r
+ description: Name is the name of the Listener that this status\r
+ corresponds to.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ supportedKinds:\r
+ description: |-\r
+ SupportedKinds is the list indicating the Kinds supported by this\r
+ listener. This MUST represent the kinds an implementation supports for\r
+ that Listener configuration.\r
+\r
+ If kinds are specified in Spec that are not supported, they MUST NOT\r
+ appear in this list and an implementation MUST set the "ResolvedRefs"\r
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid\r
+ and invalid Route kinds are specified, the implementation MUST\r
+ reference the valid Route kinds that have been specified.\r
+ items:\r
+ description: RouteGroupKind indicates the group and kind of\r
+ a Route resource.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: Group is the group of the Route.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is the kind of the Route.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ required:\r
+ - kind\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ required:\r
+ - attachedRoutes\r
+ - conditions\r
+ - name\r
+ - supportedKinds\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: false\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: standard\r
+ creationTimestamp: null\r
+ name: grpcroutes.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: GRPCRoute\r
+ listKind: GRPCRouteList\r
+ plural: grpcroutes\r
+ singular: grpcroute\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.hostnames\r
+ name: Hostnames\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ GRPCRoute provides a way to route gRPC requests. This includes the capability\r
+ to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.\r
+ Filters can be used to specify additional processing steps. Backends specify\r
+ where matching requests will be routed.\r
+\r
+ GRPCRoute falls under extended support within the Gateway API. Within the\r
+ following specification, the word "MUST" indicates that an implementation\r
+ supporting GRPCRoute must conform to the indicated requirement, but an\r
+ implementation not supporting this route type need not follow the requirement\r
+ unless explicitly indicated.\r
+\r
+ Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST\r
+ accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via\r
+ ALPN. If the implementation does not support this, then it MUST set the\r
+ "Accepted" condition to "False" for the affected listener with a reason of\r
+ "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections\r
+ with an upgrade from HTTP/1.\r
+\r
+ Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST\r
+ support HTTP/2 over cleartext TCP (h2c,\r
+ https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial\r
+ upgrade from HTTP/1.1, i.e. with prior knowledge\r
+ (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation\r
+ does not support this, then it MUST set the "Accepted" condition to "False"\r
+ for the affected listener with a reason of "UnsupportedProtocol".\r
+ Implementations MAY also accept HTTP/2 connections with an upgrade from\r
+ HTTP/1, i.e. without prior knowledge.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of GRPCRoute.\r
+ properties:\r
+ hostnames:\r
+ description: |-\r
+ Hostnames defines a set of hostnames to match against the GRPC\r
+ Host header to select a GRPCRoute to process the request. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label MUST appear by itself as the first label.\r
+\r
+ If a hostname is specified by both the Listener and GRPCRoute, there\r
+ MUST be at least one intersecting hostname for the GRPCRoute to be\r
+ attached to the Listener. For example:\r
+\r
+ * A Listener with `test.example.com` as the hostname matches GRPCRoutes\r
+ that have either not specified any hostnames, or have specified at\r
+ least one of `test.example.com` or `*.example.com`.\r
+ * A Listener with `*.example.com` as the hostname matches GRPCRoutes\r
+ that have either not specified any hostnames or have specified at least\r
+ one hostname that matches the Listener hostname. For example,\r
+ `test.example.com` and `*.example.com` would both match. On the other\r
+ hand, `example.com` and `test.example.net` would not match.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ If both the Listener and GRPCRoute have specified hostnames, any\r
+ GRPCRoute hostnames that do not match the Listener hostname MUST be\r
+ ignored. For example, if a Listener specified `*.example.com`, and the\r
+ GRPCRoute specified `test.example.com` and `test.example.net`,\r
+ `test.example.net` MUST NOT be considered for a match.\r
+\r
+ If both the Listener and GRPCRoute have specified hostnames, and none\r
+ match with the criteria above, then the GRPCRoute MUST NOT be accepted by\r
+ the implementation. The implementation MUST raise an 'Accepted' Condition\r
+ with a status of `False` in the corresponding RouteParentStatus.\r
+\r
+ If a Route (A) of type HTTPRoute or GRPCRoute is attached to a\r
+ Listener and that listener already has another Route (B) of the other\r
+ type attached and the intersection of the hostnames of A and B is\r
+ non-empty, then the implementation MUST accept exactly one of these two\r
+ routes, determined by the following criteria, in order:\r
+\r
+ * The oldest Route based on creation timestamp.\r
+ * The Route appearing first in alphabetical order by\r
+ "{namespace}/{name}".\r
+\r
+ The rejected Route MUST raise an 'Accepted' condition with a status of\r
+ 'False' in the corresponding RouteParentStatus.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Hostname is the fully qualified domain name of a network host. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ Hostname can be "precise" which is a domain name without the terminating\r
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a\r
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).\r
+\r
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case\r
+ alphanumeric characters or '-', and must start and end with an alphanumeric\r
+ character. No other punctuation is allowed.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ parentRefs:\r
+ description: |+\r
+ ParentRefs references the resources (usually Gateways) that a Route wants\r
+ to be attached to. Note that the referenced parent resource needs to\r
+ allow this for the attachment to be complete. For Gateways, that means\r
+ the Gateway needs to allow attachment from Routes of this kind and\r
+ namespace. For Services, that means the Service must either be in the same\r
+ namespace for a "producer" route, or the mesh implementation must support\r
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is\r
+ not applicable for governing ParentRefs to Services - it is not possible to\r
+ create a "producer" route for a Service in a different namespace from the\r
+ Route.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ ParentRefs must be _distinct_. This means either that:\r
+\r
+ * They select different objects. If this is the case, then parentRef\r
+ entries are distinct. In terms of fields, this means that the\r
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must\r
+ be unique across all parentRef entries in the Route.\r
+ * They do not select different objects, but for each optional field used,\r
+ each ParentRef that selects the same object must set the same set of\r
+ optional fields to different values. If one ParentRef sets a\r
+ combination of optional fields, all must set the same combination.\r
+\r
+ Some examples:\r
+\r
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the\r
+ same object must also set `sectionName`.\r
+ * If one ParentRef sets `port`, all ParentRefs referencing the same\r
+ object must also set `port`.\r
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs\r
+ referencing the same object must also set `sectionName` and `port`.\r
+\r
+ It is possible to separately reference multiple distinct objects that may\r
+ be collapsed by an implementation. For example, some implementations may\r
+ choose to merge compatible Gateway Listeners together. If that is the\r
+ case, the list of routes attached to those resources should also be\r
+ merged.\r
+\r
+ Note that for ParentRefs that cross namespace boundaries, there are specific\r
+ rules. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example,\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable other kinds of cross-namespace reference.\r
+\r
+\r
+\r
+\r
+\r
+\r
+ items:\r
+ description: |-\r
+ ParentReference identifies an API object (usually a Gateway) that can be considered\r
+ a parent of this resource (usually a route). There are two kinds of parent resources\r
+ with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: sectionName must be specified when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)\r
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName\r
+ == '''')) : true))'\r
+ - message: sectionName must be unique when parentRefs includes 2 or\r
+ more references to the same parent\r
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)\r
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName\r
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName\r
+ == p2.sectionName))))\r
+ rules:\r
+ description: |+\r
+ Rules are a list of GRPC matchers, filters and actions.\r
+\r
+ items:\r
+ description: |-\r
+ GRPCRouteRule defines the semantics for matching a gRPC request based on\r
+ conditions (matches), processing it (filters), and forwarding the request to\r
+ an API object (backendRefs).\r
+ properties:\r
+ backendRefs:\r
+ description: |-\r
+ BackendRefs defines the backend(s) where matching requests should be\r
+ sent.\r
+\r
+ Failure behavior here depends on how many BackendRefs are specified and\r
+ how many are invalid.\r
+\r
+ If *all* entries in BackendRefs are invalid, and there are also no filters\r
+ specified in this route rule, *all* traffic which matches this rule MUST\r
+ receive an `UNAVAILABLE` status.\r
+\r
+ See the GRPCBackendRef definition for the rules about what makes a single\r
+ GRPCBackendRef invalid.\r
+\r
+ When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for\r
+ requests that would have otherwise been routed to an invalid backend. If\r
+ multiple backends are specified, and some are invalid, the proportion of\r
+ requests that would otherwise have been routed to an invalid backend\r
+ MUST receive an `UNAVAILABLE` status.\r
+\r
+ For example, if two backends are specified with equal weights, and one is\r
+ invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.\r
+ Implementations may choose how that 50 percent is determined.\r
+\r
+ Support: Core for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+\r
+ Support for weight: Core\r
+ items:\r
+ description: |-\r
+ GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.\r
+\r
+ Note that when a namespace different than the local namespace is specified, a\r
+ ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ <gateway:experimental:description>\r
+\r
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD\r
+ honor the appProtocol field if it is set for the target Service Port.\r
+\r
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes\r
+ Standard Application Protocols defined in KEP-3726.\r
+\r
+ If a Service appProtocol isn't specified, an implementation MAY infer the\r
+ backend protocol through its own means. Implementations MAY infer the\r
+ protocol from the Route type referring to the backend Service.\r
+\r
+ If a Route is not able to send traffic to the backend using the specified\r
+ protocol then the backend is considered invalid. Implementations MUST set the\r
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.\r
+\r
+ </gateway:experimental:description>\r
+ properties:\r
+ filters:\r
+ description: |-\r
+ Filters defined at this level MUST be executed if and only if the\r
+ request is being forwarded to the backend defined here.\r
+\r
+ Support: Implementation-specific (For broader support of filters, use the\r
+ Filters field in GRPCRouteRule.)\r
+ items:\r
+ description: |-\r
+ GRPCRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. GRPCRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ Support: Implementation-specific\r
+\r
+ This filter can be used multiple times within the same rule.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For\r
+ example "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind\r
+ == ''Service'') ? has(self.port) : true'\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |+\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations supporting GRPCRoute MUST support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` MUST be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ enum:\r
+ - ResponseHeaderModifier\r
+ - RequestHeaderModifier\r
+ - RequestMirror\r
+ - ExtensionRef\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil\r
+ if the filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type\r
+ != ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type\r
+ == ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil\r
+ if the filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type\r
+ != ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for\r
+ RequestMirror filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type ==\r
+ ''RequestMirror'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for\r
+ ExtensionRef filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ weight:\r
+ default: 1\r
+ description: |-\r
+ Weight specifies the proportion of requests forwarded to the referenced\r
+ backend. This is computed as weight/(sum of all weights in this\r
+ BackendRefs list). For non-zero values, there may be some epsilon from\r
+ the exact proportion defined here depending on the precision an\r
+ implementation supports. Weight is not a percentage and the sum of\r
+ weights does not need to equal 100.\r
+\r
+ If only one backend is specified and it has a weight greater than 0, 100%\r
+ of the traffic is forwarded to that backend. If weight is set to 0, no\r
+ traffic should be forwarded for this entry. If unspecified, weight\r
+ defaults to 1.\r
+\r
+ Support for this field varies based on the context where used.\r
+ format: int32\r
+ maximum: 1000000\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ maxItems: 16\r
+ type: array\r
+ filters:\r
+ description: |-\r
+ Filters define the filters that are applied to requests that match\r
+ this rule.\r
+\r
+ The effects of ordering of multiple behaviors are currently unspecified.\r
+ This can change in the future based on feedback during the alpha stage.\r
+\r
+ Conformance-levels at this level are defined based on the type of filter:\r
+\r
+ - ALL core filters MUST be supported by all implementations that support\r
+ GRPCRoute.\r
+ - Implementers are encouraged to support extended filters.\r
+ - Implementation-specific custom filters have no API guarantees across\r
+ implementations.\r
+\r
+ Specifying the same filter multiple times is not supported unless explicitly\r
+ indicated in the filter.\r
+\r
+ If an implementation can not support a combination of filters, it must clearly\r
+ document that limitation. In cases where incompatible or unsupported\r
+ filters are specified and cause the `Accepted` condition to be set to status\r
+ `False`, implementations may use the `IncompatibleFilters` reason to specify\r
+ this configuration error.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ GRPCRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. GRPCRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ Support: Implementation-specific\r
+\r
+ This filter can be used multiple times within the same rule.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For example\r
+ "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |+\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations supporting GRPCRoute MUST support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` MUST be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ enum:\r
+ - ResponseHeaderModifier\r
+ - RequestHeaderModifier\r
+ - RequestMirror\r
+ - ExtensionRef\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil if the\r
+ filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type !=\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil if the\r
+ filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type !=\r
+ ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for RequestMirror\r
+ filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for ExtensionRef\r
+ filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ matches:\r
+ description: |-\r
+ Matches define conditions used for matching the rule against incoming\r
+ gRPC requests. Each match is independent, i.e. this rule will be matched\r
+ if **any** one of the matches is satisfied.\r
+\r
+ For example, take the following matches configuration:\r
+\r
+ ```\r
+ matches:\r
+ - method:\r
+ service: foo.bar\r
+ headers:\r
+ values:\r
+ version: 2\r
+ - method:\r
+ service: foo.bar.v2\r
+ ```\r
+\r
+ For a request to match against this rule, it MUST satisfy\r
+ EITHER of the two conditions:\r
+\r
+ - service of foo.bar AND contains the header `version: 2`\r
+ - service of foo.bar.v2\r
+\r
+ See the documentation for GRPCRouteMatch on how to specify multiple\r
+ match conditions to be ANDed together.\r
+\r
+ If no matches are specified, the implementation MUST match every gRPC request.\r
+\r
+ Proxy or Load Balancer routing configuration generated from GRPCRoutes\r
+ MUST prioritize rules based on the following criteria, continuing on\r
+ ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.\r
+ Precedence MUST be given to the rule with the largest number of:\r
+\r
+ * Characters in a matching non-wildcard hostname.\r
+ * Characters in a matching hostname.\r
+ * Characters in a matching service.\r
+ * Characters in a matching method.\r
+ * Header matches.\r
+\r
+ If ties still exist across multiple Routes, matching precedence MUST be\r
+ determined in order of the following criteria, continuing on ties:\r
+\r
+ * The oldest Route based on creation timestamp.\r
+ * The Route appearing first in alphabetical order by\r
+ "{namespace}/{name}".\r
+\r
+ If ties still exist within the Route that has been given precedence,\r
+ matching precedence MUST be granted to the first matching rule meeting\r
+ the above criteria.\r
+ items:\r
+ description: |-\r
+ GRPCRouteMatch defines the predicate used to match requests to a given\r
+ action. Multiple match types are ANDed together, i.e. the match will\r
+ evaluate to true only if all conditions are satisfied.\r
+\r
+ For example, the match below will match a gRPC request only if its service\r
+ is `foo` AND it contains the `version: v1` header:\r
+\r
+ ```\r
+ matches:\r
+ - method:\r
+ type: Exact\r
+ service: "foo"\r
+ headers:\r
+ - name: "version"\r
+ value "v1"\r
+\r
+ ```\r
+ properties:\r
+ headers:\r
+ description: |-\r
+ Headers specifies gRPC request header matchers. Multiple match values are\r
+ ANDed together, meaning, a request MUST match all the specified headers\r
+ to select the route.\r
+ items:\r
+ description: |-\r
+ GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request\r
+ headers.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the gRPC Header to be matched.\r
+\r
+ If multiple entries specify equivalent header names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: Type specifies how to match against\r
+ the value of the header.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of the gRPC Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ method:\r
+ description: |-\r
+ Method specifies a gRPC request service/method matcher. If this field is\r
+ not specified, all services and methods will match.\r
+ properties:\r
+ method:\r
+ description: |-\r
+ Value of the method to match against. If left empty or omitted, will\r
+ match all services.\r
+\r
+ At least one of Service and Method MUST be a non-empty string.\r
+ maxLength: 1024\r
+ type: string\r
+ service:\r
+ description: |-\r
+ Value of the service to match against. If left empty or omitted, will\r
+ match any service.\r
+\r
+ At least one of Service and Method MUST be a non-empty string.\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the service and/or method.\r
+ Support: Core (Exact with service and method specified)\r
+\r
+ Support: Implementation-specific (Exact with method specified but no service specified)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: One or both of 'service' or 'method' must be\r
+ specified\r
+ rule: 'has(self.type) ? has(self.service) || has(self.method)\r
+ : true'\r
+ - message: service must only contain valid characters\r
+ (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)\r
+ rule: '(!has(self.type) || self.type == ''Exact'') &&\r
+ has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):\r
+ true'\r
+ - message: method must only contain valid characters (matching\r
+ ^[A-Za-z_][A-Za-z_0-9]*$)\r
+ rule: '(!has(self.type) || self.type == ''Exact'') &&\r
+ has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):\r
+ true'\r
+ type: object\r
+ maxItems: 8\r
+ type: array\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: While 16 rules and 64 matches per rule are allowed, the\r
+ total number of matches across all rules in a route must be less\r
+ than 128\r
+ rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size()\r
+ : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size()\r
+ : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size()\r
+ : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size()\r
+ : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size()\r
+ : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size()\r
+ : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size()\r
+ : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size()\r
+ : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size()\r
+ : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size()\r
+ : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size()\r
+ : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size()\r
+ : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size()\r
+ : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size()\r
+ : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size()\r
+ : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size()\r
+ : 0) : 0) <= 128'\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of GRPCRoute.\r
+ properties:\r
+ parents:\r
+ description: |-\r
+ Parents is a list of parent resources (usually Gateways) that are\r
+ associated with the route, and the status of the route with respect to\r
+ each parent. When this route attaches to a parent, the controller that\r
+ manages the parent must add an entry to this list when the controller\r
+ first sees the route and should update the entry as appropriate when the\r
+ route or gateway is modified.\r
+\r
+ Note that parent references that cannot be resolved by an implementation\r
+ of this API will not be added to this list. Implementations of this API\r
+ can only populate Route status for the Gateways/parent resources they are\r
+ responsible for.\r
+\r
+ A maximum of 32 Gateways will be represented in this list. An empty list\r
+ means the route has not been attached to any Gateway.\r
+ items:\r
+ description: |-\r
+ RouteParentStatus describes the status of a route with respect to an\r
+ associated Parent.\r
+ properties:\r
+ conditions:\r
+ description: |-\r
+ Conditions describes the status of the route with respect to the Gateway.\r
+ Note that the route's availability is also subject to the Gateway's own\r
+ status conditions and listener status.\r
+\r
+ If the Route's ParentRef specifies an existing Gateway that supports\r
+ Routes of this kind AND that Gateway's controller has sufficient access,\r
+ then that Gateway's controller MUST set the "Accepted" condition on the\r
+ Route, to indicate whether the route has been accepted or rejected by the\r
+ Gateway, and why.\r
+\r
+ A Route MUST be considered "Accepted" if at least one of the Route's\r
+ rules is implemented by the Gateway.\r
+\r
+ There are a number of cases where the "Accepted" condition may not be set\r
+ due to lack of controller visibility, that includes when:\r
+\r
+ * The Route refers to a non-existent parent.\r
+ * The Route is of a type that the controller does not support.\r
+ * The Route is in a namespace the controller does not have access to.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ parentRef:\r
+ description: |-\r
+ ParentRef corresponds with a ParentRef in the spec that this\r
+ RouteParentStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ - parentRef\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ required:\r
+ - parents\r
+ type: object\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: standard\r
+ creationTimestamp: null\r
+ name: httproutes.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: HTTPRoute\r
+ listKind: HTTPRouteList\r
+ plural: httproutes\r
+ singular: httproute\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.hostnames\r
+ name: Hostnames\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ HTTPRoute provides a way to route HTTP requests. This includes the capability\r
+ to match requests by hostname, path, header, or query param. Filters can be\r
+ used to specify additional processing steps. Backends specify where matching\r
+ requests should be routed.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of HTTPRoute.\r
+ properties:\r
+ hostnames:\r
+ description: |-\r
+ Hostnames defines a set of hostnames that should match against the HTTP Host\r
+ header to select a HTTPRoute used to process the request. Implementations\r
+ MUST ignore any port value specified in the HTTP Host header while\r
+ performing a match and (absent of any applicable header modification\r
+ configuration) MUST forward this header unmodified to the backend.\r
+\r
+ Valid values for Hostnames are determined by RFC 1123 definition of a\r
+ hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ If a hostname is specified by both the Listener and HTTPRoute, there\r
+ must be at least one intersecting hostname for the HTTPRoute to be\r
+ attached to the Listener. For example:\r
+\r
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes\r
+ that have either not specified any hostnames, or have specified at\r
+ least one of `test.example.com` or `*.example.com`.\r
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes\r
+ that have either not specified any hostnames or have specified at least\r
+ one hostname that matches the Listener hostname. For example,\r
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would\r
+ all match. On the other hand, `example.com` and `test.example.net` would\r
+ not match.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ If both the Listener and HTTPRoute have specified hostnames, any\r
+ HTTPRoute hostnames that do not match the Listener hostname MUST be\r
+ ignored. For example, if a Listener specified `*.example.com`, and the\r
+ HTTPRoute specified `test.example.com` and `test.example.net`,\r
+ `test.example.net` must not be considered for a match.\r
+\r
+ If both the Listener and HTTPRoute have specified hostnames, and none\r
+ match with the criteria above, then the HTTPRoute is not accepted. The\r
+ implementation must raise an 'Accepted' Condition with a status of\r
+ `False` in the corresponding RouteParentStatus.\r
+\r
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.\r
+ overlapping wildcard matching and exact matching hostnames), precedence must\r
+ be given to rules from the HTTPRoute with the largest number of:\r
+\r
+ * Characters in a matching non-wildcard hostname.\r
+ * Characters in a matching hostname.\r
+\r
+ If ties exist across multiple Routes, the matching precedence rules for\r
+ HTTPRouteMatches takes over.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Hostname is the fully qualified domain name of a network host. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ Hostname can be "precise" which is a domain name without the terminating\r
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a\r
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).\r
+\r
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case\r
+ alphanumeric characters or '-', and must start and end with an alphanumeric\r
+ character. No other punctuation is allowed.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ parentRefs:\r
+ description: |+\r
+ ParentRefs references the resources (usually Gateways) that a Route wants\r
+ to be attached to. Note that the referenced parent resource needs to\r
+ allow this for the attachment to be complete. For Gateways, that means\r
+ the Gateway needs to allow attachment from Routes of this kind and\r
+ namespace. For Services, that means the Service must either be in the same\r
+ namespace for a "producer" route, or the mesh implementation must support\r
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is\r
+ not applicable for governing ParentRefs to Services - it is not possible to\r
+ create a "producer" route for a Service in a different namespace from the\r
+ Route.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ ParentRefs must be _distinct_. This means either that:\r
+\r
+ * They select different objects. If this is the case, then parentRef\r
+ entries are distinct. In terms of fields, this means that the\r
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must\r
+ be unique across all parentRef entries in the Route.\r
+ * They do not select different objects, but for each optional field used,\r
+ each ParentRef that selects the same object must set the same set of\r
+ optional fields to different values. If one ParentRef sets a\r
+ combination of optional fields, all must set the same combination.\r
+\r
+ Some examples:\r
+\r
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the\r
+ same object must also set `sectionName`.\r
+ * If one ParentRef sets `port`, all ParentRefs referencing the same\r
+ object must also set `port`.\r
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs\r
+ referencing the same object must also set `sectionName` and `port`.\r
+\r
+ It is possible to separately reference multiple distinct objects that may\r
+ be collapsed by an implementation. For example, some implementations may\r
+ choose to merge compatible Gateway Listeners together. If that is the\r
+ case, the list of routes attached to those resources should also be\r
+ merged.\r
+\r
+ Note that for ParentRefs that cross namespace boundaries, there are specific\r
+ rules. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example,\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable other kinds of cross-namespace reference.\r
+\r
+\r
+\r
+\r
+\r
+\r
+ items:\r
+ description: |-\r
+ ParentReference identifies an API object (usually a Gateway) that can be considered\r
+ a parent of this resource (usually a route). There are two kinds of parent resources\r
+ with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: sectionName must be specified when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)\r
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName\r
+ == '''')) : true))'\r
+ - message: sectionName must be unique when parentRefs includes 2 or\r
+ more references to the same parent\r
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)\r
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName\r
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName\r
+ == p2.sectionName))))\r
+ rules:\r
+ default:\r
+ - matches:\r
+ - path:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |+\r
+ Rules are a list of HTTP matchers, filters and actions.\r
+\r
+ items:\r
+ description: |-\r
+ HTTPRouteRule defines semantics for matching an HTTP request based on\r
+ conditions (matches), processing it (filters), and forwarding the request to\r
+ an API object (backendRefs).\r
+ properties:\r
+ backendRefs:\r
+ description: |-\r
+ BackendRefs defines the backend(s) where matching requests should be\r
+ sent.\r
+\r
+ Failure behavior here depends on how many BackendRefs are specified and\r
+ how many are invalid.\r
+\r
+ If *all* entries in BackendRefs are invalid, and there are also no filters\r
+ specified in this route rule, *all* traffic which matches this rule MUST\r
+ receive a 500 status code.\r
+\r
+ See the HTTPBackendRef definition for the rules about what makes a single\r
+ HTTPBackendRef invalid.\r
+\r
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for\r
+ requests that would have otherwise been routed to an invalid backend. If\r
+ multiple backends are specified, and some are invalid, the proportion of\r
+ requests that would otherwise have been routed to an invalid backend\r
+ MUST receive a 500 status code.\r
+\r
+ For example, if two backends are specified with equal weights, and one is\r
+ invalid, 50 percent of traffic must receive a 500. Implementations may\r
+ choose how that 50 percent is determined.\r
+\r
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,\r
+ implementations SHOULD return a 503 for requests to that backend instead.\r
+ If an implementation chooses to do this, all of the above rules for 500 responses\r
+ MUST also apply for responses that return a 503.\r
+\r
+ Support: Core for Kubernetes Service\r
+\r
+ Support: Extended for Kubernetes ServiceImport\r
+\r
+ Support: Implementation-specific for any other resource\r
+\r
+ Support for weight: Core\r
+ items:\r
+ description: |-\r
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.\r
+\r
+ Note that when a namespace different than the local namespace is specified, a\r
+ ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ <gateway:experimental:description>\r
+\r
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD\r
+ honor the appProtocol field if it is set for the target Service Port.\r
+\r
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes\r
+ Standard Application Protocols defined in KEP-3726.\r
+\r
+ If a Service appProtocol isn't specified, an implementation MAY infer the\r
+ backend protocol through its own means. Implementations MAY infer the\r
+ protocol from the Route type referring to the backend Service.\r
+\r
+ If a Route is not able to send traffic to the backend using the specified\r
+ protocol then the backend is considered invalid. Implementations MUST set the\r
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.\r
+\r
+ </gateway:experimental:description>\r
+ properties:\r
+ filters:\r
+ description: |-\r
+ Filters defined at this level should be executed if and only if the\r
+ request is being forwarded to the backend defined here.\r
+\r
+ Support: Implementation-specific (For broader support of filters, use the\r
+ Filters field in HTTPRouteRule.)\r
+ items:\r
+ description: |-\r
+ HTTPRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. HTTPRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ This filter can be used multiple times within the same rule.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For\r
+ example "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind\r
+ == ''Service'') ? has(self.port) : true'\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ requestRedirect:\r
+ description: |-\r
+ RequestRedirect defines a schema for a filter that responds to the\r
+ request with an HTTP redirection.\r
+\r
+ Support: Core\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the hostname to be used in the value of the `Location`\r
+ header in the response.\r
+ When empty, the hostname in the `Host` header of the request is used.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines parameters used to modify the path of the incoming request.\r
+ The modified path is then used to construct the `Location` header. When\r
+ empty, the request path is used as-is.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified\r
+ when type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ?\r
+ has(self.replaceFullPath) : true'\r
+ - message: type must be 'ReplaceFullPath' when\r
+ replaceFullPath is set\r
+ rule: 'has(self.replaceFullPath) ? self.type\r
+ == ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified\r
+ when type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch''\r
+ ? has(self.replacePrefixMatch) : true'\r
+ - message: type must be 'ReplacePrefixMatch'\r
+ when replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ port:\r
+ description: |-\r
+ Port is the port to be used in the value of the `Location`\r
+ header in the response.\r
+\r
+ If no port is specified, the redirect port MUST be derived using the\r
+ following rules:\r
+\r
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known\r
+ port associated with the redirect scheme. Specifically "http" to port 80\r
+ and "https" to port 443. If the redirect scheme does not have a\r
+ well-known port, the listener port of the Gateway SHOULD be used.\r
+ * If redirect scheme is empty, the redirect port MUST be the Gateway\r
+ Listener port.\r
+\r
+ Implementations SHOULD NOT add the port number in the 'Location'\r
+ header in the following cases:\r
+\r
+ * A Location header that will use HTTP (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 80.\r
+ * A Location header that will use HTTPS (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 443.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ scheme:\r
+ description: |-\r
+ Scheme is the scheme to be used in the value of the `Location` header in\r
+ the response. When empty, the scheme of the request is used.\r
+\r
+ Scheme redirects can affect the port of the redirect, for more information,\r
+ refer to the documentation for the port field of this filter.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - http\r
+ - https\r
+ type: string\r
+ statusCode:\r
+ default: 302\r
+ description: |-\r
+ StatusCode is the HTTP status code to be used in response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Core\r
+ enum:\r
+ - 301\r
+ - 302\r
+ type: integer\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |-\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations must support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by\r
+ specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` should be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - RequestHeaderModifier\r
+ - ResponseHeaderModifier\r
+ - RequestMirror\r
+ - RequestRedirect\r
+ - URLRewrite\r
+ - ExtensionRef\r
+ type: string\r
+ urlRewrite:\r
+ description: |-\r
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.\r
+\r
+ Support: Extended\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the value to be used to replace the Host header value during\r
+ forwarding.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines a path rewrite.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified\r
+ when type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ?\r
+ has(self.replaceFullPath) : true'\r
+ - message: type must be 'ReplaceFullPath' when\r
+ replaceFullPath is set\r
+ rule: 'has(self.replaceFullPath) ? self.type\r
+ == ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified\r
+ when type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch''\r
+ ? has(self.replacePrefixMatch) : true'\r
+ - message: type must be 'ReplacePrefixMatch'\r
+ when replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ type: object\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil\r
+ if the filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type\r
+ != ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type\r
+ == ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil\r
+ if the filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type\r
+ != ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for\r
+ RequestMirror filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type ==\r
+ ''RequestMirror'')'\r
+ - message: filter.requestRedirect must be nil if the\r
+ filter.type is not RequestRedirect\r
+ rule: '!(has(self.requestRedirect) && self.type !=\r
+ ''RequestRedirect'')'\r
+ - message: filter.requestRedirect must be specified\r
+ for RequestRedirect filter.type\r
+ rule: '!(!has(self.requestRedirect) && self.type ==\r
+ ''RequestRedirect'')'\r
+ - message: filter.urlRewrite must be nil if the filter.type\r
+ is not URLRewrite\r
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'\r
+ - message: filter.urlRewrite must be specified for URLRewrite\r
+ filter.type\r
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for\r
+ ExtensionRef filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')\r
+ && self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')\r
+ && self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ - message: RequestRedirect filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestRedirect').size()\r
+ <= 1\r
+ - message: URLRewrite filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'URLRewrite').size()\r
+ <= 1\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ weight:\r
+ default: 1\r
+ description: |-\r
+ Weight specifies the proportion of requests forwarded to the referenced\r
+ backend. This is computed as weight/(sum of all weights in this\r
+ BackendRefs list). For non-zero values, there may be some epsilon from\r
+ the exact proportion defined here depending on the precision an\r
+ implementation supports. Weight is not a percentage and the sum of\r
+ weights does not need to equal 100.\r
+\r
+ If only one backend is specified and it has a weight greater than 0, 100%\r
+ of the traffic is forwarded to that backend. If weight is set to 0, no\r
+ traffic should be forwarded for this entry. If unspecified, weight\r
+ defaults to 1.\r
+\r
+ Support for this field varies based on the context where used.\r
+ format: int32\r
+ maximum: 1000000\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ maxItems: 16\r
+ type: array\r
+ filters:\r
+ description: |-\r
+ Filters define the filters that are applied to requests that match\r
+ this rule.\r
+\r
+ Wherever possible, implementations SHOULD implement filters in the order\r
+ they are specified.\r
+\r
+ Implementations MAY choose to implement this ordering strictly, rejecting\r
+ any combination or order of filters that can not be supported. If implementations\r
+ choose a strict interpretation of filter ordering, they MUST clearly document\r
+ that behavior.\r
+\r
+ To reject an invalid combination or order of filters, implementations SHOULD\r
+ consider the Route Rules with this configuration invalid. If all Route Rules\r
+ in a Route are invalid, the entire Route would be considered invalid. If only\r
+ a portion of Route Rules are invalid, implementations MUST set the\r
+ "PartiallyInvalid" condition for the Route.\r
+\r
+ Conformance-levels at this level are defined based on the type of filter:\r
+\r
+ - ALL core filters MUST be supported by all implementations.\r
+ - Implementers are encouraged to support extended filters.\r
+ - Implementation-specific custom filters have no API guarantees across\r
+ implementations.\r
+\r
+ Specifying the same filter multiple times is not supported unless explicitly\r
+ indicated in the filter.\r
+\r
+ All filters are expected to be compatible with each other except for the\r
+ URLRewrite and RequestRedirect filters, which may not be combined. If an\r
+ implementation can not support other combinations of filters, they must clearly\r
+ document that limitation. In cases where incompatible or unsupported\r
+ filters are specified and cause the `Accepted` condition to be set to status\r
+ `False`, implementations may use the `IncompatibleFilters` reason to specify\r
+ this configuration error.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ HTTPRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. HTTPRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ This filter can be used multiple times within the same rule.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For example\r
+ "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ requestRedirect:\r
+ description: |-\r
+ RequestRedirect defines a schema for a filter that responds to the\r
+ request with an HTTP redirection.\r
+\r
+ Support: Core\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the hostname to be used in the value of the `Location`\r
+ header in the response.\r
+ When empty, the hostname in the `Host` header of the request is used.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines parameters used to modify the path of the incoming request.\r
+ The modified path is then used to construct the `Location` header. When\r
+ empty, the request path is used as-is.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified when\r
+ type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)\r
+ : true'\r
+ - message: type must be 'ReplaceFullPath' when replaceFullPath\r
+ is set\r
+ rule: 'has(self.replaceFullPath) ? self.type ==\r
+ ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified when\r
+ type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)\r
+ : true'\r
+ - message: type must be 'ReplacePrefixMatch' when\r
+ replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ port:\r
+ description: |-\r
+ Port is the port to be used in the value of the `Location`\r
+ header in the response.\r
+\r
+ If no port is specified, the redirect port MUST be derived using the\r
+ following rules:\r
+\r
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known\r
+ port associated with the redirect scheme. Specifically "http" to port 80\r
+ and "https" to port 443. If the redirect scheme does not have a\r
+ well-known port, the listener port of the Gateway SHOULD be used.\r
+ * If redirect scheme is empty, the redirect port MUST be the Gateway\r
+ Listener port.\r
+\r
+ Implementations SHOULD NOT add the port number in the 'Location'\r
+ header in the following cases:\r
+\r
+ * A Location header that will use HTTP (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 80.\r
+ * A Location header that will use HTTPS (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 443.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ scheme:\r
+ description: |-\r
+ Scheme is the scheme to be used in the value of the `Location` header in\r
+ the response. When empty, the scheme of the request is used.\r
+\r
+ Scheme redirects can affect the port of the redirect, for more information,\r
+ refer to the documentation for the port field of this filter.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - http\r
+ - https\r
+ type: string\r
+ statusCode:\r
+ default: 302\r
+ description: |-\r
+ StatusCode is the HTTP status code to be used in response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Core\r
+ enum:\r
+ - 301\r
+ - 302\r
+ type: integer\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |-\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations must support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by\r
+ specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` should be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - RequestHeaderModifier\r
+ - ResponseHeaderModifier\r
+ - RequestMirror\r
+ - RequestRedirect\r
+ - URLRewrite\r
+ - ExtensionRef\r
+ type: string\r
+ urlRewrite:\r
+ description: |-\r
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.\r
+\r
+ Support: Extended\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the value to be used to replace the Host header value during\r
+ forwarding.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines a path rewrite.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified when\r
+ type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)\r
+ : true'\r
+ - message: type must be 'ReplaceFullPath' when replaceFullPath\r
+ is set\r
+ rule: 'has(self.replaceFullPath) ? self.type ==\r
+ ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified when\r
+ type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)\r
+ : true'\r
+ - message: type must be 'ReplacePrefixMatch' when\r
+ replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ type: object\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil if the\r
+ filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type !=\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil if the\r
+ filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type !=\r
+ ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for RequestMirror\r
+ filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'\r
+ - message: filter.requestRedirect must be nil if the filter.type\r
+ is not RequestRedirect\r
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'\r
+ - message: filter.requestRedirect must be specified for RequestRedirect\r
+ filter.type\r
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'\r
+ - message: filter.urlRewrite must be nil if the filter.type\r
+ is not URLRewrite\r
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'\r
+ - message: filter.urlRewrite must be specified for URLRewrite\r
+ filter.type\r
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for ExtensionRef\r
+ filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&\r
+ self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ - message: RequestRedirect filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=\r
+ 1\r
+ - message: URLRewrite filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1\r
+ matches:\r
+ default:\r
+ - path:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |-\r
+ Matches define conditions used for matching the rule against incoming\r
+ HTTP requests. Each match is independent, i.e. this rule will be matched\r
+ if **any** one of the matches is satisfied.\r
+\r
+ For example, take the following matches configuration:\r
+\r
+ ```\r
+ matches:\r
+ - path:\r
+ value: "/foo"\r
+ headers:\r
+ - name: "version"\r
+ value: "v2"\r
+ - path:\r
+ value: "/v2/foo"\r
+ ```\r
+\r
+ For a request to match against this rule, a request must satisfy\r
+ EITHER of the two conditions:\r
+\r
+ - path prefixed with `/foo` AND contains the header `version: v2`\r
+ - path prefix of `/v2/foo`\r
+\r
+ See the documentation for HTTPRouteMatch on how to specify multiple\r
+ match conditions that should be ANDed together.\r
+\r
+ If no matches are specified, the default is a prefix\r
+ path match on "/", which has the effect of matching every\r
+ HTTP request.\r
+\r
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes\r
+ MUST prioritize matches based on the following criteria, continuing on\r
+ ties. Across all rules specified on applicable Routes, precedence must be\r
+ given to the match having:\r
+\r
+ * "Exact" path match.\r
+ * "Prefix" path match with largest number of characters.\r
+ * Method match.\r
+ * Largest number of header matches.\r
+ * Largest number of query param matches.\r
+\r
+ Note: The precedence of RegularExpression path matches are implementation-specific.\r
+\r
+ If ties still exist across multiple Routes, matching precedence MUST be\r
+ determined in order of the following criteria, continuing on ties:\r
+\r
+ * The oldest Route based on creation timestamp.\r
+ * The Route appearing first in alphabetical order by\r
+ "{namespace}/{name}".\r
+\r
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted\r
+ to the FIRST matching rule (in list order) with a match meeting the above\r
+ criteria.\r
+\r
+ When no rules matching a request have been successfully attached to the\r
+ parent a request is coming from, a HTTP 404 status code MUST be returned.\r
+ items:\r
+ description: "HTTPRouteMatch defines the predicate used to\r
+ match requests to a given\naction. Multiple match types\r
+ are ANDed together, i.e. the match will\nevaluate to true\r
+ only if all conditions are satisfied.\n\nFor example, the\r
+ match below will match a HTTP request only if its path\nstarts\r
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t\r
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t\r
+ \ value \"v1\"\n\n```"\r
+ properties:\r
+ headers:\r
+ description: |-\r
+ Headers specifies HTTP request header matchers. Multiple match values are\r
+ ANDed together, meaning, a request must match all the specified headers\r
+ to select the route.\r
+ items:\r
+ description: |-\r
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request\r
+ headers.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+\r
+ When a header is repeated in an HTTP request, it is\r
+ implementation-specific behavior as to how this is represented.\r
+ Generally, proxies should follow the guidance from the RFC:\r
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding\r
+ processing a repeated header, with special handling for "Set-Cookie".\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the value of the header.\r
+\r
+ Support: Core (Exact)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+\r
+ Since RegularExpression HeaderMatchType has implementation-specific\r
+ conformance, implementations can support POSIX, PCRE or any other dialects\r
+ of regular expressions. Please read the implementation's documentation to\r
+ determine the supported dialect.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header to\r
+ be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ method:\r
+ description: |-\r
+ Method specifies HTTP method matcher.\r
+ When specified, this route will be matched only if the request has the\r
+ specified method.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - GET\r
+ - HEAD\r
+ - POST\r
+ - PUT\r
+ - DELETE\r
+ - CONNECT\r
+ - OPTIONS\r
+ - TRACE\r
+ - PATCH\r
+ type: string\r
+ path:\r
+ default:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |-\r
+ Path specifies a HTTP request path matcher. If this field is not\r
+ specified, a default prefix match on the "/" path is provided.\r
+ properties:\r
+ type:\r
+ default: PathPrefix\r
+ description: |-\r
+ Type specifies how to match against the path Value.\r
+\r
+ Support: Core (Exact, PathPrefix)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+ enum:\r
+ - Exact\r
+ - PathPrefix\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ default: /\r
+ description: Value of the HTTP path to match against.\r
+ maxLength: 1024\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: value must be an absolute path and start with\r
+ '/' when type one of ['Exact', 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')\r
+ : true'\r
+ - message: must not contain '//' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')\r
+ : true'\r
+ - message: must not contain '/./' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')\r
+ : true'\r
+ - message: must not contain '/../' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')\r
+ : true'\r
+ - message: must not contain '%2f' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')\r
+ : true'\r
+ - message: must not contain '%2F' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')\r
+ : true'\r
+ - message: must not contain '#' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')\r
+ : true'\r
+ - message: must not end with '/..' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')\r
+ : true'\r
+ - message: must not end with '/.' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')\r
+ : true'\r
+ - message: type must be one of ['Exact', 'PathPrefix',\r
+ 'RegularExpression']\r
+ rule: self.type in ['Exact','PathPrefix'] || self.type\r
+ == 'RegularExpression'\r
+ - message: must only contain valid characters (matching\r
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)\r
+ for types ['Exact', 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")\r
+ : true'\r
+ queryParams:\r
+ description: |-\r
+ QueryParams specifies HTTP query parameter matchers. Multiple match\r
+ values are ANDed together, meaning, a request must match all the\r
+ specified query parameters to select the route.\r
+\r
+ Support: Extended\r
+ items:\r
+ description: |-\r
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP\r
+ query parameters.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP query param to be matched. This must be an\r
+ exact string match. (See\r
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).\r
+\r
+ If multiple entries specify equivalent query param names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent query param name MUST be ignored.\r
+\r
+ If a query param is repeated in an HTTP request, the behavior is\r
+ purposely left undefined, since different data planes have different\r
+ capabilities. However, it is *recommended* that implementations should\r
+ match against the first value of the param if the data plane supports it,\r
+ as this behavior is expected in other load balancing contexts outside of\r
+ the Gateway API.\r
+\r
+ Users SHOULD NOT route traffic based on repeated query params to guard\r
+ themselves against potential differences in the implementations.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the value of the query parameter.\r
+\r
+ Support: Extended (Exact)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+\r
+ Since RegularExpression QueryParamMatchType has Implementation-specific\r
+ conformance, implementations can support POSIX, PCRE or any other\r
+ dialects of regular expressions. Please read the implementation's\r
+ documentation to determine the supported dialect.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP query param\r
+ to be matched.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ timeouts:\r
+ description: |-\r
+ Timeouts defines the timeouts that can be configured for an HTTP request.\r
+\r
+ Support: Extended\r
+ properties:\r
+ backendRequest:\r
+ description: |-\r
+ BackendRequest specifies a timeout for an individual request from the gateway\r
+ to a backend. This covers the time from when the request first starts being\r
+ sent from the gateway to when the full response has been received from the backend.\r
+\r
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout\r
+ completely. Implementations that cannot completely disable the timeout MUST\r
+ instead interpret the zero duration as the longest possible value to which\r
+ the timeout can be set.\r
+\r
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,\r
+ may result in more than one call from the gateway to the destination backend,\r
+ for example, if automatic retries are supported.\r
+\r
+ The value of BackendRequest must be a Gateway API Duration string as defined by\r
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;\r
+ when specified, the value of BackendRequest must be no more than the value of the\r
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ request:\r
+ description: |-\r
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.\r
+ If the gateway has not been able to respond before this deadline is met, the gateway\r
+ MUST return a timeout error.\r
+\r
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an\r
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds\r
+ to complete.\r
+\r
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout\r
+ completely. Implementations that cannot completely disable the timeout MUST\r
+ instead interpret the zero duration as the longest possible value to which\r
+ the timeout can be set.\r
+\r
+ This timeout is intended to cover as close to the whole request-response transaction\r
+ as possible although an implementation MAY choose to start the timeout after the entire\r
+ request stream has been received instead of immediately after the transaction is\r
+ initiated by the client.\r
+\r
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this\r
+ field is unspecified, request timeout behavior is implementation-specific.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: backendRequest timeout cannot be longer than request\r
+ timeout\r
+ rule: '!(has(self.request) && has(self.backendRequest) &&\r
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)\r
+ > duration(self.request))'\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: RequestRedirect filter must not be used together with\r
+ backendRefs\r
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?\r
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):\r
+ true'\r
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,\r
+ exactly one PathPrefix match must be specified\r
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)\r
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type\r
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))\r
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||\r
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)\r
+ : true'\r
+ - message: When using URLRewrite filter with path.replacePrefixMatch,\r
+ exactly one PathPrefix match must be specified\r
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)\r
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''\r
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)\r
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type\r
+ != ''PathPrefix'') ? false : true) : true'\r
+ - message: Within backendRefs, when using RequestRedirect filter\r
+ with path.replacePrefixMatch, exactly one PathPrefix match must\r
+ be specified\r
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,\r
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)\r
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type\r
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))\r
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)\r
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)\r
+ : true'\r
+ - message: Within backendRefs, When using URLRewrite filter with\r
+ path.replacePrefixMatch, exactly one PathPrefix match must be\r
+ specified\r
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,\r
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)\r
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''\r
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)\r
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type\r
+ != ''PathPrefix'') ? false : true) : true'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: While 16 rules and 64 matches per rule are allowed, the\r
+ total number of matches across all rules in a route must be less\r
+ than 128\r
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()\r
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()\r
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()\r
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()\r
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()\r
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()\r
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()\r
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()\r
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()\r
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()\r
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of HTTPRoute.\r
+ properties:\r
+ parents:\r
+ description: |-\r
+ Parents is a list of parent resources (usually Gateways) that are\r
+ associated with the route, and the status of the route with respect to\r
+ each parent. When this route attaches to a parent, the controller that\r
+ manages the parent must add an entry to this list when the controller\r
+ first sees the route and should update the entry as appropriate when the\r
+ route or gateway is modified.\r
+\r
+ Note that parent references that cannot be resolved by an implementation\r
+ of this API will not be added to this list. Implementations of this API\r
+ can only populate Route status for the Gateways/parent resources they are\r
+ responsible for.\r
+\r
+ A maximum of 32 Gateways will be represented in this list. An empty list\r
+ means the route has not been attached to any Gateway.\r
+ items:\r
+ description: |-\r
+ RouteParentStatus describes the status of a route with respect to an\r
+ associated Parent.\r
+ properties:\r
+ conditions:\r
+ description: |-\r
+ Conditions describes the status of the route with respect to the Gateway.\r
+ Note that the route's availability is also subject to the Gateway's own\r
+ status conditions and listener status.\r
+\r
+ If the Route's ParentRef specifies an existing Gateway that supports\r
+ Routes of this kind AND that Gateway's controller has sufficient access,\r
+ then that Gateway's controller MUST set the "Accepted" condition on the\r
+ Route, to indicate whether the route has been accepted or rejected by the\r
+ Gateway, and why.\r
+\r
+ A Route MUST be considered "Accepted" if at least one of the Route's\r
+ rules is implemented by the Gateway.\r
+\r
+ There are a number of cases where the "Accepted" condition may not be set\r
+ due to lack of controller visibility, that includes when:\r
+\r
+ * The Route refers to a non-existent parent.\r
+ * The Route is of a type that the controller does not support.\r
+ * The Route is in a namespace the controller does not have access to.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ parentRef:\r
+ description: |-\r
+ ParentRef corresponds with a ParentRef in the spec that this\r
+ RouteParentStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ - parentRef\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ required:\r
+ - parents\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources:\r
+ status: {}\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .spec.hostnames\r
+ name: Hostnames\r
+ type: string\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1beta1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ HTTPRoute provides a way to route HTTP requests. This includes the capability\r
+ to match requests by hostname, path, header, or query param. Filters can be\r
+ used to specify additional processing steps. Backends specify where matching\r
+ requests should be routed.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of HTTPRoute.\r
+ properties:\r
+ hostnames:\r
+ description: |-\r
+ Hostnames defines a set of hostnames that should match against the HTTP Host\r
+ header to select a HTTPRoute used to process the request. Implementations\r
+ MUST ignore any port value specified in the HTTP Host header while\r
+ performing a match and (absent of any applicable header modification\r
+ configuration) MUST forward this header unmodified to the backend.\r
+\r
+ Valid values for Hostnames are determined by RFC 1123 definition of a\r
+ hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ If a hostname is specified by both the Listener and HTTPRoute, there\r
+ must be at least one intersecting hostname for the HTTPRoute to be\r
+ attached to the Listener. For example:\r
+\r
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes\r
+ that have either not specified any hostnames, or have specified at\r
+ least one of `test.example.com` or `*.example.com`.\r
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes\r
+ that have either not specified any hostnames or have specified at least\r
+ one hostname that matches the Listener hostname. For example,\r
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would\r
+ all match. On the other hand, `example.com` and `test.example.net` would\r
+ not match.\r
+\r
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted\r
+ as a suffix match. That means that a match for `*.example.com` would match\r
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.\r
+\r
+ If both the Listener and HTTPRoute have specified hostnames, any\r
+ HTTPRoute hostnames that do not match the Listener hostname MUST be\r
+ ignored. For example, if a Listener specified `*.example.com`, and the\r
+ HTTPRoute specified `test.example.com` and `test.example.net`,\r
+ `test.example.net` must not be considered for a match.\r
+\r
+ If both the Listener and HTTPRoute have specified hostnames, and none\r
+ match with the criteria above, then the HTTPRoute is not accepted. The\r
+ implementation must raise an 'Accepted' Condition with a status of\r
+ `False` in the corresponding RouteParentStatus.\r
+\r
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.\r
+ overlapping wildcard matching and exact matching hostnames), precedence must\r
+ be given to rules from the HTTPRoute with the largest number of:\r
+\r
+ * Characters in a matching non-wildcard hostname.\r
+ * Characters in a matching hostname.\r
+\r
+ If ties exist across multiple Routes, the matching precedence rules for\r
+ HTTPRouteMatches takes over.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ Hostname is the fully qualified domain name of a network host. This matches\r
+ the RFC 1123 definition of a hostname with 2 notable exceptions:\r
+\r
+ 1. IPs are not allowed.\r
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\r
+ label must appear by itself as the first label.\r
+\r
+ Hostname can be "precise" which is a domain name without the terminating\r
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a\r
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).\r
+\r
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case\r
+ alphanumeric characters or '-', and must start and end with an alphanumeric\r
+ character. No other punctuation is allowed.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ parentRefs:\r
+ description: |+\r
+ ParentRefs references the resources (usually Gateways) that a Route wants\r
+ to be attached to. Note that the referenced parent resource needs to\r
+ allow this for the attachment to be complete. For Gateways, that means\r
+ the Gateway needs to allow attachment from Routes of this kind and\r
+ namespace. For Services, that means the Service must either be in the same\r
+ namespace for a "producer" route, or the mesh implementation must support\r
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is\r
+ not applicable for governing ParentRefs to Services - it is not possible to\r
+ create a "producer" route for a Service in a different namespace from the\r
+ Route.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ ParentRefs must be _distinct_. This means either that:\r
+\r
+ * They select different objects. If this is the case, then parentRef\r
+ entries are distinct. In terms of fields, this means that the\r
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must\r
+ be unique across all parentRef entries in the Route.\r
+ * They do not select different objects, but for each optional field used,\r
+ each ParentRef that selects the same object must set the same set of\r
+ optional fields to different values. If one ParentRef sets a\r
+ combination of optional fields, all must set the same combination.\r
+\r
+ Some examples:\r
+\r
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the\r
+ same object must also set `sectionName`.\r
+ * If one ParentRef sets `port`, all ParentRefs referencing the same\r
+ object must also set `port`.\r
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs\r
+ referencing the same object must also set `sectionName` and `port`.\r
+\r
+ It is possible to separately reference multiple distinct objects that may\r
+ be collapsed by an implementation. For example, some implementations may\r
+ choose to merge compatible Gateway Listeners together. If that is the\r
+ case, the list of routes attached to those resources should also be\r
+ merged.\r
+\r
+ Note that for ParentRefs that cross namespace boundaries, there are specific\r
+ rules. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example,\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable other kinds of cross-namespace reference.\r
+\r
+\r
+\r
+\r
+\r
+\r
+ items:\r
+ description: |-\r
+ ParentReference identifies an API object (usually a Gateway) that can be considered\r
+ a parent of this resource (usually a route). There are two kinds of parent resources\r
+ with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ This API may be extended in the future to support additional kinds of parent\r
+ resources.\r
+\r
+ The API object must be valid in the cluster; the Group and Kind must\r
+ be registered in the cluster for this reference to be valid.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: sectionName must be specified when parentRefs includes\r
+ 2 or more references to the same parent\r
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)\r
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName\r
+ == '''')) : true))'\r
+ - message: sectionName must be unique when parentRefs includes 2 or\r
+ more references to the same parent\r
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind\r
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)\r
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__\r
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&\r
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)\r
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName\r
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName\r
+ == p2.sectionName))))\r
+ rules:\r
+ default:\r
+ - matches:\r
+ - path:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |+\r
+ Rules are a list of HTTP matchers, filters and actions.\r
+\r
+ items:\r
+ description: |-\r
+ HTTPRouteRule defines semantics for matching an HTTP request based on\r
+ conditions (matches), processing it (filters), and forwarding the request to\r
+ an API object (backendRefs).\r
+ properties:\r
+ backendRefs:\r
+ description: |-\r
+ BackendRefs defines the backend(s) where matching requests should be\r
+ sent.\r
+\r
+ Failure behavior here depends on how many BackendRefs are specified and\r
+ how many are invalid.\r
+\r
+ If *all* entries in BackendRefs are invalid, and there are also no filters\r
+ specified in this route rule, *all* traffic which matches this rule MUST\r
+ receive a 500 status code.\r
+\r
+ See the HTTPBackendRef definition for the rules about what makes a single\r
+ HTTPBackendRef invalid.\r
+\r
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for\r
+ requests that would have otherwise been routed to an invalid backend. If\r
+ multiple backends are specified, and some are invalid, the proportion of\r
+ requests that would otherwise have been routed to an invalid backend\r
+ MUST receive a 500 status code.\r
+\r
+ For example, if two backends are specified with equal weights, and one is\r
+ invalid, 50 percent of traffic must receive a 500. Implementations may\r
+ choose how that 50 percent is determined.\r
+\r
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,\r
+ implementations SHOULD return a 503 for requests to that backend instead.\r
+ If an implementation chooses to do this, all of the above rules for 500 responses\r
+ MUST also apply for responses that return a 503.\r
+\r
+ Support: Core for Kubernetes Service\r
+\r
+ Support: Extended for Kubernetes ServiceImport\r
+\r
+ Support: Implementation-specific for any other resource\r
+\r
+ Support for weight: Core\r
+ items:\r
+ description: |-\r
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.\r
+\r
+ Note that when a namespace different than the local namespace is specified, a\r
+ ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ <gateway:experimental:description>\r
+\r
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD\r
+ honor the appProtocol field if it is set for the target Service Port.\r
+\r
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes\r
+ Standard Application Protocols defined in KEP-3726.\r
+\r
+ If a Service appProtocol isn't specified, an implementation MAY infer the\r
+ backend protocol through its own means. Implementations MAY infer the\r
+ protocol from the Route type referring to the backend Service.\r
+\r
+ If a Route is not able to send traffic to the backend using the specified\r
+ protocol then the backend is considered invalid. Implementations MUST set the\r
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.\r
+\r
+ </gateway:experimental:description>\r
+ properties:\r
+ filters:\r
+ description: |-\r
+ Filters defined at this level should be executed if and only if the\r
+ request is being forwarded to the backend defined here.\r
+\r
+ Support: Implementation-specific (For broader support of filters, use the\r
+ Filters field in HTTPRouteRule.)\r
+ items:\r
+ description: |-\r
+ HTTPRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. HTTPRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ This filter can be used multiple times within the same rule.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For\r
+ example "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind\r
+ == ''Service'') ? has(self.port) : true'\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ requestRedirect:\r
+ description: |-\r
+ RequestRedirect defines a schema for a filter that responds to the\r
+ request with an HTTP redirection.\r
+\r
+ Support: Core\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the hostname to be used in the value of the `Location`\r
+ header in the response.\r
+ When empty, the hostname in the `Host` header of the request is used.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines parameters used to modify the path of the incoming request.\r
+ The modified path is then used to construct the `Location` header. When\r
+ empty, the request path is used as-is.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified\r
+ when type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ?\r
+ has(self.replaceFullPath) : true'\r
+ - message: type must be 'ReplaceFullPath' when\r
+ replaceFullPath is set\r
+ rule: 'has(self.replaceFullPath) ? self.type\r
+ == ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified\r
+ when type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch''\r
+ ? has(self.replacePrefixMatch) : true'\r
+ - message: type must be 'ReplacePrefixMatch'\r
+ when replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ port:\r
+ description: |-\r
+ Port is the port to be used in the value of the `Location`\r
+ header in the response.\r
+\r
+ If no port is specified, the redirect port MUST be derived using the\r
+ following rules:\r
+\r
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known\r
+ port associated with the redirect scheme. Specifically "http" to port 80\r
+ and "https" to port 443. If the redirect scheme does not have a\r
+ well-known port, the listener port of the Gateway SHOULD be used.\r
+ * If redirect scheme is empty, the redirect port MUST be the Gateway\r
+ Listener port.\r
+\r
+ Implementations SHOULD NOT add the port number in the 'Location'\r
+ header in the following cases:\r
+\r
+ * A Location header that will use HTTP (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 80.\r
+ * A Location header that will use HTTPS (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 443.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ scheme:\r
+ description: |-\r
+ Scheme is the scheme to be used in the value of the `Location` header in\r
+ the response. When empty, the scheme of the request is used.\r
+\r
+ Scheme redirects can affect the port of the redirect, for more information,\r
+ refer to the documentation for the port field of this filter.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - http\r
+ - https\r
+ type: string\r
+ statusCode:\r
+ default: 302\r
+ description: |-\r
+ StatusCode is the HTTP status code to be used in response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Core\r
+ enum:\r
+ - 301\r
+ - 302\r
+ type: integer\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP\r
+ Header name and value as defined by RFC\r
+ 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP\r
+ Header to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |-\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations must support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by\r
+ specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` should be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - RequestHeaderModifier\r
+ - ResponseHeaderModifier\r
+ - RequestMirror\r
+ - RequestRedirect\r
+ - URLRewrite\r
+ - ExtensionRef\r
+ type: string\r
+ urlRewrite:\r
+ description: |-\r
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.\r
+\r
+ Support: Extended\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the value to be used to replace the Host header value during\r
+ forwarding.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines a path rewrite.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified\r
+ when type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ?\r
+ has(self.replaceFullPath) : true'\r
+ - message: type must be 'ReplaceFullPath' when\r
+ replaceFullPath is set\r
+ rule: 'has(self.replaceFullPath) ? self.type\r
+ == ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified\r
+ when type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch''\r
+ ? has(self.replacePrefixMatch) : true'\r
+ - message: type must be 'ReplacePrefixMatch'\r
+ when replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ type: object\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil\r
+ if the filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type\r
+ != ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type\r
+ == ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil\r
+ if the filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type\r
+ != ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for\r
+ RequestMirror filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type ==\r
+ ''RequestMirror'')'\r
+ - message: filter.requestRedirect must be nil if the\r
+ filter.type is not RequestRedirect\r
+ rule: '!(has(self.requestRedirect) && self.type !=\r
+ ''RequestRedirect'')'\r
+ - message: filter.requestRedirect must be specified\r
+ for RequestRedirect filter.type\r
+ rule: '!(!has(self.requestRedirect) && self.type ==\r
+ ''RequestRedirect'')'\r
+ - message: filter.urlRewrite must be nil if the filter.type\r
+ is not URLRewrite\r
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'\r
+ - message: filter.urlRewrite must be specified for URLRewrite\r
+ filter.type\r
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for\r
+ ExtensionRef filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')\r
+ && self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')\r
+ && self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ - message: RequestRedirect filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestRedirect').size()\r
+ <= 1\r
+ - message: URLRewrite filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'URLRewrite').size()\r
+ <= 1\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ weight:\r
+ default: 1\r
+ description: |-\r
+ Weight specifies the proportion of requests forwarded to the referenced\r
+ backend. This is computed as weight/(sum of all weights in this\r
+ BackendRefs list). For non-zero values, there may be some epsilon from\r
+ the exact proportion defined here depending on the precision an\r
+ implementation supports. Weight is not a percentage and the sum of\r
+ weights does not need to equal 100.\r
+\r
+ If only one backend is specified and it has a weight greater than 0, 100%\r
+ of the traffic is forwarded to that backend. If weight is set to 0, no\r
+ traffic should be forwarded for this entry. If unspecified, weight\r
+ defaults to 1.\r
+\r
+ Support for this field varies based on the context where used.\r
+ format: int32\r
+ maximum: 1000000\r
+ minimum: 0\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ maxItems: 16\r
+ type: array\r
+ filters:\r
+ description: |-\r
+ Filters define the filters that are applied to requests that match\r
+ this rule.\r
+\r
+ Wherever possible, implementations SHOULD implement filters in the order\r
+ they are specified.\r
+\r
+ Implementations MAY choose to implement this ordering strictly, rejecting\r
+ any combination or order of filters that can not be supported. If implementations\r
+ choose a strict interpretation of filter ordering, they MUST clearly document\r
+ that behavior.\r
+\r
+ To reject an invalid combination or order of filters, implementations SHOULD\r
+ consider the Route Rules with this configuration invalid. If all Route Rules\r
+ in a Route are invalid, the entire Route would be considered invalid. If only\r
+ a portion of Route Rules are invalid, implementations MUST set the\r
+ "PartiallyInvalid" condition for the Route.\r
+\r
+ Conformance-levels at this level are defined based on the type of filter:\r
+\r
+ - ALL core filters MUST be supported by all implementations.\r
+ - Implementers are encouraged to support extended filters.\r
+ - Implementation-specific custom filters have no API guarantees across\r
+ implementations.\r
+\r
+ Specifying the same filter multiple times is not supported unless explicitly\r
+ indicated in the filter.\r
+\r
+ All filters are expected to be compatible with each other except for the\r
+ URLRewrite and RequestRedirect filters, which may not be combined. If an\r
+ implementation can not support other combinations of filters, they must clearly\r
+ document that limitation. In cases where incompatible or unsupported\r
+ filters are specified and cause the `Accepted` condition to be set to status\r
+ `False`, implementations may use the `IncompatibleFilters` reason to specify\r
+ this configuration error.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ HTTPRouteFilter defines processing steps that must be completed during the\r
+ request or response lifecycle. HTTPRouteFilters are meant as an extension\r
+ point to express processing that may be done in Gateway implementations. Some\r
+ examples include request or response modification, implementing\r
+ authentication strategies, rate-limiting, and traffic shaping. API\r
+ guarantee/conformance is defined based on the type of the filter.\r
+ properties:\r
+ extensionRef:\r
+ description: |-\r
+ ExtensionRef is an optional, implementation-specific extension to the\r
+ "filter" behavior. For example, resource "myroutefilter" in group\r
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and\r
+ extended filters.\r
+\r
+ This filter can be used multiple times within the same rule.\r
+\r
+ Support: Implementation-specific\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: Kind is kind of the referent. For example\r
+ "HTTPRoute" or "Service".\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - name\r
+ type: object\r
+ requestHeaderModifier:\r
+ description: |-\r
+ RequestHeaderModifier defines a schema for a filter that modifies request\r
+ headers.\r
+\r
+ Support: Core\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ requestMirror:\r
+ description: |+\r
+ RequestMirror defines a schema for a filter that mirrors requests.\r
+ Requests are sent to the specified destination, but responses from\r
+ that destination are ignored.\r
+\r
+ This filter can be used multiple times within the same rule. Note that\r
+ not all implementations will be able to support mirroring to multiple\r
+ backends.\r
+\r
+ Support: Extended\r
+\r
+ properties:\r
+ backendRef:\r
+ description: |-\r
+ BackendRef references a resource where mirrored requests are sent.\r
+\r
+ Mirrored requests must be sent only to a single destination endpoint\r
+ within this BackendRef, irrespective of how many endpoints are present\r
+ within this BackendRef.\r
+\r
+ If the referent cannot be found, this BackendRef is invalid and must be\r
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"\r
+ condition on the Route status is set to `status: False` and not configure\r
+ this backend in the underlying implementation.\r
+\r
+ If there is a cross-namespace reference to an *existing* object\r
+ that is not allowed by a ReferenceGrant, the controller must ensure the\r
+ "ResolvedRefs" condition on the Route is set to `status: False`,\r
+ with the "RefNotPermitted" reason and not configure this backend in the\r
+ underlying implementation.\r
+\r
+ In either error case, the Message of the `ResolvedRefs` Condition\r
+ should be used to provide more detail about the problem.\r
+\r
+ Support: Extended for Kubernetes Service\r
+\r
+ Support: Implementation-specific for any other resource\r
+ properties:\r
+ group:\r
+ default: ""\r
+ description: |-\r
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".\r
+ When unspecified or empty string, core API group is inferred.\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Service\r
+ description: |-\r
+ Kind is the Kubernetes resource kind of the referent. For example\r
+ "Service".\r
+\r
+ Defaults to "Service" when not specified.\r
+\r
+ ExternalName services can refer to CNAME DNS records that may live\r
+ outside of the cluster and as such are difficult to reason about in\r
+ terms of conformance. They also may not be safe to forward to (see\r
+ CVE-2021-25740 for more information). Implementations SHOULD NOT\r
+ support ExternalName Services.\r
+\r
+ Support: Core (Services with a type other than ExternalName)\r
+\r
+ Support: Implementation-specific (Services with type ExternalName)\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: Name is the name of the referent.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the backend. When unspecified, the local\r
+ namespace is inferred.\r
+\r
+ Note that when a namespace different than the local namespace is specified,\r
+ a ReferenceGrant object is required in the referent namespace to allow that\r
+ namespace's owner to accept the reference. See the ReferenceGrant\r
+ documentation for details.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port specifies the destination port number to use for this resource.\r
+ Port is required when the referent is a Kubernetes Service. In this\r
+ case, the port number is the service port number, not the target port.\r
+ For other resources, destination port might be derived from the referent\r
+ resource or this field.\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ required:\r
+ - name\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: Must have port for Service reference\r
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')\r
+ ? has(self.port) : true'\r
+ required:\r
+ - backendRef\r
+ type: object\r
+ requestRedirect:\r
+ description: |-\r
+ RequestRedirect defines a schema for a filter that responds to the\r
+ request with an HTTP redirection.\r
+\r
+ Support: Core\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the hostname to be used in the value of the `Location`\r
+ header in the response.\r
+ When empty, the hostname in the `Host` header of the request is used.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines parameters used to modify the path of the incoming request.\r
+ The modified path is then used to construct the `Location` header. When\r
+ empty, the request path is used as-is.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified when\r
+ type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)\r
+ : true'\r
+ - message: type must be 'ReplaceFullPath' when replaceFullPath\r
+ is set\r
+ rule: 'has(self.replaceFullPath) ? self.type ==\r
+ ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified when\r
+ type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)\r
+ : true'\r
+ - message: type must be 'ReplacePrefixMatch' when\r
+ replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ port:\r
+ description: |-\r
+ Port is the port to be used in the value of the `Location`\r
+ header in the response.\r
+\r
+ If no port is specified, the redirect port MUST be derived using the\r
+ following rules:\r
+\r
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known\r
+ port associated with the redirect scheme. Specifically "http" to port 80\r
+ and "https" to port 443. If the redirect scheme does not have a\r
+ well-known port, the listener port of the Gateway SHOULD be used.\r
+ * If redirect scheme is empty, the redirect port MUST be the Gateway\r
+ Listener port.\r
+\r
+ Implementations SHOULD NOT add the port number in the 'Location'\r
+ header in the following cases:\r
+\r
+ * A Location header that will use HTTP (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 80.\r
+ * A Location header that will use HTTPS (whether that is determined via\r
+ the Listener protocol or the Scheme field) _and_ use port 443.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ scheme:\r
+ description: |-\r
+ Scheme is the scheme to be used in the value of the `Location` header in\r
+ the response. When empty, the scheme of the request is used.\r
+\r
+ Scheme redirects can affect the port of the redirect, for more information,\r
+ refer to the documentation for the port field of this filter.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - http\r
+ - https\r
+ type: string\r
+ statusCode:\r
+ default: 302\r
+ description: |-\r
+ StatusCode is the HTTP status code to be used in response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+\r
+ Support: Core\r
+ enum:\r
+ - 301\r
+ - 302\r
+ type: integer\r
+ type: object\r
+ responseHeaderModifier:\r
+ description: |-\r
+ ResponseHeaderModifier defines a schema for a filter that modifies response\r
+ headers.\r
+\r
+ Support: Extended\r
+ properties:\r
+ add:\r
+ description: |-\r
+ Add adds the given header(s) (name, value) to the request\r
+ before the action. It appends to any existing values associated\r
+ with the header name.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ add:\r
+ - name: "my-header"\r
+ value: "bar,baz"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo,bar,baz\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ remove:\r
+ description: |-\r
+ Remove the given header(s) from the HTTP request before the action. The\r
+ value of Remove is a list of HTTP header names. Note that the header\r
+ names are case-insensitive (see\r
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header1: foo\r
+ my-header2: bar\r
+ my-header3: baz\r
+\r
+ Config:\r
+ remove: ["my-header1", "my-header3"]\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header2: bar\r
+ items:\r
+ type: string\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-type: set\r
+ set:\r
+ description: |-\r
+ Set overwrites the request with the given header (name, value)\r
+ before the action.\r
+\r
+ Input:\r
+ GET /foo HTTP/1.1\r
+ my-header: foo\r
+\r
+ Config:\r
+ set:\r
+ - name: "my-header"\r
+ value: "bar"\r
+\r
+ Output:\r
+ GET /foo HTTP/1.1\r
+ my-header: bar\r
+ items:\r
+ description: HTTPHeader represents an HTTP Header\r
+ name and value as defined by RFC 7230.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, the first entry with\r
+ an equivalent name MUST be considered for a match. Subsequent entries\r
+ with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header\r
+ to be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ type:\r
+ description: |-\r
+ Type identifies the type of filter to apply. As with other API fields,\r
+ types are classified into three conformance levels:\r
+\r
+ - Core: Filter types and their corresponding configuration defined by\r
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All\r
+ implementations must support core filters.\r
+\r
+ - Extended: Filter types and their corresponding configuration defined by\r
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers\r
+ are encouraged to support extended filters.\r
+\r
+ - Implementation-specific: Filters that are defined and supported by\r
+ specific vendors.\r
+ In the future, filters showing convergence in behavior across multiple\r
+ implementations will be considered for inclusion in extended or core\r
+ conformance levels. Filter-specific configuration for such filters\r
+ is specified using the ExtensionRef field. `Type` should be set to\r
+ "ExtensionRef" for custom filters.\r
+\r
+ Implementers are encouraged to define custom implementation types to\r
+ extend the core API with implementation-specific behavior.\r
+\r
+ If a reference to a custom filter type cannot be resolved, the filter\r
+ MUST NOT be skipped. Instead, requests that would have been processed by\r
+ that filter MUST receive a HTTP error response.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - RequestHeaderModifier\r
+ - ResponseHeaderModifier\r
+ - RequestMirror\r
+ - RequestRedirect\r
+ - URLRewrite\r
+ - ExtensionRef\r
+ type: string\r
+ urlRewrite:\r
+ description: |-\r
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.\r
+\r
+ Support: Extended\r
+ properties:\r
+ hostname:\r
+ description: |-\r
+ Hostname is the value to be used to replace the Host header value during\r
+ forwarding.\r
+\r
+ Support: Extended\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ path:\r
+ description: |-\r
+ Path defines a path rewrite.\r
+\r
+ Support: Extended\r
+ properties:\r
+ replaceFullPath:\r
+ description: |-\r
+ ReplaceFullPath specifies the value with which to replace the full path\r
+ of a request during a rewrite or redirect.\r
+ maxLength: 1024\r
+ type: string\r
+ replacePrefixMatch:\r
+ description: |-\r
+ ReplacePrefixMatch specifies the value with which to replace the prefix\r
+ match of a request during a rewrite or redirect. For example, a request\r
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch\r
+ of "/xyz" would be modified to "/xyz/bar".\r
+\r
+ Note that this matches the behavior of the PathPrefix match type. This\r
+ matches full path elements. A path element refers to the list of labels\r
+ in the path split by the `/` separator. When specified, a trailing `/` is\r
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all\r
+ match the prefix `/abc`, but the path `/abcd` would not.\r
+\r
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.\r
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in\r
+ the implementation setting the Accepted Condition for the Route to `status: False`.\r
+\r
+ Request Path | Prefix Match | Replace Prefix | Modified Path\r
+ maxLength: 1024\r
+ type: string\r
+ type:\r
+ description: |-\r
+ Type defines the type of path modifier. Additional types may be\r
+ added in a future release of the API.\r
+\r
+ Note that values may be added to this enum, implementations\r
+ must ensure that unknown values will not cause a crash.\r
+\r
+ Unknown values here must result in the implementation setting the\r
+ Accepted Condition for the Route to `status: False`, with a\r
+ Reason of `UnsupportedValue`.\r
+ enum:\r
+ - ReplaceFullPath\r
+ - ReplacePrefixMatch\r
+ type: string\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: replaceFullPath must be specified when\r
+ type is set to 'ReplaceFullPath'\r
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)\r
+ : true'\r
+ - message: type must be 'ReplaceFullPath' when replaceFullPath\r
+ is set\r
+ rule: 'has(self.replaceFullPath) ? self.type ==\r
+ ''ReplaceFullPath'' : true'\r
+ - message: replacePrefixMatch must be specified when\r
+ type is set to 'ReplacePrefixMatch'\r
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)\r
+ : true'\r
+ - message: type must be 'ReplacePrefixMatch' when\r
+ replacePrefixMatch is set\r
+ rule: 'has(self.replacePrefixMatch) ? self.type\r
+ == ''ReplacePrefixMatch'' : true'\r
+ type: object\r
+ required:\r
+ - type\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: filter.requestHeaderModifier must be nil if the\r
+ filter.type is not RequestHeaderModifier\r
+ rule: '!(has(self.requestHeaderModifier) && self.type !=\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.requestHeaderModifier must be specified\r
+ for RequestHeaderModifier filter.type\r
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==\r
+ ''RequestHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be nil if the\r
+ filter.type is not ResponseHeaderModifier\r
+ rule: '!(has(self.responseHeaderModifier) && self.type !=\r
+ ''ResponseHeaderModifier'')'\r
+ - message: filter.responseHeaderModifier must be specified\r
+ for ResponseHeaderModifier filter.type\r
+ rule: '!(!has(self.responseHeaderModifier) && self.type\r
+ == ''ResponseHeaderModifier'')'\r
+ - message: filter.requestMirror must be nil if the filter.type\r
+ is not RequestMirror\r
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'\r
+ - message: filter.requestMirror must be specified for RequestMirror\r
+ filter.type\r
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'\r
+ - message: filter.requestRedirect must be nil if the filter.type\r
+ is not RequestRedirect\r
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'\r
+ - message: filter.requestRedirect must be specified for RequestRedirect\r
+ filter.type\r
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'\r
+ - message: filter.urlRewrite must be nil if the filter.type\r
+ is not URLRewrite\r
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'\r
+ - message: filter.urlRewrite must be specified for URLRewrite\r
+ filter.type\r
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'\r
+ - message: filter.extensionRef must be nil if the filter.type\r
+ is not ExtensionRef\r
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'\r
+ - message: filter.extensionRef must be specified for ExtensionRef\r
+ filter.type\r
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: May specify either httpRouteFilterRequestRedirect\r
+ or httpRouteFilterRequestRewrite, but not both\r
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&\r
+ self.exists(f, f.type == ''URLRewrite''))'\r
+ - message: RequestHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()\r
+ <= 1\r
+ - message: ResponseHeaderModifier filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()\r
+ <= 1\r
+ - message: RequestRedirect filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=\r
+ 1\r
+ - message: URLRewrite filter cannot be repeated\r
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1\r
+ matches:\r
+ default:\r
+ - path:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |-\r
+ Matches define conditions used for matching the rule against incoming\r
+ HTTP requests. Each match is independent, i.e. this rule will be matched\r
+ if **any** one of the matches is satisfied.\r
+\r
+ For example, take the following matches configuration:\r
+\r
+ ```\r
+ matches:\r
+ - path:\r
+ value: "/foo"\r
+ headers:\r
+ - name: "version"\r
+ value: "v2"\r
+ - path:\r
+ value: "/v2/foo"\r
+ ```\r
+\r
+ For a request to match against this rule, a request must satisfy\r
+ EITHER of the two conditions:\r
+\r
+ - path prefixed with `/foo` AND contains the header `version: v2`\r
+ - path prefix of `/v2/foo`\r
+\r
+ See the documentation for HTTPRouteMatch on how to specify multiple\r
+ match conditions that should be ANDed together.\r
+\r
+ If no matches are specified, the default is a prefix\r
+ path match on "/", which has the effect of matching every\r
+ HTTP request.\r
+\r
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes\r
+ MUST prioritize matches based on the following criteria, continuing on\r
+ ties. Across all rules specified on applicable Routes, precedence must be\r
+ given to the match having:\r
+\r
+ * "Exact" path match.\r
+ * "Prefix" path match with largest number of characters.\r
+ * Method match.\r
+ * Largest number of header matches.\r
+ * Largest number of query param matches.\r
+\r
+ Note: The precedence of RegularExpression path matches are implementation-specific.\r
+\r
+ If ties still exist across multiple Routes, matching precedence MUST be\r
+ determined in order of the following criteria, continuing on ties:\r
+\r
+ * The oldest Route based on creation timestamp.\r
+ * The Route appearing first in alphabetical order by\r
+ "{namespace}/{name}".\r
+\r
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted\r
+ to the FIRST matching rule (in list order) with a match meeting the above\r
+ criteria.\r
+\r
+ When no rules matching a request have been successfully attached to the\r
+ parent a request is coming from, a HTTP 404 status code MUST be returned.\r
+ items:\r
+ description: "HTTPRouteMatch defines the predicate used to\r
+ match requests to a given\naction. Multiple match types\r
+ are ANDed together, i.e. the match will\nevaluate to true\r
+ only if all conditions are satisfied.\n\nFor example, the\r
+ match below will match a HTTP request only if its path\nstarts\r
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t\r
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t\r
+ \ value \"v1\"\n\n```"\r
+ properties:\r
+ headers:\r
+ description: |-\r
+ Headers specifies HTTP request header matchers. Multiple match values are\r
+ ANDed together, meaning, a request must match all the specified headers\r
+ to select the route.\r
+ items:\r
+ description: |-\r
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request\r
+ headers.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP Header to be matched. Name matching MUST be\r
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\r
+\r
+ If multiple entries specify equivalent header names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent header name MUST be ignored. Due to the\r
+ case-insensitivity of header names, "foo" and "Foo" are considered\r
+ equivalent.\r
+\r
+ When a header is repeated in an HTTP request, it is\r
+ implementation-specific behavior as to how this is represented.\r
+ Generally, proxies should follow the guidance from the RFC:\r
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding\r
+ processing a repeated header, with special handling for "Set-Cookie".\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the value of the header.\r
+\r
+ Support: Core (Exact)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+\r
+ Since RegularExpression HeaderMatchType has implementation-specific\r
+ conformance, implementations can support POSIX, PCRE or any other dialects\r
+ of regular expressions. Please read the implementation's documentation to\r
+ determine the supported dialect.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP Header to\r
+ be matched.\r
+ maxLength: 4096\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ method:\r
+ description: |-\r
+ Method specifies HTTP method matcher.\r
+ When specified, this route will be matched only if the request has the\r
+ specified method.\r
+\r
+ Support: Extended\r
+ enum:\r
+ - GET\r
+ - HEAD\r
+ - POST\r
+ - PUT\r
+ - DELETE\r
+ - CONNECT\r
+ - OPTIONS\r
+ - TRACE\r
+ - PATCH\r
+ type: string\r
+ path:\r
+ default:\r
+ type: PathPrefix\r
+ value: /\r
+ description: |-\r
+ Path specifies a HTTP request path matcher. If this field is not\r
+ specified, a default prefix match on the "/" path is provided.\r
+ properties:\r
+ type:\r
+ default: PathPrefix\r
+ description: |-\r
+ Type specifies how to match against the path Value.\r
+\r
+ Support: Core (Exact, PathPrefix)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+ enum:\r
+ - Exact\r
+ - PathPrefix\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ default: /\r
+ description: Value of the HTTP path to match against.\r
+ maxLength: 1024\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: value must be an absolute path and start with\r
+ '/' when type one of ['Exact', 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')\r
+ : true'\r
+ - message: must not contain '//' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')\r
+ : true'\r
+ - message: must not contain '/./' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')\r
+ : true'\r
+ - message: must not contain '/../' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')\r
+ : true'\r
+ - message: must not contain '%2f' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')\r
+ : true'\r
+ - message: must not contain '%2F' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')\r
+ : true'\r
+ - message: must not contain '#' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')\r
+ : true'\r
+ - message: must not end with '/..' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')\r
+ : true'\r
+ - message: must not end with '/.' when type one of ['Exact',\r
+ 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')\r
+ : true'\r
+ - message: type must be one of ['Exact', 'PathPrefix',\r
+ 'RegularExpression']\r
+ rule: self.type in ['Exact','PathPrefix'] || self.type\r
+ == 'RegularExpression'\r
+ - message: must only contain valid characters (matching\r
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)\r
+ for types ['Exact', 'PathPrefix']\r
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")\r
+ : true'\r
+ queryParams:\r
+ description: |-\r
+ QueryParams specifies HTTP query parameter matchers. Multiple match\r
+ values are ANDed together, meaning, a request must match all the\r
+ specified query parameters to select the route.\r
+\r
+ Support: Extended\r
+ items:\r
+ description: |-\r
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP\r
+ query parameters.\r
+ properties:\r
+ name:\r
+ description: |-\r
+ Name is the name of the HTTP query param to be matched. This must be an\r
+ exact string match. (See\r
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).\r
+\r
+ If multiple entries specify equivalent query param names, only the first\r
+ entry with an equivalent name MUST be considered for a match. Subsequent\r
+ entries with an equivalent query param name MUST be ignored.\r
+\r
+ If a query param is repeated in an HTTP request, the behavior is\r
+ purposely left undefined, since different data planes have different\r
+ capabilities. However, it is *recommended* that implementations should\r
+ match against the first value of the param if the data plane supports it,\r
+ as this behavior is expected in other load balancing contexts outside of\r
+ the Gateway API.\r
+\r
+ Users SHOULD NOT route traffic based on repeated query params to guard\r
+ themselves against potential differences in the implementations.\r
+ maxLength: 256\r
+ minLength: 1\r
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$\r
+ type: string\r
+ type:\r
+ default: Exact\r
+ description: |-\r
+ Type specifies how to match against the value of the query parameter.\r
+\r
+ Support: Extended (Exact)\r
+\r
+ Support: Implementation-specific (RegularExpression)\r
+\r
+ Since RegularExpression QueryParamMatchType has Implementation-specific\r
+ conformance, implementations can support POSIX, PCRE or any other\r
+ dialects of regular expressions. Please read the implementation's\r
+ documentation to determine the supported dialect.\r
+ enum:\r
+ - Exact\r
+ - RegularExpression\r
+ type: string\r
+ value:\r
+ description: Value is the value of HTTP query param\r
+ to be matched.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - name\r
+ - value\r
+ type: object\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - name\r
+ x-kubernetes-list-type: map\r
+ type: object\r
+ maxItems: 64\r
+ type: array\r
+ timeouts:\r
+ description: |-\r
+ Timeouts defines the timeouts that can be configured for an HTTP request.\r
+\r
+ Support: Extended\r
+ properties:\r
+ backendRequest:\r
+ description: |-\r
+ BackendRequest specifies a timeout for an individual request from the gateway\r
+ to a backend. This covers the time from when the request first starts being\r
+ sent from the gateway to when the full response has been received from the backend.\r
+\r
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout\r
+ completely. Implementations that cannot completely disable the timeout MUST\r
+ instead interpret the zero duration as the longest possible value to which\r
+ the timeout can be set.\r
+\r
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,\r
+ may result in more than one call from the gateway to the destination backend,\r
+ for example, if automatic retries are supported.\r
+\r
+ The value of BackendRequest must be a Gateway API Duration string as defined by\r
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;\r
+ when specified, the value of BackendRequest must be no more than the value of the\r
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ request:\r
+ description: |-\r
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.\r
+ If the gateway has not been able to respond before this deadline is met, the gateway\r
+ MUST return a timeout error.\r
+\r
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an\r
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds\r
+ to complete.\r
+\r
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout\r
+ completely. Implementations that cannot completely disable the timeout MUST\r
+ instead interpret the zero duration as the longest possible value to which\r
+ the timeout can be set.\r
+\r
+ This timeout is intended to cover as close to the whole request-response transaction\r
+ as possible although an implementation MAY choose to start the timeout after the entire\r
+ request stream has been received instead of immediately after the transaction is\r
+ initiated by the client.\r
+\r
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this\r
+ field is unspecified, request timeout behavior is implementation-specific.\r
+\r
+ Support: Extended\r
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$\r
+ type: string\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: backendRequest timeout cannot be longer than request\r
+ timeout\r
+ rule: '!(has(self.request) && has(self.backendRequest) &&\r
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)\r
+ > duration(self.request))'\r
+ type: object\r
+ x-kubernetes-validations:\r
+ - message: RequestRedirect filter must not be used together with\r
+ backendRefs\r
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?\r
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):\r
+ true'\r
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,\r
+ exactly one PathPrefix match must be specified\r
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)\r
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type\r
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))\r
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||\r
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)\r
+ : true'\r
+ - message: When using URLRewrite filter with path.replacePrefixMatch,\r
+ exactly one PathPrefix match must be specified\r
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)\r
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''\r
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)\r
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type\r
+ != ''PathPrefix'') ? false : true) : true'\r
+ - message: Within backendRefs, when using RequestRedirect filter\r
+ with path.replacePrefixMatch, exactly one PathPrefix match must\r
+ be specified\r
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,\r
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)\r
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type\r
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))\r
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)\r
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)\r
+ : true'\r
+ - message: Within backendRefs, When using URLRewrite filter with\r
+ path.replacePrefixMatch, exactly one PathPrefix match must be\r
+ specified\r
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,\r
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)\r
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''\r
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)\r
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type\r
+ != ''PathPrefix'') ? false : true) : true'\r
+ maxItems: 16\r
+ type: array\r
+ x-kubernetes-validations:\r
+ - message: While 16 rules and 64 matches per rule are allowed, the\r
+ total number of matches across all rules in a route must be less\r
+ than 128\r
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()\r
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()\r
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()\r
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()\r
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()\r
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()\r
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()\r
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()\r
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()\r
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()\r
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'\r
+ type: object\r
+ status:\r
+ description: Status defines the current state of HTTPRoute.\r
+ properties:\r
+ parents:\r
+ description: |-\r
+ Parents is a list of parent resources (usually Gateways) that are\r
+ associated with the route, and the status of the route with respect to\r
+ each parent. When this route attaches to a parent, the controller that\r
+ manages the parent must add an entry to this list when the controller\r
+ first sees the route and should update the entry as appropriate when the\r
+ route or gateway is modified.\r
+\r
+ Note that parent references that cannot be resolved by an implementation\r
+ of this API will not be added to this list. Implementations of this API\r
+ can only populate Route status for the Gateways/parent resources they are\r
+ responsible for.\r
+\r
+ A maximum of 32 Gateways will be represented in this list. An empty list\r
+ means the route has not been attached to any Gateway.\r
+ items:\r
+ description: |-\r
+ RouteParentStatus describes the status of a route with respect to an\r
+ associated Parent.\r
+ properties:\r
+ conditions:\r
+ description: |-\r
+ Conditions describes the status of the route with respect to the Gateway.\r
+ Note that the route's availability is also subject to the Gateway's own\r
+ status conditions and listener status.\r
+\r
+ If the Route's ParentRef specifies an existing Gateway that supports\r
+ Routes of this kind AND that Gateway's controller has sufficient access,\r
+ then that Gateway's controller MUST set the "Accepted" condition on the\r
+ Route, to indicate whether the route has been accepted or rejected by the\r
+ Gateway, and why.\r
+\r
+ A Route MUST be considered "Accepted" if at least one of the Route's\r
+ rules is implemented by the Gateway.\r
+\r
+ There are a number of cases where the "Accepted" condition may not be set\r
+ due to lack of controller visibility, that includes when:\r
+\r
+ * The Route refers to a non-existent parent.\r
+ * The Route is of a type that the controller does not support.\r
+ * The Route is in a namespace the controller does not have access to.\r
+ items:\r
+ description: Condition contains details for one aspect of\r
+ the current state of this API Resource.\r
+ properties:\r
+ lastTransitionTime:\r
+ description: |-\r
+ lastTransitionTime is the last time the condition transitioned from one status to another.\r
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.\r
+ format: date-time\r
+ type: string\r
+ message:\r
+ description: |-\r
+ message is a human readable message indicating details about the transition.\r
+ This may be an empty string.\r
+ maxLength: 32768\r
+ type: string\r
+ observedGeneration:\r
+ description: |-\r
+ observedGeneration represents the .metadata.generation that the condition was set based upon.\r
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\r
+ with respect to the current state of the instance.\r
+ format: int64\r
+ minimum: 0\r
+ type: integer\r
+ reason:\r
+ description: |-\r
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.\r
+ Producers of specific condition types may define expected values and meanings for this field,\r
+ and whether the values are considered a guaranteed API.\r
+ The value should be a CamelCase string.\r
+ This field may not be empty.\r
+ maxLength: 1024\r
+ minLength: 1\r
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$\r
+ type: string\r
+ status:\r
+ description: status of the condition, one of True, False,\r
+ Unknown.\r
+ enum:\r
+ - "True"\r
+ - "False"\r
+ - Unknown\r
+ type: string\r
+ type:\r
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.\r
+ maxLength: 316\r
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$\r
+ type: string\r
+ required:\r
+ - lastTransitionTime\r
+ - message\r
+ - reason\r
+ - status\r
+ - type\r
+ type: object\r
+ maxItems: 8\r
+ minItems: 1\r
+ type: array\r
+ x-kubernetes-list-map-keys:\r
+ - type\r
+ x-kubernetes-list-type: map\r
+ controllerName:\r
+ description: |-\r
+ ControllerName is a domain/path string that indicates the name of the\r
+ controller that wrote this status. This corresponds with the\r
+ controllerName field on GatewayClass.\r
+\r
+ Example: "example.net/gateway-controller".\r
+\r
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are\r
+ valid Kubernetes names\r
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\r
+\r
+ Controllers MUST populate this field when writing status. Controllers should ensure that\r
+ entries to status populated with their ControllerName are cleaned up when they are no\r
+ longer necessary.\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$\r
+ type: string\r
+ parentRef:\r
+ description: |-\r
+ ParentRef corresponds with a ParentRef in the spec that this\r
+ RouteParentStatus struct describes the status of.\r
+ properties:\r
+ group:\r
+ default: gateway.networking.k8s.io\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When unspecified, "gateway.networking.k8s.io" is inferred.\r
+ To set the core API group (such as for a "Service" kind referent),\r
+ Group must be explicitly set to "" (empty string).\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ default: Gateway\r
+ description: |-\r
+ Kind is kind of the referent.\r
+\r
+ There are two kinds of parent resources with "Core" support:\r
+\r
+ * Gateway (Gateway conformance profile)\r
+ * Service (Mesh conformance profile, ClusterIP Services only)\r
+\r
+ Support for other resources is Implementation-Specific.\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent. When unspecified, this refers\r
+ to the local namespace of the Route.\r
+\r
+ Note that there are specific rules for ParentRefs which cross namespace\r
+ boundaries. Cross-namespace references are only valid if they are explicitly\r
+ allowed by something in the namespace they are referring to. For example:\r
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a\r
+ generic way to enable any other kind of cross-namespace reference.\r
+\r
+\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ port:\r
+ description: |-\r
+ Port is the network port this Route targets. It can be interpreted\r
+ differently based on the type of parent resource.\r
+\r
+ When the parent resource is a Gateway, this targets all listeners\r
+ listening on the specified port that also support this kind of Route(and\r
+ select this Route). It's not recommended to set `Port` unless the\r
+ networking behaviors specified in a Route must apply to a specific port\r
+ as opposed to a listener(s) whose port(s) may be changed. When both Port\r
+ and SectionName are specified, the name and port of the selected listener\r
+ must match both specified values.\r
+\r
+\r
+\r
+ Implementations MAY choose to support other parent resources.\r
+ Implementations supporting other types of parent resources MUST clearly\r
+ document how/if Port is interpreted.\r
+\r
+ For the purpose of status, an attachment is considered successful as\r
+ long as the parent resource accepts it partially. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment\r
+ from the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route,\r
+ the Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Extended\r
+ format: int32\r
+ maximum: 65535\r
+ minimum: 1\r
+ type: integer\r
+ sectionName:\r
+ description: |-\r
+ SectionName is the name of a section within the target resource. In the\r
+ following resources, SectionName is interpreted as the following:\r
+\r
+ * Gateway: Listener name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+ * Service: Port name. When both Port (experimental) and SectionName\r
+ are specified, the name and port of the selected listener must match\r
+ both specified values.\r
+\r
+ Implementations MAY choose to support attaching Routes to other resources.\r
+ If that is the case, they MUST clearly document how SectionName is\r
+ interpreted.\r
+\r
+ When unspecified (empty string), this will reference the entire resource.\r
+ For the purpose of status, an attachment is considered successful if at\r
+ least one section in the parent resource accepts it. For example, Gateway\r
+ listeners can restrict which Routes can attach to them by Route kind,\r
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\r
+ the referencing Route, the Route MUST be considered successfully\r
+ attached. If no Gateway listeners accept attachment from this Route, the\r
+ Route MUST be considered detached from the Gateway.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ required:\r
+ - name\r
+ type: object\r
+ required:\r
+ - controllerName\r
+ - parentRef\r
+ type: object\r
+ maxItems: 32\r
+ type: array\r
+ required:\r
+ - parents\r
+ type: object\r
+ required:\r
+ - spec\r
+ type: object\r
+ served: true\r
+ storage: false\r
+ subresources:\r
+ status: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1\r
+kind: CustomResourceDefinition\r
+metadata:\r
+ annotations:\r
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328\r
+ gateway.networking.k8s.io/bundle-version: v1.2.1\r
+ gateway.networking.k8s.io/channel: standard\r
+ creationTimestamp: null\r
+ name: referencegrants.gateway.networking.k8s.io\r
+spec:\r
+ group: gateway.networking.k8s.io\r
+ names:\r
+ categories:\r
+ - gateway-api\r
+ kind: ReferenceGrant\r
+ listKind: ReferenceGrantList\r
+ plural: referencegrants\r
+ shortNames:\r
+ - refgrant\r
+ singular: referencegrant\r
+ scope: Namespaced\r
+ versions:\r
+ - additionalPrinterColumns:\r
+ - jsonPath: .metadata.creationTimestamp\r
+ name: Age\r
+ type: date\r
+ name: v1beta1\r
+ schema:\r
+ openAPIV3Schema:\r
+ description: |-\r
+ ReferenceGrant identifies kinds of resources in other namespaces that are\r
+ trusted to reference the specified kinds of resources in the same namespace\r
+ as the policy.\r
+\r
+ Each ReferenceGrant can be used to represent a unique trust relationship.\r
+ Additional Reference Grants can be used to add to the set of trusted\r
+ sources of inbound references for the namespace they are defined within.\r
+\r
+ All cross-namespace references in Gateway API (with the exception of cross-namespace\r
+ Gateway-route attachment) require a ReferenceGrant.\r
+\r
+ ReferenceGrant is a form of runtime verification allowing users to assert\r
+ which cross-namespace object references are permitted. Implementations that\r
+ support ReferenceGrant MUST NOT permit cross-namespace references which have\r
+ no grant, and MUST respond to the removal of a grant by revoking the access\r
+ that the grant allowed.\r
+ properties:\r
+ apiVersion:\r
+ description: |-\r
+ APIVersion defines the versioned schema of this representation of an object.\r
+ Servers should convert recognized schemas to the latest internal value, and\r
+ may reject unrecognized values.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is a string value representing the REST resource this object represents.\r
+ Servers may infer this from the endpoint the client submits requests to.\r
+ Cannot be updated.\r
+ In CamelCase.\r
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\r
+ type: string\r
+ metadata:\r
+ type: object\r
+ spec:\r
+ description: Spec defines the desired state of ReferenceGrant.\r
+ properties:\r
+ from:\r
+ description: |-\r
+ From describes the trusted namespaces and kinds that can reference the\r
+ resources described in "To". Each entry in this list MUST be considered\r
+ to be an additional place that references can be valid from, or to put\r
+ this another way, entries MUST be combined using OR.\r
+\r
+ Support: Core\r
+ items:\r
+ description: ReferenceGrantFrom describes trusted namespaces and\r
+ kinds.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When empty, the Kubernetes core API group is inferred.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is the kind of the referent. Although implementations may support\r
+ additional resources, the following types are part of the "Core"\r
+ support level for this field.\r
+\r
+ When used to permit a SecretObjectReference:\r
+\r
+ * Gateway\r
+\r
+ When used to permit a BackendObjectReference:\r
+\r
+ * GRPCRoute\r
+ * HTTPRoute\r
+ * TCPRoute\r
+ * TLSRoute\r
+ * UDPRoute\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ namespace:\r
+ description: |-\r
+ Namespace is the namespace of the referent.\r
+\r
+ Support: Core\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ - namespace\r
+ type: object\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ to:\r
+ description: |-\r
+ To describes the resources that may be referenced by the resources\r
+ described in "From". Each entry in this list MUST be considered to be an\r
+ additional place that references can be valid to, or to put this another\r
+ way, entries MUST be combined using OR.\r
+\r
+ Support: Core\r
+ items:\r
+ description: |-\r
+ ReferenceGrantTo describes what Kinds are allowed as targets of the\r
+ references.\r
+ properties:\r
+ group:\r
+ description: |-\r
+ Group is the group of the referent.\r
+ When empty, the Kubernetes core API group is inferred.\r
+\r
+ Support: Core\r
+ maxLength: 253\r
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\r
+ type: string\r
+ kind:\r
+ description: |-\r
+ Kind is the kind of the referent. Although implementations may support\r
+ additional resources, the following types are part of the "Core"\r
+ support level for this field:\r
+\r
+ * Secret when used to permit a SecretObjectReference\r
+ * Service when used to permit a BackendObjectReference\r
+ maxLength: 63\r
+ minLength: 1\r
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\r
+ type: string\r
+ name:\r
+ description: |-\r
+ Name is the name of the referent. When unspecified, this policy\r
+ refers to all resources of the specified Group and Kind in the local\r
+ namespace.\r
+ maxLength: 253\r
+ minLength: 1\r
+ type: string\r
+ required:\r
+ - group\r
+ - kind\r
+ type: object\r
+ maxItems: 16\r
+ minItems: 1\r
+ type: array\r
+ required:\r
+ - from\r
+ - to\r
+ type: object\r
+ type: object\r
+ served: true\r
+ storage: true\r
+ subresources: {}\r
+status:\r
+ acceptedNames:\r
+ kind: ""\r
+ plural: ""\r
+ conditions: null\r
+ storedVersions: null\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+kind: Kustomization\r
+apiVersion: kustomize.config.k8s.io/v1beta1\r
+\r
+resources:\r
+ - crd/\r
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: infra-ingress
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ labels:
+ name: infra-ingress
+spec:
+ project: argo-management
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: <ONAP_ARGO_REPO_URL>
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: ./argo/infra/ingress-routes/helm
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/infra-ingress.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - Validate=true
+ - CreateNamespace=true
+ #- PrunePropagationPolicy=foreground
+ #- PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ revisionHistoryLimit: 10
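Review bot: The `targetRevision: <ONAP_ARGO_BRANCH>` placeholders in both `sources` entries and the second `repoURL: <ONAP_ARGO_REPO_URL>` are plain scalars, while the first `repoURL` is single-quoted. After substitution, a branch name that looks like a number, or that contains ` #` or `: `, would be retyped or cut short by the YAML parser, so I would quote them all the same way, e.g. `targetRevision: '<ONAP_ARGO_BRANCH>'`. The same unquoted placeholder appears in the istio, jaeger, k8ssandra-operator, keycloak-db and keycloak Application files of this change. Because `automated.selfHeal` applies whatever that branch currently points to, a comment naming who may push to it would also help the next reviewer.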
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: v2
+version: 0.0.1
+description: Chart to create gateway and Ingress Routes
+name: ingress
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: common-gateway
+ namespace: istio-ingress
+spec:
+ gatewayClassName: istio
+ listeners:
+ - name: http
+ hostname: "*.{{ .Values.dns_zone }}"
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: All
+ - name: https
+ hostname: "*.{{ .Values.dns_zone }}"
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ mode: Terminate
+ options:
+ minProtocolVersion: TLSV1_3
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: ingress-tls-secret
+ # TODO cert from other NS eg. cert-manager https://gateway-api.sigs.k8s.io/v1alpha2/guides/tls/#cross-namespace-certificate-references
+ - name: ftp-20
+ protocol: TCP
+ port: 30026
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: TCPRoute
+ namespaces:
+ from: All
+ - name: ftp-21
+ protocol: TCP
+ port: 30025
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: TCPRoute
+ namespaces:
+ from: All
+ - name: ftp-route-passive-32100
+ protocol: TCP
+ port: 32100
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: TCPRoute
+ namespaces:
+ from: All
+ - name: ftp-route-passive-32101
+ protocol: TCP
+ port: 32101
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: TCPRoute
+ namespaces:
+ from: All
+ - name: ftp-route-passive-32102
+ protocol: TCP
+ port: 32102
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: TCPRoute
+ namespaces:
+ from: All
+ - name: cson-importer
+ protocol: TCP
+ port: 2222
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: TCPRoute
+ namespaces:
+ from: All
+ - name: tcp-4334
+ protocol: TCP
+ port: 4334
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: TCPRoute
+ namespaces:
+ from: All
+ - name: tcp-9000
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-api{{ .Values.post_addr }}.{{ .Values.dns_zone }}"
+ port: 9000
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
+ - name: tcp-9001
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-api{{ .Values.post_addr }}.{{ .Values.dns_zone }}"
+ port: 9001
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
+ - name: tcp-9002
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-api{{ .Values.post_addr }}.{{ .Values.dns_zone }}"
+ port: 9002
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
+ - name: tcp-9010
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-bootstrap-api{{ .Values.post_addr }}.{{ .Values.dns_zone }}"
+ port: 9010
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
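Review bot: Every listener sets `allowedRoutes.namespaces.from: All`, including the TLS-terminating `https` listener on the wildcard `*.{{ .Values.dns_zone }}` hostname, so any namespace whose owner can create an HTTPRoute or TCPRoute can attach to this shared gateway and claim a hostname or port on it. I would restrict attachment with `from: Selector` and a namespace label that only the platform team sets, as in the fence below (the label key is a placeholder). Separately, the `https` listener carries `minProtocolVersion: TLSV1_3` under `tls.options` but the four `protocol: TLS` listeners (`tcp-9000` to `tcp-9010`) do not, and I could not confirm from this page that Istio honours that unprefixed option key, so the TLS floor should be verified on the rendered gateway.

```yaml
# … unchanged: listener name, hostname, port, protocol …
allowedRoutes:
  namespaces:
    from: Selector
    selector:
      matchLabels:
        # placeholder label key; set only on namespaces allowed to publish routes
        example.org/gateway-access: "true"
# … unchanged: tls block …
```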
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: argocd-http-route
+ namespace: argocd
+spec:
+ parentRefs:
+ - name: common-gateway
+ namespace: istio-ingress
+ hostnames:
+ - argocd{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - backendRefs:
+ - name: argocd-server
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: argocd-redirect-route
+ namespace: argocd
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: https
+ namespace: istio-ingress
+ hostnames:
+ - argocd{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ #statusCode: 301
+ port: 443
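Review bot: The two routes are attached the wrong way round compared with the defectdojo, grafana, jaeger and kiali files: `argocd-http-route` has no `sectionName`, so it binds to every compatible listener of `common-gateway` including plain `http` on port 80, while `argocd-redirect-route` is bound to `sectionName: https`, where a redirect to `scheme: https` points the client back at the same listener. As written the Argo CD UI and its login would be reachable over cleartext HTTP, and on the HTTPS listener the redirect rule either loses to the backend route or redirects to itself. I would add `sectionName: https` to the parentRef of `argocd-http-route`, change the redirect route to `sectionName: http`, and restore `statusCode: 301`. `keycloak-ui-http-route` and `keycloak-ui-redirect-route` in the keycloak route file have the same inversion.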
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: defectdojo-route
+ namespace: defectdojo
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: https
+ namespace: istio-ingress
+ hostnames:
+ - defectdojo{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: defectdojo-django
+ port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: defectdojo-redirect-route
+ namespace: defectdojo
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: http
+ namespace: istio-ingress
+ hostnames:
+ - defectdojo{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ statusCode: 301
+ port: 443
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: grafana-route
+ namespace: prometheus
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: https
+ namespace: istio-ingress
+ hostnames:
+ - grafana{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - backendRefs:
+ - name: prometheus-grafana
+ port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: grafana-redirect-route
+ namespace: prometheus
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: http
+ namespace: istio-ingress
+ hostnames:
+ - grafana{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ statusCode: 301
+ port: 443
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: jaeger-route
+ namespace: istio-system
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: https
+ namespace: istio-ingress
+ hostnames:
+ - jaeger-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - backendRefs:
+ - name: jaeger-query
+ port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: jaeger-redirect-route
+ namespace: istio-system
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: http
+ namespace: istio-ingress
+ hostnames:
+ - jaeger-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ statusCode: 301
+ port: 443
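Review bot: `jaeger-route` publishes `jaeger-query` on the shared gateway with no authentication step visible in this change, and to my knowledge the Jaeger query UI has no login of its own, so trace data (request URLs, headers, service topology) would be readable by anyone who can reach the hostname. If the gateway is reachable beyond the operations network, I would put this host behind the Keycloak instance the same change deploys, for example with an Istio `RequestAuthentication` plus `AuthorizationPolicy` on the gateway, or add a comment naming the control that protects it.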
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: keycloak-ui-http-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ parentRefs:
+ - name: common-gateway
+ namespace: istio-ingress
+ rules:
+ - backendRefs:
+ - name: keycloak-http
+ port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: keycloak-ui-redirect-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ parentRefs:
+ - name: common-gateway
+ namespace: istio-ingress
+ sectionName: https
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ #statusCode: 301
+ port: 443
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: kiali-route
+ namespace: istio-system
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: https
+ namespace: istio-ingress
+ hostnames:
+ - kiali{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - backendRefs:
+ - name: kiali
+ port: 20001
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: kiali-redirect-route
+ namespace: istio-system
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: http
+ namespace: istio-ingress
+ hostnames:
+ - kiali{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ statusCode: 301
+ port: 443
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+post_addr: ""
+dns_zone: ""
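Review bot: Both values default to the empty string and carry no comment, and with `dns_zone: ""` the templates render `*.` as the Gateway listener hostname and names such as `argocd.` for the routes, which would presumably only be rejected at sync time. I would document them here, e.g. `# dns_zone: DNS suffix for all route hostnames, must be set (constructed sample: example.org)` and `# post_addr: optional suffix appended to the host label (constructed sample: "-dev")`. To fail the render early, the templates could use `{{ required "dns_zone must be set" .Values.dns_zone }}` instead of the bare value.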
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: istio-base
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://istio-release.storage.googleapis.com/charts
+ chart: base
+ targetRevision: 1.26.1
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/istio-base.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: istio-system
+ ignoreDifferences:
+ - group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ name: istiod-default-validator
+ jsonPointers:
+ - /webhooks/0/failurePolicy
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: istiod
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://istio-release.storage.googleapis.com/charts
+ chart: istiod
+ targetRevision: 1.26.1
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/istiod.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: istio-system
+ ignoreDifferences:
+ - group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ name: istio-validator-istio-system
+ jsonPointers:
+ - /webhooks/0/failurePolicy
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
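Review bot: The `istiod` Application has `helm:` twice in a row in its chart source, whereas the `istio-base` Application above it has the key once. Indentation is lost in this view, so this is either a duplicate mapping key, which strict YAML parsers reject and others resolve last-wins, or a nested `helm.helm` that Argo CD does not know, in which case `valueFiles` would be silently ignored and the chart deployed with its defaults. Drop the extra line so the block reads `helm:` followed by `ignoreMissingValueFiles: true` and `valueFiles:`. The same doubled line is in the jaeger, k8ssandra-operator, keycloak-db and keycloak Application files.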
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: jaeger
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://jaegertracing.github.io/helm-charts
+ chart: jaeger
+ targetRevision: 3.4.1
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/jaeger.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: istio-system
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: disabled
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: k8ssandra-operator
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://helm.k8ssandra.io/stable
+ chart: k8ssandra-operator
+ targetRevision: 1.23.1
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/k8ssandra-operator.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: k8ssandra-operator
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: keycloak-db
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: 'registry-1.docker.io/bitnamicharts'
+ path: 'postgresql'
+ chart: postgresql
+ targetRevision: 16.6.6
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/keycloak-db.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: keycloak
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
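Review bot: The chart source sets both `path: 'postgresql'` and `chart: postgresql` against the OCI registry `registry-1.docker.io/bitnamicharts`. As far as I know `path` is meant for Git sources and `chart` for Helm repositories, so having both leaves it unclear which one Argo CD acts on; I would delete the `path` line and keep `chart: postgresql`. The values file `argo/infra/values/keycloak-db.yaml` is not part of this hunk; if it carries the PostgreSQL password for Keycloak, reference a pre-created Secret through the chart's `auth.existingSecret` instead of committing the value.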
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: keycloak
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://codecentric.github.io/helm-charts
+ chart: keycloakx
+ #targetRevision: 2.5.1
+ targetRevision: 7.0.1
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/keycloak.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: keycloak
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
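Review bot: The `helm:` key is written twice in a row in the second source entry (the two lines after `targetRevision: 7.0.1`). The same doubled line appears in the keycloak-db, kiali-operator, mariadb-operator and mongodb-operator Applications in this change, while mariadb-operator-crds, nfs-server-provisioner, prometheus and strimzi have it once. The page has flattened the indentation, so this is either a duplicate mapping key, which most parsers resolve silently as last-wins, or a nested `helm.helm` that Argo CD would not read as Helm options, leaving the `valueFiles` override unapplied. I would keep a single `helm:` line in each file. Separately, the commented-out `#targetRevision: 2.5.1` is dead text; if the old version matters, a comment such as `# upgraded from 2.5.1` says why it is kept.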
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: kiali.io/v1alpha1\r
+kind: Kiali\r
+metadata:\r
+ name: kiali-instance\r
+ namespace: istio-system\r
+spec:\r
+ # changing the app_label_name, as long as not all applications using "app" label\r
+ # istio_labels:\r
+ # app_label_name: "app.kubernetes.io/name"\r
+ api:\r
+ namespaces:\r
+ include:\r
+ - "keycloak"\r
+ - "kiali-operator"\r
+ - "onap"\r
+ - "postgres-operator"\r
+ - "kiali-operator"\r
+ - "k8ssandra-operator"\r
+ - "mariadb-operator"\r
+ - "mongodb-operator"\r
+ - "psmdb-operator"\r
+ - "nonrtric-rapp"\r
+ - "strimzi-system"\r
+ - "istio-ingress"\r
+ - "istio-system"\r
+ auth:\r
+ strategy: anonymous\r
+ istio_component_namespaces:\r
+ prometheus: cluster-observability\r
+ external_services:\r
+ grafana:\r
+ internal_url: "http://prometheus-grafana.prometheus"\r
+ url: "https://grafana<POSTADDR>.<BASEURL>"\r
+ auth:\r
+ username: "admin"\r
+ password: "prom-operator"\r
+ enabled: true\r
+ prometheus:\r
+ url: "http://prometheus-kube-prometheus-prometheus.prometheus:9090"\r
+ tracing:\r
+ enabled: false\r
+ external_url: https://jaeger<POSTADDR>.<BASEURL>\r
+ internal_url: http://jaeger-query.istio-system:16685\r
+ use_grpc: true\r
+ istio:\r
+ egress_gateway_namespace: istio-ingress\r
+ ingress_gateway_namespace: istio-ingress\r
+ deployment:\r
+ view_only_mode: false\r
+ security_context:\r
+ allowPrivilegeEscalation: false\r
+ capabilities:\r
+ drop: ["CAP_NET_RAW", "ALL"]\r
+ privileged: false\r
+ readOnlyRootFilesystem: true\r
+ runAsNonRoot: true\r
+ runAsUser: 1000\r
+ runAsGroup: 1000\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ server:\r
+ web_root: "/kiali"\r
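Review bot: `auth.strategy: anonymous` together with `view_only_mode: false` means anyone who can reach the `/kiali` web root gets Kiali's write actions on the included namespaces without logging in. Unless the route is protected elsewhere (not visible in this file), I would set `view_only_mode: true` or switch to `strategy: openid` against the Keycloak instance this change also deploys. The Grafana block also commits `username: "admin"` / `password: "prom-operator"` in plain text; Kiali accepts a secret reference of the form `password: "secret:<SECRET_NAME>:<SECRET_KEY>"` (placeholder names), which keeps the credential out of the repository. Minor: `"kiali-operator"` is listed twice under `api.namespaces.include`.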
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+kind: Kustomization\r
+apiVersion: kustomize.config.k8s.io/v1beta1\r
+\r
+resources:\r
+ - kiali-instance.yaml\r
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kiali-operator
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://kiali.org/helm-charts
+ chart: kiali-operator
+ targetRevision: 2.9.0
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/kiali-operator.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: kiali-operator
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kiali-instance
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: argo/infra/kiali-instance
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: istio-system
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cert-manager.yaml
+ - istio.yaml
+ - gateway-api.yaml
+ - chartmuseum.yaml
+ - kiali-operator.yaml
+ - kiali.yaml
+ - k8ssandra-operator.yaml
+ - keycloak-db.yaml
+ - keycloak.yaml
+ - jaeger.yaml
+ - mariadb-operator.yaml
+ - mariadb-operator-crds.yaml
+ - mongodb-operator.yaml
+ - postgres-operator.yaml
+ - nfs-server-provisioner.yaml
+ - strimzi.yaml
+ - prometheus.yaml
+ - infra-ingress.yaml
+ - django-defectdojo.yaml
+ - trivy-dojo-report-operator.yaml
+ - compile-onap.yaml
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: mariadb-operator-crds
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://helm.mariadb.com/mariadb-operator
+ chart: mariadb-operator-crds
+ targetRevision: 0.38.1
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/mariadb-operator-crds.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: mariadb-operator
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: mariadb-operator
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://helm.mariadb.com/mariadb-operator
+ chart: mariadb-operator
+ targetRevision: 0.38.1
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/mariadb-operator.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: mariadb-operator
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: mongodb-operator
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://percona.github.io/percona-helm-charts
+ chart: psmdb-operator
+ targetRevision: 1.19.1
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/mongodb-operator.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: mongodb-operator
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nfs-server-provisioner
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://kvaps.github.io/charts
+ chart: nfs-server-provisioner
+ targetRevision: 1.8.0
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/nfs-server-provisioner.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: nfs-server
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: argoproj.io/v1alpha1\r
+kind: Application\r
+metadata:\r
+ name: postgres-operator\r
+ namespace: argocd\r
+ annotations:\r
+ argocd.argoproj.io/sync-wave: "-1"\r
+ finalizers:\r
+ - resources-finalizer.argocd.argoproj.io\r
+spec:\r
+ project: default\r
+ source:\r
+ repoURL: 'https://github.com/CrunchyData/postgres-operator-examples'\r
+ targetRevision: main\r
+ path: kustomize/install/default\r
+ destination:\r
+ server: https://kubernetes.default.svc\r
+ namespace: postgres-operator\r
+ syncPolicy:\r
+ syncOptions:\r
+ - CreateNamespace=true\r
+ - ServerSideApply=true\r
+ automated:\r
+ prune: true\r
+ selfHeal: true\r
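Review bot: `targetRevision: main` tracks a moving branch of a third-party GitHub repository, and with `automated` sync plus `prune: true` and `selfHeal: true` every upstream push to that branch is applied to the cluster without review. The Helm-based Applications in this change pin a chart version; this one should pin a tag or full commit SHA as well, e.g. `targetRevision: <PINNED_TAG_OR_COMMIT_SHA>` (placeholder), and be bumped deliberately. Because the path installs an operator, the applied manifests presumably include cluster-scoped RBAC and CRDs, which makes an unreviewed upstream change more consequential; that part cannot be confirmed from this file.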
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: prometheus
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://prometheus-community.github.io/helm-charts
+ chart: kube-prometheus-stack
+ # targetRevision: 67.4.0
+ targetRevision: 71.1.1
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/prometheus.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: prometheus
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: strimzi-kafka-operator
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://strimzi.io/charts/
+ chart: strimzi-kafka-operator
+ targetRevision: 0.46.0
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/strimzi.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: strimzi-system
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: trivy-dojo-report-operator
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://telekom-mms.github.io/trivy-dojo-report-operator
+ chart: trivy-dojo-report-operator
+ targetRevision: 0.8.8
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/infra/values/trivy-dojo-report-operator.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: trividojo
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: disabled
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+installCRDs: true
+
+prometheus:
+ servicemonitor:
+ enabled: false
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+replicaCount: 1
+
+image:
+ repository: ghcr.io/helm/chartmuseum
+ tag: v0.16.2
+ pullPolicy: IfNotPresent
+
+service:
+ type: ClusterIP
+ port: 8080
+
+ingress:
+ enabled: false
+
+env:
+ open:
+ STORAGE: local
+ DISABLE_API: false
+ DEBUG: true
+
+persistence:
+ storageClass: <STORAGECLASS>
+ enabled: true
+ size: 8Gi
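Review bot: `DISABLE_API: false` leaves ChartMuseum's upload and delete API on, and this values file sets no credentials. As written, any workload that can reach the ClusterIP service on port 8080 could publish or replace charts that the compile-onap values later consume from `http://chartmuseum.chartmuseum:8080`. I would configure basic auth (`BASIC_AUTH_USER` / `BASIC_AUTH_PASS`, supplied from a Secret rather than this file) or restrict access to the service with a NetworkPolicy or a mesh AuthorizationPolicy. `DEBUG: true` is worth turning off outside development. Both values are also YAML booleans that end up as environment variables; quoting them (`"false"`, `"true"`) avoids depending on how the chart renders them.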
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+repository_url: "http://chartmuseum.chartmuseum:8080"
+onap_repo: "https://gerrit.onap.org/r/oom"
+onap_repo_branch: "master"
+gerrit_review: ""
+gerrit_patchset: ""
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ defaultStorageClass: <STORAGECLASS>
+
+# Global settings
+# create defectdojo specific secret
+createSecret: true
+# create redis secret in defectdojo chart, outside of redis chart
+createRedisSecret: true
+# create postgresql secret in defectdojo chart, outside of postgresql chart
+createPostgresqlSecret: true
+# create postgresql-ha secret in defectdojo chart, outside of postgresql-ha chart
+createPostgresqlHaSecret: false
+# create postgresql-ha-pgpool secret in defectdojo chart, outside of postgresql-ha chart
+createPostgresqlHaPgpoolSecret: false
+# Primary hostname of instance
+host: defectdojo-django.defectdojo
+alternativeHosts:
+ - defectdojo<POSTADDR>.<BASEURL>
+admin:
+ user: admin
+ password: gating
+postgresql:
+ enabled: true
+ auth:
+ username: defectdojo
+ password: "defectdojo"
+ primary:
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+redis:
+ auth:
+ password: "defectdojo"
+django:
+ ingress:
+ enabled: false
+ uwsgi:
+ resources:
+ requests:
+ cpu: 300m
+ limits:
+ memory: 1Gi
+ appSettings:
+ maxFd: 102400
+extraEnv:
+ # Disable API token usage
+ #- name: DD_API_TOKENS_ENABLED
+ # value: "false"
+ #- name: DD_API_TOKEN_AUTH_ENDPOINT_ENABLED
+ # value: "false"
\ No newline at end of file
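Review bot: `admin.password: gating`, `postgresql.auth.password: "defectdojo"` and `redis.auth.password: "defectdojo"` are committed as literal values, so every deployment from this repository shares known credentials for the DefectDojo admin account and its data stores. The file already uses substitution placeholders (`<STORAGECLASS>`, `<POSTADDR>`); the passwords could follow the same pattern, e.g. `password: <DEFECTDOJO_ADMIN_PASSWORD>` (constructed placeholder name), or come from a pre-created Secret if the chart version in use supports that. Also, `extraEnv:` has only commented-out entries beneath it, so it parses as null rather than an empty list; `extraEnv: []` states the intent.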
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+post_addr: "<POSTADDR>"
+dns_zone: "<BASEURL>"
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ # configValidation enables the validation webhook for Istio configuration.
+ # TNAP: had to set it to False, as otherwise a setting is required:
+ # .Values.base.validationCABundle
+ configValidation: false
+ #hub: "<DOCKER_REPO>/istio"
+ proxy:
+ holdApplicationUntilProxyStarts: true
+
+meshConfig:
+ enablePrometheusMerge: true
+ defaultConfig:
+ tracing:
+ zipkin:
+ address: jaeger-collector.istio-system:9411
+ sampling: 100
+ meshMTLS:
+ minProtocolVersion: TLSV1_3
+ #tlsDefaults:
+ # Note: applicable only for non ISTIO_MUTUAL scenarios
+ # ecdhCurves:
+ # - P-256
+ # - P-512
+ rootNamespace: istio-config
+ extensionProviders:
+ - name: oauth2-proxy
+ envoyExtAuthzHttp:
+ service: oauth2-proxy.default.svc.cluster.local
+ port: 80
+ timeout: 1.5s
+ includeHeadersInCheck: ["authorization", "cookie"]
+ headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
+ headersToDownstreamOnDeny: ["content-type", "set-cookie"]
+
+pilot:
+ env:
+ PILOT_ENABLE_ALPHA_GATEWAY_API: true
+ PILOT_HTTP10: true
+ ENABLE_NATIVE_SIDECARS: true
+ cni:
+ enabled: false
+
+istio_cni:
+ enabled: false
+
+base:
+ enableIstioConfigCRDs: false
\ No newline at end of file
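Review bot: `configValidation: false` turns off Istio's validating webhook, so a malformed AuthorizationPolicy, PeerAuthentication or RequestAuthentication is accepted by the API server, and a policy meant to restrict traffic may not take effect. The comment explains why (the chart asked for `.Values.base.validationCABundle`) but not what replaces the check. I would extend it, e.g. `# validation webhook off: run istioctl analyze in CI before merging mesh config`, or supply the CA bundle and re-enable validation. In the commented `ecdhCurves` list, `P-512` is not a NIST curve name (the curve is P-521), which will trip whoever uncomments it. `sampling: 100` traces every request, which is presumably meant for a lab setup only.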
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+fullnameOverride: jaeger
+
+collector:
+ service:
+ zipkin:
+ port: 9411
+ otlp:
+ grpc:
+ name: otlp-grpc
+ port: 4317
+ http:
+ name: otlp-http
+ port: 4318
+
+query:
+ cmdlineParams:
+ query.max-clock-skew-adjustment: 300s
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ clusterScoped: true
+
+image:
+ registry: <DOCKER_REPO>
+ registryOverride: <DOCKER_REPO>
+
+cass-operator:
+ image:
+ registry: <DOCKER_REPO>
+ registryOverride: <DOCKER_REPO>
+ admissionWebhooks:
+ enabled: true
+
+cleaner:
+ image:
+ registry: <DOCKER_REPO>
+
+client:
+ image:
+ registry: <DOCKER_REPO>
+
+# -- Allows managing CRD upgrades externally and fully disable the CRD upgrader job hook
+disableCrdUpgraderJob: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ defaultStorageClass: <STORAGECLASS>
+ imageRegistry: <DOCKER_REPO>
+ security:
+ allowInsecureImages: true
+ postgresql:
+ auth:
+ username: dbusername
+ password: dbpassword
+ database: keycloak
\ No newline at end of file
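Review bot: The PostgreSQL username and password under `global.postgresql.auth` are literal values (`dbusername` / `dbpassword`) in a Git-tracked values file, so anyone who can read the repository or the rendered Argo CD manifests knows the Keycloak database credentials. Assuming this is the Bitnami PostgreSQL chart, as the key names suggest, the Secret can be created outside the repository and referenced with `existingSecret: <KEYCLOAK_DB_SECRET_NAME>` (placeholder name) under `global.postgresql.auth`. `allowInsecureImages: true` also turns off the chart's check on substituted images. If it is only needed because images come from `<DOCKER_REPO>`, a comment saying so would make the intent reviewable.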
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+fullnameOverride: keycloak
+
+image:
+ tag: "26.0.6"
+
+command:
+ - "/opt/keycloak/bin/kc.sh"
+ - "--verbose"
+ - "start"
+ - "--http-port=8080"
+ - "--hostname-strict=false"
+ - "--spi-events-listener-jboss-logging-success-level=info"
+ - "--spi-events-listener-jboss-logging-error-level=warn"
+
+extraEnv: |
+ - name: KC_BOOTSTRAP_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "keycloak.fullname" . }}-admin-creds
+ key: user
+ - name: KC_BOOTSTRAP_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "keycloak.fullname" . }}-admin-creds
+ key: password
+ - name: JAVA_OPTS_APPEND
+ value: >-
+ -XX:+UseContainerSupport
+ -XX:MaxRAMPercentage=50.0
+ -Djava.awt.headless=true
+ -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
+ - name: PROXY_ADDRESS_FORWARDING
+ value: "true"
+
+dbchecker:
+ enabled: true
+ image:
+ repository: <DOCKER_REPO>/busybox
+
+database:
+ vendor: postgres
+ hostname: keycloak-db-postgresql
+ port: 5432
+ username: dbusername
+ password: dbpassword
+ database: keycloak
+
+proxy:
+ enabled: true
+ mode: xforwarded
+ http:
+ enabled: true
+
+secrets:
+ admin-creds:
+ stringData:
+ user: admin
+ password: secret
+
+http:
+ relativePath: "/"
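Review bot: The bootstrap admin account is defined in the `secrets.admin-creds` block as `user: admin` / `password: secret`, and `database.password` repeats the literal `dbpassword`, so both the Keycloak admin login and the database password are fixed, guessable values stored in Git. `extraEnv` already reads the admin credentials through `secretKeyRef` from the `-admin-creds` Secret, so the `secrets:` block can be dropped and that Secret created out of band (sealed or external secret) with a generated password. With `--hostname-strict=false` and `proxy.mode: xforwarded`, Keycloak takes host and scheme information from request headers. That is only sound if the pod is reachable solely through the gateway that sets those headers, which deserves a comment next to the two settings.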
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ clusterScoped: true
+
+image:
+ registry: <DOCKER_REPO>
+ registryOverride: <DOCKER_REPO>
+
+cass-operator:
+ image:
+ registry: <DOCKER_REPO>
+ registryOverride: <DOCKER_REPO>
+ admissionWebhooks:
+ enabled: true
+
+cleaner:
+ image:
+ registry: <DOCKER_REPO>
+
+client:
+ image:
+ registry: <DOCKER_REPO>
+
+# -- Allows managing CRD upgrades externally and fully disable the CRD upgrader job hook
+disableCrdUpgraderJob: true
\ No newline at end of file
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+ha:
+ enabled: true
+
+logLevel: "debug"
+
+metrics:
+ enabled: false
+
+webhook:
+ certificate:
+ certManager: true
\ No newline at end of file
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+watchAllNamespaces: true
+
+fullnameOverride: "percona-server-mongodb-operator"
+
+replicaCount: 1
+
+resources:
+ requests:
+ cpu: 600m
+ memory: 700Mi
+ limits:
+ cpu: 1200m
+ memory: 1000Mi
+
+podSecurityContext:
+ runAsGroup: 65533
+ runAsNonRoot: true
+ runAsUser: 100
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
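Review bot: Style point on `capabilities.drop`: `ALL` already removes every capability, so the extra `CAP_NET_RAW` entry adds nothing, and Kubernetes documents capability names without the `CAP_` prefix (`NET_RAW`). Reducing the list to `- ALL` states the intent once and avoids a spelling that an admission policy or runtime may not recognise. The same two-entry list appears in the values file further down in this patch that sets `watchAnyNamespace: true`. Separately, `watchAllNamespaces: true` gives the operator cluster-wide scope, so a one-line comment on why a namespace-scoped watch is not enough would help whoever audits it.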
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+prometheus:
+ agentMode: false
+ prometheusSpec:
+ ## If true, a nil or {} value for prometheus.prometheusSpec.ruleSelector will cause the
+ ## prometheus resource to be created with selectors based on values in the helm deployment,
+ ## which will also match the PrometheusRule resources created
+ ##
+ ruleSelectorNilUsesHelmValues: false
+ ## If true, a nil or {} value for prometheus.prometheusSpec.serviceMonitorSelector will cause the
+ ## prometheus resource to be created with selectors based on values in the helm deployment,
+ ## which will also match the servicemonitors created
+ ##
+ serviceMonitorSelectorNilUsesHelmValues: false
+ ## If true, a nil or {} value for prometheus.prometheusSpec.podMonitorSelector will cause the
+ ## prometheus resource to be created with selectors based on values in the helm deployment,
+ ## which will also match the podmonitors created
+ ##
+ podMonitorSelectorNilUsesHelmValues: false
+ additionalScrapeConfigs:
+ - job_name: 'istiod'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - istio-system
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istiod;http-monitoring
+ - job_name: 'envoy-stats'
+ metrics_path: /stats/prometheus
+ kubernetes_sd_configs:
+ - role: pod
+ scrape_interval: 5m
+ scrape_timeout: 1m
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+watchAnyNamespace: true
+
+podSecurityContext:
+ runAsGroup: 65533
+ runAsNonRoot: true
+ runAsUser: 100
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ readOnlyRootFilesystem: true
+ runAsGroup: 65533
+ runAsNonRoot: true
+ runAsUser: 100
+ seccompProfile:
+ type: RuntimeDefault
+
+config:
+ kafkaVersion: 4.0.0
+ kafkaMetadataVersion: 4.0.0-IV3
\ No newline at end of file
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+defectDojoApiCredentials:
+ apiKey: "2e5af2a04069492ea63cbd593efccfd4b2758b77"
+ url: "http://defectdojo-django.defectdojo"
+ #url: "https://defectdojo<POSTADDR>.<BASEURL>"
+
+operator:
+ trivyDojoReportOperator:
+ env:
+ defectDojoActive: "true"
+ defectDojoCloseOldFindings: "false"
+ defectDojoMinimumSeverity: Critical
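Review bot: `defectDojoApiCredentials.apiKey` is set to what looks like a real 40-character DefectDojo API token, committed in clear text. Once merged it stays in Git history, so the token should be revoked in DefectDojo and reissued. The values file should carry only a placeholder such as `apiKey: "<DEFECTDOJO_API_KEY>"`, in the style of the other `<...>` placeholders in this patch, with the real value supplied from a Secret at deploy time. The active `url` is plain `http://`, so the token travels unencrypted unless the mesh provides mTLS between the two workloads; a comment should state that dependency.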
--- /dev/null
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-test
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ labels:
+ name: onap-test
+spec:
+ project: argo-management
+ source:
+ repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: ./argo/onap-test
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: onap
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - Validate=true
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ revisionHistoryLimit: 10
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+apiVersion: v2
+version: 0.0.1
+description: Chart to create gateway and Ingress Routes
+name: ingress
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: kafka-ui-route
+ namespace: onap
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: https
+ namespace: istio-ingress
+ hostnames:
+ - kafka-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: kafka-ui
+ port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: kafka-ui-redirect-route
+ namespace: onap
+spec:
+ parentRefs:
+ - name: common-gateway
+ sectionName: http
+ namespace: istio-ingress
+ hostnames:
+ - kafka-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }}
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ statusCode: 301
+ port: 443
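Review bot: `kafka-ui-route` publishes the whole Kafka UI (`PathPrefix` `/`) on the HTTPS listener of the shared `common-gateway`, and nothing in this file ties the hostname to an authentication step. The mesh values earlier in this patch declare an `oauth2-proxy` extension provider, but a provider only takes effect where an AuthorizationPolicy references it. Please confirm one covers this hostname, or enable authentication in the kafka-ui chart values. The chart's values file also defaults `post_addr` and `dns_zone` to empty strings, so the hostname renders as `kafka-ui.`; writing `{{ required "dns_zone must be set" .Values.dns_zone }}` would fail the render instead of producing an invalid route.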
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+post_addr: ""
+dns_zone: ""
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kafka-ui
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://kafbat.github.io/helm-charts
+ chart: kafka-ui
+ targetRevision: 1.5.0
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap-test/values/kafka-ui.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: onap
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
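Review bot: The second source has `helm:` written twice in a row, on the two lines before `ignoreMissingValueFiles`. Depending on the original indentation, which this rendering does not preserve, that is either a duplicate key or a nested `helm.helm` mapping. In the nested case Argo CD would not find `valueFiles` where it expects it, so the manifest is either rejected or the chart deploys with its defaults and the overrides in `kafka-ui.yaml` are silently ignored. Removing one `helm:` line, so that `ignoreMissingValueFiles` and `valueFiles` sit directly under a single `helm:`, fixes it.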
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generatorOptions:
+ disableNameSuffixHash: true
+
+resources:
+ - testkube.yaml
+ - kafka-ui.yaml
+ - trivy-operator.yaml
+ - onap-test-ingress.yaml
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-test-ingress
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ labels:
+ name: onap-test-ingress
+spec:
+ project: argo-management
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: <ONAP_ARGO_REPO_URL>
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: ./argo/onap-test/ingress-routes/helm
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap-test/values/onap-test-ingress.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - Validate=true
+ - CreateNamespace=true
+ #- PrunePropagationPolicy=foreground
+ #- PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ revisionHistoryLimit: 10
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: testkube
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ labels:
+ name: testkube
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: <ONAP_ARGO_REPO_URL>
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: ./argo/onap-test/testkube/helm
+ helm:
+ # Values file as block file. This takes precedence over values
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap-test/values/testkube.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
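Review bot: This Application uses `project: default`, while the neighbouring Applications in the patch use `argo-management`. Unless the `default` AppProject has been restricted in this installation, it permits any source repository and any destination, which is a weak guard rail for an app that syncs with `prune: true` and `selfHeal: true`. Consider `project: argo-management`, or a dedicated project scoped to the test namespaces. The same applies to the `kafka-ui` Application earlier in the patch. The comment above `ignoreMissingValueFiles` ("Values file as block file…") describes a `values:` block that is not present here and could be removed.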
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+apiVersion: v2\r
+name: onapTestkube\r
+description: A Helm chart with tests for onap\r
+type: application\r
+version: 0.0.1\r
+dependencies:\r
+ - name: testkube\r
+ version: 1.16.63\r
+ repository: 'https://kubeshop.github.io/helm-charts'\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: rbac.authorization.k8s.io/v1\r
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.\r
+kind: ClusterRoleBinding\r
+metadata:\r
+ name: {{ .Release.Name }}-tests-cluster-role-binding\r
+subjects:\r
+- kind: ServiceAccount\r
+ name: {{ .Release.Name }}-tests-service-account\r
+ namespace: {{ .Release.Namespace }}\r
+roleRef:\r
+ kind: ClusterRole\r
+ name: {{ .Release.Name }}-tests-cluster-role\r
+ apiGroup: rbac.authorization.k8s.io\r
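Review bot: The comment above `kind: ClusterRoleBinding` does not describe this object. The subject is the `{{ .Release.Name }}-tests-service-account` ServiceAccount, not a "manager" group, and the ClusterRole it binds grants far more than reading secrets. The text reads as if carried over from a generic RBAC example. I would replace it with `# Binds the tests ServiceAccount to the tests ClusterRole, cluster-wide.` so that someone auditing RBAC is not misled about who receives these permissions.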
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: rbac.authorization.k8s.io/v1\r
+kind: ClusterRole\r
+metadata:\r
+ name: {{ .Release.Name }}-tests-cluster-role\r
+rules:\r
+- apiGroups:\r
+ - ''\r
+ - apps\r
+ - batch\r
+ - extensions\r
+ - networking.k8s.io\r
+ - gateway.networking.k8s.io\r
+ - tf.galleybytes.com\r
+ - aquasecurity.github.io\r
+ - onap.com\r
+ resources:\r
+ - pods\r
+ - deployments\r
+ - deployments/status\r
+ - jobs\r
+ - jobs/status\r
+ - statefulsets\r
+ - replicasets\r
+ - replicasets/status\r
+ - daemonsets\r
+ - secrets\r
+ - services\r
+ - events\r
+ - configmaps\r
+ - ingresses\r
+ - persistentvolumeclaims\r
+ - nodes\r
+ - terraforms\r
+ - httproutes\r
+ - namespaces\r
+ - serviceinstances\r
+ - vnfs\r
+ - vulnerabilityreports\r
+ verbs:\r
+ - get\r
+ - watch\r
+ - list\r
+- apiGroups:\r
+ - ''\r
+ - apps\r
+ resources:\r
+ - statefulsets\r
+ - configmaps\r
+ verbs:\r
+ - patch\r
+- apiGroups:\r
+ - ''\r
+ - apps\r
+ - tf.galleybytes.com\r
+ - onap.com\r
+ resources:\r
+ - deployments\r
+ - daemonsets\r
+ - statefulsets\r
+ - secrets\r
+ - services\r
+ - pods\r
+ - terraforms\r
+ - namespaces\r
+ - configmaps\r
+ - serviceinstances\r
+ - vnfs\r
+ verbs:\r
+ - create\r
+- apiGroups:\r
+ - ''\r
+ - apps\r
+ - tf.galleybytes.com\r
+ - onap.com\r
+ resources:\r
+ - pods\r
+ - persistentvolumeclaims\r
+ - secrets\r
+ - deployments\r
+ - daemonsets\r
+ - statefulsets\r
+ - services\r
+ - terraforms\r
+ - configmaps\r
+ - serviceinstances\r
+ - vnfs\r
+ verbs:\r
+ - delete\r
+- apiGroups:\r
+ - ''\r
+ - apps\r
+ resources:\r
+ - pods/exec\r
+ verbs:\r
+ - create\r
+- apiGroups:\r
+ - cert-manager.io\r
+ resources:\r
+ - certificates\r
+ verbs:\r
+ - create\r
+ - delete\r
+{{- if .Values.tests.tests.basicKafka.enabled }}\r
+- apiGroups:\r
+ - kafka.strimzi.io\r
+ resources:\r
+ - kafkatopics\r
+ verbs:\r
+ - create\r
+ - delete\r
+{{- end }}\r
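Review bot: This ClusterRole gives the test ServiceAccount cluster-wide `get`/`list`/`watch`, `create` and `delete` on `secrets`, `create` on `pods/exec`, and create/delete on workloads. Together that is close to cluster-admin for anyone who can define or modify a Testkube test. Each rule also crosses every listed apiGroup with every listed resource, which makes it hard to audit which group/resource pairs are actually intended. If the tests only act in known namespaces, `kind: Role` with a RoleBinding per target namespace would confine the grant. Otherwise the `secrets` and `pods/exec` rules could be gated per test, the way the `kafkatopics` rule is gated by `.Values.tests.tests.basicKafka.enabled`.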
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: executor.testkube.io/v1\r
+kind: Executor\r
+metadata:\r
+ name: {{ .Values.tests.smokeTests.executor.controlPanelSdk.name }}\r
+spec:\r
+ {{- with .Values.imagePullSecrets }}\r
+ imagePullSecrets:\r
+ {{- toYaml . | nindent 4 }}\r
+ {{- end }}\r
+ image: <ONAP_REPO>/onap/control-panel-ui-smoke-tests/controlpanel-smoke-tests:{{ .Values.tests.smokeTests.executor.controlPanelSdk.imageVersion }}\r
+ command:\r
+ - "/bin/bash"\r
+ - "-c"\r
+ - "./gradlew --offline -p controlpanel-smoke-tests test \"-Dcucumber.filter.tags=${CUCUMBER_FILTER_TAGS}\" "\r
+ executor_type: container\r
+ types:\r
+ - {{ .Values.tests.smokeTests.executor.controlPanelSdk.type }}\r
+ features:\r
+ - artifacts\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+{{- if .Values.tests.tests.controlPanelSmokeTest.enabled }}\r
+apiVersion: tests.testkube.io/v3\r
+kind: Test\r
+metadata:\r
+ name: {{ .Values.tests.tests.controlPanelSmokeTest.testName }}\r
+spec:\r
+ type: {{ .Values.tests.smokeTests.executor.controlPanelSdk.type }}\r
+ executionRequest:\r
+ variables:\r
+ CUCUMBER_FILTER_TAGS:\r
+ name: CUCUMBER_FILTER_TAGS\r
+ type: basic\r
+ CONTROLPANEL_ENV:\r
+ name: CONTROLPANEL_ENV\r
+ value: {{ .Values.tests.testEnvName }}\r
+ type: basic\r
+ activeDeadlineSeconds: {{ .Values.tests.smokeTests.execution.activeDeadlineSeconds }}\r
+ artifactRequest:\r
+ storageClassName: {{ .Values.tests.smokeTests.artifacts.storageClassName }}\r
+ volumeMountPath: /app/test-artifacts\r
+{{- include "job.template" . | indent 4 }}\r
+{{- if .Values.global.serviceMesh.enabled }}\r
+{{- include "scraper.template" . | indent 4 }}\r
+{{- end }}\r
+{{- end }}\r
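Review bot: `CUCUMBER_FILTER_TAGS` is declared under `executionRequest.variables` with a `name` and a `type` but no `value`, so the executor command added in this commit (`-Dcucumber.filter.tags=${CUCUMBER_FILTER_TAGS}`) receives an empty filter unless every execution supplies one. If an empty default is intended, a comment above the variable should say so; otherwise add a `value:` line fed from a values key. `value: {{ .Values.tests.testEnvName }}` would also be safer as `value: {{ .Values.tests.testEnvName | quote }}`, so that an environment name that looks like a boolean or number stays a string.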
--- /dev/null
+{{/* https://docs.testkube.io/articles/crds/tests.testkube.io-v3 */}}
+{{/*
+Common test template for cypress tests
+
+@param .dot (Optional, default .) The root scope
+@param .repo A map representing the repository configuration
+ The map must contain at least the following fields:
+ .repo.uri: the uri of the git repo that
+ contains the cypress project
+ .repo.branch the branch of the git repo that
+ contains the cypress project
+@param .test A map representing a single test
+ The map must contain at least the following fields:
+ .test.name: The name of the test
+ The map may contain the following optional fields:
+ .test.env: environment variables for the container
+
+Example include:
+ {{ include "cypress.test" (dict "repo" .Values.tests.cypress "test" .Values.tests.cypress.tests.aai) }}
+*/}}
+{{- define "cypress.test" }}
+apiVersion: tests.testkube.io/v3
+kind: Test
+metadata:
+ name: {{ kebabcase .test.testName }}
+spec:
+ type: cypress/project
+ content:
+ type: git
+ repository:
+ type: git
+ uri: {{ .repo.uri }}
+ branch: {{ .test.branch | default .repo.branch }}
+ tokenSecret:
+ key: git-token
+ name: testkube-git-creds
+ usernameSecret:
+ key: git-username
+ name: testkube-git-creds
+ executionRequest:
+ activeDeadlineSeconds: 1800
+ jobTemplate: |
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ annotations:
+ argocd.argoproj.io/compare-options: IgnoreExtraneous
+ argocd.argoproj.io/sync-options: Prune=false
+ spec:
+ template:
+ metadata:
+ labels:
+ sidecar.istio.io/inject: 'false'
+ spec:
+ containers:
+ - name: {{ kebabcase .test.testName }}
+ image: {{ .repo.image }}
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 300m
+ memory: 300Mi
+ {{- if .test.env }}
+ envs:
+ {{- range $key, $value := .test.env }}
+ {{ $key }}: {{ $value | quote }}
+ {{ end -}}
+ {{ end -}}
+{{ end -}}
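Review bot: The header comment documents `.test.name` as the required field, but the template reads `.test.testName` (for `metadata.name` and the container name) and also uses `.test.branch` and `.repo.image`, neither of which the comment lists. A caller who follows the comment would pass a map without `testName`. I would update the comment to list `.test.testName` and `.repo.image` as required and `.test.branch` as optional, and drop the `.dot` parameter, which this template never reads. The `gradle.test` define added later in this commit carries the same comment and the same mismatch, and additionally reads the undocumented `.test.debugLogEnabled`.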
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: tests.testkube.io/v3
+kind: Test
+metadata:
+ name: cypress-test-3
+spec:
+ type: cypress/project
+ content:
+ type: git-dir
+ repository:
+ type: git
+ uri: https://github.com/kubeshop/testkube.git
+ branch: main
+ path: test/cypress/executor-tests/cypress-14
+ executionRequest:
+ variables:
+ CYPRESS_CUSTOM_ENV:
+ name: CYPRESS_CUSTOM_ENV
+ value: "CYPRESS_CUSTOM_ENV_value"
+ type: basic
+ DEBUG:
+ name: DEBUG
+ value: "cypress:*"
+ type: basic
+ args:
+ - "--env"
+ - "NON_CYPRESS_ENV=NON_CYPRESS_ENV_value"
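Review bot: This Test is rendered unconditionally and clones `https://github.com/kubeshop/testkube.git` at `branch: main`, so every install runs whatever that third-party branch contains at execution time, inside the cluster. The name `cypress-test-3` and the `CYPRESS_CUSTOM_ENV_value` placeholders suggest an upstream sample rather than an ONAP test. If it is meant to stay, wrap it in an `enabled` flag like the other tests in this chart and pin the content to a reviewed revision with the repository's `commit:` field instead of a moving branch. Otherwise the file should be dropped.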
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+{{- if .Values.tests.cypress.tests.portalng.someTest.enabled }}
+{{ include "cypress.test" (dict "repo" .Values.tests.cypress "test" .Values.tests.cypress.tests.portalng.someTest) }}
+{{- end }}
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+{{- if .Values.tests.gradle.tests.aai.aaiCrudTest.enabled }}
+{{ include "gradle.test" (dict "repo" .Values.tests.gradle "test" .Values.tests.gradle.tests.aai.aaiCrudTest) }}
+{{- end }}
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+{{- if .Values.tests.gradle.tests.aai.kafkaTest.enabled }}
+{{ include "gradle.test" (dict "repo" .Values.tests.gradle "test" .Values.tests.gradle.tests.aai.kafkaTest) }}
+{{- end }}
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+{{- if .Values.tests.gradle.tests.aai.aaiTraversalTest.enabled }}
+{{ include "gradle.test" (dict "repo" .Values.tests.gradle "test" .Values.tests.gradle.tests.aai.aaiTraversalTest) }}
+{{- end }}
--- /dev/null
+{{/* https://docs.testkube.io/articles/crds/tests.testkube.io-v3 */}}
+{{/*
+Common test template for gradle tests
+
+@param .dot (Optional, default .) The root scope
+@param .repo A map representing the repository configuration
+ The map must contain at least the following fields:
+ .repo.uri: the uri of the git repo that
+ contains the gradle project
+ .repo.branch the branch of the git repo that
+ contains the gradle project
+@param .test A map representing a single test
+ The map must contain at least the following fields:
+ .test.name: The name of the test
+ The map may contain the following optional fields:
+ .test.env: environment variables for the container
+
+Example include:
+ {{ include "gradle.test" (dict "repo" .Values.tests.gradle "test" .Values.tests.gradle.tests.aai) }}
+*/}}
+{{- define "gradle.test" }}
+apiVersion: tests.testkube.io/v3
+kind: Test
+metadata:
+ name: {{ kebabcase .test.testName }}
+spec:
+ type: gradle/test
+ content:
+ type: git
+ repository:
+ type: git
+ uri: {{ .repo.uri }}
+ branch: {{ .test.branch | default .repo.branch }}
+ tokenSecret:
+ key: git-token
+ name: testkube-git-creds
+ usernameSecret:
+ key: git-username
+ name: testkube-git-creds
+ executionRequest:
+ args:
+ - "--tests"
+ - {{ .test.testName | quote }}
+ {{- if .test.debugLogEnabled }}
+ - "--info"
+ {{- end }}
+ activeDeadlineSeconds: 1800
+ jobTemplate: |
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ annotations:
+ argocd.argoproj.io/compare-options: IgnoreExtraneous
+ argocd.argoproj.io/sync-options: Prune=false
+ spec:
+ template:
+ metadata:
+ labels:
+ sidecar.istio.io/inject: 'false'
+ spec:
+ containers:
+ - name: {{ kebabcase .test.testName }}
+ image: {{ .repo.image }}
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 300m
+ memory: 300Mi
+ {{- if .test.env }}
+ envs:
+ {{- range $key, $value := .test.env }}
+ {{ $key }}: {{ $value | quote }}
+ {{ end -}}
+ {{ end -}}
+{{ end -}}
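Review bot: The pod in `jobTemplate` runs code cloned from `.repo.uri`, yet its container sets only `resources.requests`: there is no `securityContext` and no `resources.limits`, and the `sidecar.istio.io/inject: 'false'` label keeps the pod out of the mesh. I would add `securityContext: {allowPrivilegeEscalation: false}` and a `limits:` block to the container, provided the image in `.repo.image` tolerates it (not visible here), and add a comment saying why sidecar injection is switched off. `uri: {{ .repo.uri }}` would also be safer as `uri: {{ .repo.uri | quote }}`. The `cypress.test` define earlier in this commit uses the same job template and would take the same changes.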
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: gateway.networking.k8s.io/v1beta1\r
+kind: HTTPRoute\r
+metadata:\r
+ name: testkube-route\r
+ namespace: onap\r
+spec:\r
+ parentRefs:\r
+ - name: common-gateway\r
+ sectionName: https\r
+ namespace: istio-ingress\r
+ hostnames:\r
+ - testkube{{ .Values.global.ingress.post_addr }}.{{ .Values.global.ingress.dns_zone }}\r
+ rules:\r
+ - backendRefs:\r
+ - name: testkube-dashboard\r
+ port: 8080\r
+---\r
+apiVersion: gateway.networking.k8s.io/v1beta1\r
+kind: HTTPRoute\r
+metadata:\r
+ name: testkube-redirect-route\r
+ namespace: onap\r
+spec:\r
+ parentRefs:\r
+ - name: common-gateway\r
+ sectionName: http\r
+ namespace: istio-ingress\r
+ hostnames:\r
+ - testkube{{ .Values.global.ingress.post_addr }}.{{ .Values.global.ingress.dns_zone }}\r
+ rules:\r
+ - filters:\r
+ - type: RequestRedirect\r
+ requestRedirect:\r
+ scheme: https\r
+ statusCode: 301\r
+ port: 443\r
+---\r
+apiVersion: gateway.networking.k8s.io/v1beta1\r
+kind: HTTPRoute\r
+metadata:\r
+ name: testkube-api-route\r
+ namespace: onap\r
+spec:\r
+ parentRefs:\r
+ - name: common-gateway\r
+ sectionName: https\r
+ namespace: istio-ingress\r
+ hostnames:\r
+ - testkube-api{{ .Values.global.ingress.post_addr }}.{{ .Values.global.ingress.dns_zone }}\r
+ rules:\r
+ - backendRefs:\r
+ - name: testkube-api-server\r
+ port: 8088\r
+---\r
+apiVersion: gateway.networking.k8s.io/v1beta1\r
+kind: HTTPRoute\r
+metadata:\r
+ name: testkube-api-redirect-route\r
+ namespace: onap\r
+spec:\r
+ parentRefs:\r
+ - name: common-gateway\r
+ sectionName: http\r
+ namespace: istio-ingress\r
+ hostnames:\r
+ - testkube-api{{ .Values.global.ingress.post_addr }}.{{ .Values.global.ingress.dns_zone }}\r
+ rules:\r
+ - filters:\r
+ - type: RequestRedirect\r
+ requestRedirect:\r
+ scheme: https\r
+ statusCode: 301\r
+ port: 443\r
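Review bot: `testkube-api-route` publishes `testkube-api-server:8088` and `testkube-route` publishes the dashboard on the shared `common-gateway`, and nothing in this file puts authentication in front of either. The Testkube API can create and run tests, which are jobs inside the cluster, so whoever can reach the gateway hostname would have that ability unless a policy defined elsewhere blocks it. I would gate both route pairs behind a values flag that defaults to off, and attach an authentication and authorization policy (for example an Istio `RequestAuthentication` plus `AuthorizationPolicy`) before enabling them. `namespace: onap` is also hard-coded in all four routes; `namespace: {{ .Release.Namespace }}` would keep them with the release.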
--- /dev/null
+{{- define "job.template" }}\r
+{{/* Define job.template */}}\r
+jobTemplate: |\r
+ apiVersion: batch/v1\r
+ kind: Job\r
+ metadata:\r
+ annotations:\r
+ argocd.argoproj.io/compare-options: IgnoreExtraneous\r
+ argocd.argoproj.io/sync-options: Prune=false\r
+ spec:\r
+ template:\r
+ spec:\r
+ serviceAccountName: {{ .Release.Name }}-tests-service-account\r
+ containers:\r
+ - name: {{ printf "\"{{ .Name }}\"" }}\r
+ image: {{ printf "{{ .Image }}" }}\r
+ imagePullPolicy: Always\r
+{{ end -}}\r
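Review bot: The two `printf` calls exist only to pass the literal Testkube placeholders `{{ .Name }}` and `{{ .Image }}` through Helm, which is not obvious, and the existing `{{/* Define job.template */}}` comment does not explain it. I would replace that comment with one stating that these placeholders are filled in by Testkube at execution time, not by Helm. The name is emitted with surrounding quotes and the image without; emitting both the same way would read more clearly. `serviceAccountName` gives every test job the `-tests-service-account` identity, whose RBAC is not visible in this hunk, so it is worth confirming that it is scoped to what the tests need.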
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: tests.testkube.io/v3\r
+kind: TestSuite\r
+metadata:\r
+ name: {{ .Values.tests.smokeTests.testsuite.name }}\r
+spec:\r
+ schedule: "{{ .Values.tests.smokeTests.testsuite.cron }}"\r
+ steps:\r
+ {{- /* Gradle tests */}}\r
+ - execute:\r
+ {{- range $usecase := .Values.tests.gradle.tests }}\r
+ {{- range $test := $usecase }}\r
+ {{- if $test.enabled }}\r
+ - test: {{ kebabcase $test.testName }}\r
+ {{- end }}\r
+ {{- end }}\r
+ {{- end }}\r
+ stopOnFailure: false\r
+ {{- /* Smoke tests */}}\r
+ {{- /* Basic tests group */}}\r
+ - stopOnFailure: false\r
+ execute:\r
+ {{- $test := .Values.tests.tests.basicCps }}\r
+ {{- if $test.enabled }}\r
+ - test: {{ $test.testName }}\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.basicOnboard }}\r
+ {{- if $test.enabled }}\r
+ - test: {{ $test.testName }}\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.basicNetwork }}\r
+ {{- if $test.enabled }}\r
+ - test: {{ $test.testName }}\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.basicCds }}\r
+ {{- if $test.enabled }}\r
+ - test: {{ $test.testName }}\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.basicSdnc }}\r
+ {{- if $test.enabled }}\r
+ - test: {{ $test.testName }}\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.basicCnfMacro }}\r
+ {{- if $test.enabled }}\r
+ - test: {{ $test.testName }}\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.controlPanelSmokeTest }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.aaiInitialDataSetup }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.serviceWithoutResource }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.addDeletePnfInRunningService }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.pnfWithVesEvent }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.pnfWithoutVesEvent }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.pnfMacro }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.basicPrh }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.checkTimeSync }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.basicStatus }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.basicKafka }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.addDeleteCnfMacro }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.policyFramework }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- $test := .Values.tests.tests.vesPublish }}\r
+ {{- if $test.enabled }}\r
+ - execute:\r
+ - test: {{ $test.testName }}\r
+ stopOnFailure: false\r
+ {{- end }}\r
+ {{- if .Values.global.serviceMesh.enabled }}\r
+ executionRequest:\r
+ cronJobTemplate: |\r
+ apiVersion: batch/v1\r
+ kind: CronJob\r
+ metadata:\r
+ annotations:\r
+ argocd.argoproj.io/compare-options: IgnoreExtraneous\r
+ argocd.argoproj.io/sync-options: Prune=false\r
+ spec:\r
+ jobTemplate:\r
+ spec:\r
+ activeDeadlineSeconds: {{ .Values.tests.smokeTests.testsuite.testsuiteJobActiveDeadlineSeconds }}\r
+ template:\r
+ spec:\r
+ serviceAccountName: {{ .Release.Name }}-tests-service-account\r
+ {{- end }}\r
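Review bot: The first two steps always emit `execute:` and fill it from `range`/`if`, so when no gradle test (or none of the basic tests) is enabled the key renders with no items and the step has a null `execute`. Whether Testkube rejects or ignores such a step is not visible here, but the later steps in this file avoid the case by putting `- execute:` inside the `if`. I would collect the enabled names first and emit the step only when the list is non-empty, as sketched below for the gradle step; the basic group can follow the same shape.

```yaml
  steps:
    {{- /* Gradle tests */}}
    {{- $gradleTests := list }}
    {{- range $usecase := .Values.tests.gradle.tests }}
    {{- range $test := $usecase }}
    {{- if $test.enabled }}
    {{- $gradleTests = append $gradleTests (kebabcase $test.testName) }}
    {{- end }}
    {{- end }}
    {{- end }}
    {{- if $gradleTests }}
    - execute:
        {{- range $gradleTests }}
        - test: {{ . }}
        {{- end }}
      stopOnFailure: false
    {{- end }}
    {{- /* … unchanged: smoke test steps and executionRequest … */}}
```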
--- /dev/null
+{{- define "sidecarKiller" }}\r
+{{/*\r
+{{ include "sidecarKiller" (dict "containerName" "containerNameToCheck" "Values" .Values) }}\r
+*/}}\r
+- name: sidecar-killer\r
+ image: {{ .Values.serviceMesh.sidecarKiller.image }}\r
+ command: ["/bin/sh", "-c"]\r
+ args: ["echo \"waiting 10s for istio side cars to be up\"; sleep 10s; /app/ready.py --service-mesh-check {{ .containerName }} -t 45;"]\r
+ env:\r
+ - name: NAMESPACE\r
+ valueFrom:\r
+ fieldRef:\r
+ apiVersion: v1\r
+ fieldPath: metadata.namespace\r
+{{ end -}}\r
+\r
+{{- define "smoke.test" }}\r
+{{/* Define smoke test template */}}\r
+{{- $dot := default . .dot -}}\r
+{{- $configurationName := default .onapTestName .configurationName }}\r
+{{- $executor := default $dot.Values.tests.smokeTests.executor.pythonsdk.type .executor }}\r
+{{- $testEnv := default $dot.Values.tests.testEnvName .testEnvName }}\r
+{{- $schedule := default "" .schedule }}\r
+{{/* - if hasKey $dot.Values.tests.configuration $executor */}}\r
+{{- $executorRepoConfig := get $dot.Values.tests.configuration $executor }}\r
+{{- $uri := default "" $executorRepoConfig.uri }}\r
+{{- $branch := default "master" $executorRepoConfig.branch }}\r
+{{- $path := default "/" $executorRepoConfig.path }}\r
+{{/* - else */}}\r
+{{/* - fail "Executor has to have git configuration set in .Values.tests.configuration" -*/}}\r
+{{/*- end */}}\r
+apiVersion: tests.testkube.io/v3\r
+kind: Test\r
+metadata:\r
+ name: {{ .testName }}\r
+spec:\r
+ type: {{ $executor }}\r
+ executionRequest:\r
+ args:\r
+ - $(TESTNAME)\r
+ envs:\r
+ NAMESPACE: "{{ $dot.Values.namespace }}"\r
+ TESTNAME: {{ .onapTestName }}\r
+ PYTHONPATH: $PYTHONPATH:/data/repo{{ $path }}/basic_configuration_settings\r
+ ONAP_PYTHON_SDK_SETTINGS: "{{ $configurationName }}.{{ $configurationName }}_configuration"\r
+ TEST_ENV_NAME: "{{ $testEnv }}"\r
+ {{- if $dot.Values.tests.slackNotifications.enabled }}\r
+ SLACK_TOKEN: "{{ $dot.Values.tests.slackNotifications.slackConfig.token }}"\r
+ SLACK_URL: {{ $dot.Values.tests.slackNotifications.slackConfig.baseUrl }}\r
+ SLACK_CHANNEL: "{{ $dot.Values.tests.slackNotifications.slackConfig.channel }}"\r
+ {{- end }}\r
+ {{- if $dot.Values.global.serviceMesh.enabled }}\r
+ {{- range $key, $val := $dot.Values.serviceMesh.envVariable }}\r
+ {{ $key }}: {{ $val | quote }}\r
+ {{- end }}\r
+ {{- end }}\r
+ artifactRequest:\r
+ storageClassName: {{ $dot.Values.tests.smokeTests.artifacts.storageClassName }}\r
+ volumeMountPath: /tmp\r
+ activeDeadlineSeconds: {{ $dot.Values.tests.smokeTests.execution.activeDeadlineSeconds }}\r
+ {{- include "job.template" $dot | indent 4 }}\r
+ {{- if $dot.Values.global.serviceMesh.enabled }}\r
+ {{- include "scraper.template" $dot | indent 4 }}\r
+ {{- end }}\r
+ content:\r
+ type: git-file\r
+ repository:\r
+ type: git\r
+ uri: {{ $uri }}\r
+ branch: {{ $branch }}\r
+ path: {{ $path }}\r
+ tokenSecret:\r
+ key: git-token\r
+ name: {{ $executorRepoConfig.secretName | default "tnap-testkube-git-creds" }}\r
+ usernameSecret:\r
+ key: git-username\r
+ name: {{ $executorRepoConfig.secretName | default "tnap-testkube-git-creds" }}\r
+ {{- if $schedule }}\r
+ schedule: "{{ $schedule }}"\r
+ {{- end }}\r
+{{ end -}}\r
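Review bot: `SLACK_TOKEN` is rendered from `.Values.tests.slackNotifications.slackConfig.token` straight into `executionRequest.envs`, so the token is stored in clear text in every smoke Test resource and in the Helm release, and is readable by anyone who can get Test objects or reach the Testkube API. I would keep the token in a Kubernetes Secret and reference it through a secret-typed entry under `executionRequest.variables`, as sketched below (secret name and key are placeholders). Separately, the `hasKey`/`fail` guard around `$executorRepoConfig` is commented out, so an executor missing from `.Values.tests.configuration` is not reported with a clear error.

```yaml
  executionRequest:
    {{- /* … unchanged: args, envs without SLACK_TOKEN … */}}
    {{- if $dot.Values.tests.slackNotifications.enabled }}
    variables:
      SLACK_TOKEN:
        name: SLACK_TOKEN
        type: secret
        valueFrom:
          secretKeyRef:
            name: <SLACK_SECRET_NAME>
            key: <SLACK_SECRET_KEY>
    {{- end }}
```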
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.aaiInitialDataSetup.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.aaiInitialDataSetup.testName "onapTestName" "aai_initial_data_setup" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.addDeleteCnfMacro.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.addDeleteCnfMacro.testName "onapTestName" "add_delete_cnf_macro" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.addDeletePnfInRunningService.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.addDeletePnfInRunningService.testName "onapTestName" "add_pnf_in_running_service" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.basicCds.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicCds.testName "onapTestName" "basic_cds" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.basicCnfMacro.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicCnfMacro.testName "onapTestName" "basic_cnf_macro" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.basicCps.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicCps.testName "onapTestName" "basic_cps" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: executor.testkube.io/v1\r
+kind: Executor\r
+metadata:\r
+ name: {{ .Values.tests.smokeTests.executor.pythonsdk.name }}\r
+spec:\r
+ {{- with .Values.imagePullSecrets }}\r
+ imagePullSecrets:\r
+ {{- toYaml . | nindent 4 }}\r
+ {{- end }}\r
+ image: {{ .Values.tests.smokeTests.executor.pythonsdk.image }}\r
+ command:\r
+ - /bin/sh\r
+ - -c\r
+ - run_tests -t ${TESTNAME}\r
+ executor_type: container\r
+ types:\r
+ - {{ .Values.tests.smokeTests.executor.pythonsdk.type }}\r
+ features:\r
+ - artifacts\r
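Review bot: `run_tests -t ${TESTNAME}` expands the variable unquoted inside `sh -c`, so a value containing whitespace or glob characters would be split or expanded before `run_tests` sees it. The names this chart passes through `executionRequest.envs` are simple identifiers, but quoting costs nothing and matches the control-panel executor in this commit, which already quotes its variable: `- run_tests -t "${TESTNAME}"`. `image: {{ .Values.tests.smokeTests.executor.pythonsdk.image }}` would likewise be safer with `| quote`.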
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.basicKafka.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicKafka.testName "onapTestName" "basic_kafka" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.basicNetwork.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicNetwork.testName "onapTestName" "basic_network" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.basicOnboard.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicOnboard.testName "onapTestName" "basic_onboard" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.basicPrh.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicPrh.testName "onapTestName" "basic_prh" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.basicSdnc.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicSdnc.testName "onapTestName" "basic_sdnc" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.basicStatus.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicStatus.testName "onapTestName" "status" "configurationName" "basic_status" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.checkTimeSync.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.checkTimeSync.testName "onapTestName" "check_time_sync" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.fullStatus.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.fullStatus.testName "onapTestName" "status" "configurationName" "full_status" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.pnfMacro.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.pnfMacro.testName "onapTestName" "pnf_macro" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.pnfWithVesEvent.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.pnfWithVesEvent.testName "onapTestName" "pnf_with_ves_event" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.pnfWithoutVesEvent.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.pnfWithoutVesEvent.testName "onapTestName" "instantiate_pnf_without_registration_event" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.policyFramework.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.policyFramework.testName "onapTestName" "basic_policy" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.serviceWithoutResource.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.serviceWithoutResource.testName "onapTestName" "instantiate_service_without_resource" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+{{- if .Values.tests.tests.vesPublish.enabled }}\r
+{{ include "smoke.test" (dict "testName" .Values.tests.tests.vesPublish.testName "onapTestName" "ves_publish" "dot" .) }}\r
+{{- end }}\r
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#---
+# apiVersion: testworkflows.testkube.io/v1
+# kind: TestWorkflow
+# metadata:
+# name: integration-onap
+# namespace: onap
+# spec:
+# content:
+# container:
+# image: nexus3.onap.org:10001/onap/xtesting-healthcheck:latest
+# imagePullPolicy: Always
+# env:
+# - name: INSTALLER_TYPE
+# value: "{{ .Values.config.deployment_name }}"
+# - name: DEPLOY_SCENARIO
+# value: "{{ .Values.config.deploy_scenario }}"
+# - name: NODE_NAME
+# value: "{{ .Values.config.node_name }}"
+# - name: TEST_DB_URL
+# value: http://testresults.opnfv.org/onap/api/v1/results
+# - name: BUILD_TAG
+# value: "{{ .Values.config.build_tag }}"
+# - name: TAG
+# value: "{{ .Values.config.run_type }}"
+# volumeMounts:
+# - mountPath: /etc/localtime
+# name: localtime
+# - mountPath: /share/config
+# name: robot-eteshare
+# - mountPath: /var/lib/xtesting/results/
+# name: robot-save-results
+
+# volumes:
+# - name: localtime
+# hostPath:
+# path: /etc/localtime
+# - name: robot-eteshare
+# configMap:
+# name: onap-robot-eteshare-configmap
+# - name: robot-save-results
+# hostPath:
+# path: "{{ .Values.config.res_local_path }}"
+
+# steps:
+# - name: run-robot-tests
+# shell: |
+# robot --outputdir /var/lib/xtesting/results/ /path/to/your/tests/
+
+# artifacts:
+# paths:
+# - /var/lib/xtesting/results/*
+# storageClassName: standard
+# volumeSize: 1Gi
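Review bot: Every line of this manifest is commented out, but Helm runs the template engine before the YAML is parsed, so the `{{ .Values.config.* }}` actions on the env and hostPath lines are still evaluated if this file sits under the chart's templates directory (the path is not visible here). Rendering would then depend on the `config:` block that the values file in this commit marks as "here only temporarily", for a workflow that is never emitted. I would drop the file until the workflow is ready. If it is revived, the `:latest` image tag and the two `hostPath` volumes deserve a second look.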
--- /dev/null
+{{- define "scraper.template" }}\r
+{{/* Define scraper.template */}}\r
+scraperTemplate: |\r
+ apiVersion: batch/v1\r
+ kind: Job\r
+ metadata:\r
+ annotations:\r
+ argocd.argoproj.io/compare-options: IgnoreExtraneous\r
+ argocd.argoproj.io/sync-options: Prune=false\r
+ spec:\r
+ template:\r
+ spec:\r
+ serviceAccountName: {{ .Release.Name }}-tests-service-account\r
+ containers:\r
+ - name: {{ printf "\"{{ .Name }}-scraper\"" }}\r
+ {{ printf "{{- if .Registry }}" }}\r
+ image: {{ printf "{{ .Registry }}/{{ .ScraperImage }}" }}\r
+ {{ printf "{{- else }}" }}\r
+ image: {{ printf "{{ .ScraperImage }}" }}\r
+ {{ printf "{{- end }}" }}\r
+ imagePullPolicy: Always\r
+ command:\r
+ - "/bin/runner"\r
+ - {{ printf "'{{ .Jsn }}'" }}\r
+{{ end -}}\r
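Review bot: The scraper container in `scraper.template` sets no `securityContext` and no `resources`, while the values file in this commit hardens the other Testkube components with `allowPrivilegeEscalation: false`, dropped capabilities and `seccompProfile: RuntimeDefault`. The Job also runs under the `-tests-service-account`, so it is worth giving it the same baseline, as sketched below. Indentation is flattened in this view, so adjust it to the file, and whether `/bin/runner` needs any capability is not visible here.

```yaml
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: command /bin/runner with the .Jsn argument …
```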
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: v1\r
+kind: ServiceAccount\r
+metadata:\r
+ name: {{ .Release.Name }}-tests-service-account\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+\r
+# Default values for tnapTestkube.\r
+# This is a YAML-formatted file.\r
+# Declare variables to be passed into your templates.\r
+\r
+global:\r
+ ingress:\r
+ enabled: false\r
+ post_addr: &postrAddr ""\r
+ dns_zone: &dnsZone "<BASEURL>"\r
+ serviceMesh:\r
+ enabled: false\r
+ renderPullSecrets: True\r
+ defaultStorageClass: <STORAGECLASS>\r
+ storageClass: <STORAGECLASS>\r
+ingress:\r
+ host: to-be-changed\r
+\r
+namespace: onap\r
+\r
+serviceMesh:\r
+ envVariable:\r
+ SERVICE_MESH_ENABLED: True\r
+ sidecarKiller:\r
+ image: <ONAP_REPO>/onap/oom/readiness:4.2.0\r
+\r
+imagePullSecrets:\r
+ - name: onap-docker-registry-key\r
+\r
+tests:\r
+ testEnvName: ""\r
+ configuration:\r
+ pythonsdk-tests/smoke-test:\r
+ uri: <ONAP_ARGO_REPO_URL>\r
+ path: /argo/onap-test/testkube/pythonsdk-tests\r
+ branch: main\r
+ secretName: testkube-git-creds\r
+ gradle:\r
+ uri: https://git.onap.org/integration/java-tests\r
+ branch: main\r
+ image: <DOCKER_REPO>/kubeshop/testkube-gradle-executor:1.16.39\r
+ tests:\r
+ aai:\r
+ aaiTraversalTest:\r
+ enabled: true\r
+ testName: TraversalTest\r
+ env:\r
+ AAI_BASEURL: http://aai.onap/aai/v30\r
+ aaiCrudTest:\r
+ enabled: true\r
+ testName: AAICrudTest\r
+ env:\r
+ AAI_BASEURL: http://aai.onap/aai/v30\r
+ kafkaTest:\r
+ enabled: false\r
+ testName: KafkaTest\r
+ branch: kafka\r
+ env:\r
+ AAI_BASEURL: http://aai.onap/aai/v30\r
+ cypress:\r
+ uri: https://git.onap.org/integration/cypress-tests\r
+ branch: main\r
+ image: <DOCKER_REPO>/kubeshop/testkube-cypress-executor:1.16.39\r
+ tests:\r
+ portalng:\r
+ someTest:\r
+ enabled: true\r
+ testName: foo\r
+ env:\r
+ CYPRESS_KEYCLOAK_URL: https://keycloak-ui<POSTADDR>.<BASEURL>\r
+ CYPRESS_PORTAL_NG_URL: https://portal-ng-ui<POSTADDR>.<BASEURL>\r
+ CYPRESS_PORTAL_NG_USERNAME: onap-admin\r
+ CYPRESS_PORTAL_NG_PASSWORD: password\r
+\r
+ tests:\r
+ basicCds:\r
+ enabled: true\r
+ testName: basic-cds\r
+ basicCnfMacro:\r
+ enabled: true\r
+ testName: basic-cnf-macro\r
+ basicCps:\r
+ enabled: true\r
+ testName: basic-cps\r
+ basicOnboard:\r
+ enabled: true\r
+ testName: basic-onboard\r
+ basicNetwork:\r
+ enabled: false\r
+ testName: basic-network\r
+ basicSdnc:\r
+ enabled: true\r
+ testName: basic-sdnc\r
+ basicStatus:\r
+ enabled: true\r
+ testName: basic-status\r
+ fullStatus:\r
+ enabled: true\r
+ testName: full-status\r
+ resultSummary:\r
+ enabled: true\r
+ testName: result-summary\r
+ vesPublish:\r
+ enabled: true\r
+ testName: ves-publish\r
+ pnfMacro:\r
+ enabled: true\r
+ testName: pnf-macro\r
+ controlPanelSmokeTest:\r
+ enabled: false\r
+ testName: control-panel-ui-smoke-test\r
+ aaiInitialDataSetup:\r
+ enabled: true\r
+ testName: aai-initial-data-setup\r
+ serviceWithoutResource:\r
+ enabled: true\r
+ testName: service-without-resource\r
+ pnfWithoutVesEvent:\r
+ enabled: true\r
+ testName: pnf-without-ves-event\r
+ pnfWithVesEvent:\r
+ enabled: true\r
+ testName: pnf-with-ves-event\r
+ addDeletePnfInRunningService:\r
+ enabled: true\r
+ testName: add-delete-pnf-in-running-service\r
+ basicPrh:\r
+ enabled: true\r
+ testName: basic-prh\r
+ checkTimeSync:\r
+ enabled: true\r
+ testName: check-time-sync\r
+ basicKafka:\r
+ enabled: true\r
+ testName: basic-kafka\r
+ addDeleteCnfMacro:\r
+ enabled: true\r
+ testName: add-delete-cnf-macro\r
+ policyFramework:\r
+ enabled: true\r
+ testName: policy-framework\r
+ smokeTests:\r
+ artifacts:\r
+ storageClassName: <STORAGECLASS>\r
+ execution:\r
+ activeDeadlineSeconds: 1800\r
+ executor:\r
+ pythonsdk:\r
+ name: pythonsdk-tests-basic-executor\r
+ type: pythonsdk-tests/smoke-test\r
+ image: <ONAP_REPO>/onap/xtesting-smoke-usecases-pythonsdk:master\r
+ controlPanelSdk:\r
+ name: control-panel-basic-executor\r
+ type: controlpanel-sdk/smoke-test\r
+ imageVersion: 3.1\r
+ testsuite:\r
+ name: onap-testsuite\r
+ cron: 0 6 * * *\r
+ # Testsuite job is going to be killed after 6 hours\r
+ # if it doesn't end by itself. That prevents an issue\r
+ # with blocked cronjobs executions\r
+ testsuiteJobActiveDeadlineSeconds: 21600\r
+ slackNotifications:\r
+ enabled: false\r
+ slackConfig:\r
+ baseUrl: https://slack.com\r
+ token: example\r
+ channel: test\r
+\r
+testkube:\r
+ testkube-dashboard:\r
+ apiServerEndpoint: "https://testkube-api<POSTADDR>.<BASEURL>"\r
+ securityContext:\r
+ allowPrivilegeEscalation: false\r
+ capabilities:\r
+ drop:\r
+ - ALL\r
+ - CAP_NET_RAW\r
+ readOnlyRootFilesystem: false\r
+ runAsGroup: 65533\r
+ runAsNonRoot: true\r
+ runAsUser: 100\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ podSecurityContext:\r
+ fsGroup: 65533\r
+ runAsGroup: 65533\r
+ runAsNonRoot: true\r
+ runAsUser: 100\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ analyticsEnabled: false\r
+ preUpgradeHook:\r
+ enabled: false\r
+ serviceAccount:\r
+ create: false\r
+ preUpgradeHookNATS:\r
+ labels:\r
+ sidecar.istio.io/inject: "false"\r
+ testkube-api:\r
+ image:\r
+ registry: <DOCKER_REPO>\r
+ analyticsEnabled: false\r
+ minio:\r
+ securityContext:\r
+ allowPrivilegeEscalation: false\r
+ capabilities:\r
+ drop:\r
+ - ALL\r
+ - CAP_NET_RAW\r
+ readOnlyRootFilesystem: true\r
+ runAsGroup: 65533\r
+ runAsNonRoot: false\r
+ runAsUser: 0\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ podSecurityContext:\r
+ runAsGroup: 65533\r
+ runAsNonRoot: true\r
+ runAsUser: 100\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ storageClassName: <STORAGECLASS>\r
+ image:\r
+ registry: <DOCKER_REPO>\r
+ nats:\r
+ uri: nats://testkube-nats\r
+ storage: "30Gi"\r
+ storage:\r
+ expriation:\r
+ "7"\r
+ securityContext:\r
+ allowPrivilegeEscalation: false\r
+ capabilities:\r
+ drop:\r
+ - ALL\r
+ - CAP_NET_RAW\r
+ readOnlyRootFilesystem: true\r
+ runAsGroup: 65533\r
+ runAsNonRoot: true\r
+ runAsUser: 100\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ podSecurityContext:\r
+ runAsGroup: 65533\r
+ runAsNonRoot: true\r
+ runAsUser: 100\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ testkube-operator:\r
+ webhook:\r
+ patch:\r
+ enabled: true\r
+ labels:\r
+ sidecar.istio.io/inject: "false"\r
+ image:\r
+ registry: <DOCKER_REPO>\r
+ migrate:\r
+ image:\r
+ registry: <DOCKER_REPO>\r
+ preUpgrade:\r
+ image:\r
+ registry: <DOCKER_REPO>\r
+ labels:\r
+ sidecar.istio.io/inject: "false"\r
+ proxy:\r
+ image:\r
+ registry: <GOOGLE_REPO>\r
+ resources:\r
+ limits:\r
+ cpu: 400m\r
+ memory: 500Mi\r
+ requests:\r
+ cpu: 10m\r
+ memory: 150Mi\r
+ securityContext:\r
+ allowPrivilegeEscalation: false\r
+ capabilities:\r
+ drop:\r
+ - ALL\r
+ - CAP_NET_RAW\r
+ readOnlyRootFilesystem: true\r
+ podSecurityContext:\r
+ runAsGroup: 65533\r
+ runAsNonRoot: true\r
+ runAsUser: 100\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ mongodb:\r
+ storageClass: <STORAGECLASS>\r
+ image:\r
+ registry: <DOCKER_REPO>\r
+ readinessProbe:\r
+ timeoutSeconds: 50\r
+ livenessProbe:\r
+ timeoutSeconds: 50\r
+ containerSecurityContext:\r
+ allowPrivilegeEscalation: false\r
+ capabilities:\r
+ drop:\r
+ - ALL\r
+ - CAP_NET_RAW\r
+ readOnlyRootFilesystem: false\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ podSecurityContext:\r
+ fsGroup: 1001\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ nats:\r
+ config:\r
+ jetstream:\r
+ fileStore:\r
+ pvc:\r
+ storageClassName: <STORAGECLASS>\r
+ resolver:\r
+ pvc:\r
+ storageClassName: <STORAGECLASS>\r
+ container:\r
+ image:\r
+ registry: <DOCKER_REPO>\r
+ podTemplate:\r
+ merge:\r
+ spec:\r
+ securityContext:\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ natsBox:\r
+ container:\r
+ image:\r
+ registry: <DOCKER_REPO>\r
+ merge:\r
+ resources:\r
+ limits:\r
+ cpu: 400m\r
+ memory: 500Mi\r
+ requests:\r
+ cpu: 10m\r
+ memory: 150Mi\r
+ securityContext:\r
+ allowPrivilegeEscalation: false\r
+ capabilities:\r
+ add:\r
+ - AUDIT_WRITE\r
+ - CHOWN\r
+ - DAC_OVERRIDE\r
+ - FOWNER\r
+ - FSETID\r
+ - KILL\r
+ - MKNOD\r
+ - NET_BIND_SERVICE\r
+ - SETFCAP\r
+ - SETGID\r
+ - SETPCAP\r
+ - SETUID\r
+ - SYS_CHROOT\r
+ drop:\r
+ - ALL\r
+ - CAP_NET_RAW\r
+ readOnlyRootFilesystem: false\r
+ runAsGroup: 65533\r
+ runAsNonRoot: false\r
+ runAsUser: 0\r
+ podTemplate:\r
+ merge:\r
+ spec:\r
+ securityContext:\r
+ runAsGroup: 65533\r
+ runAsNonRoot: false\r
+ runAsUser: 0\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ reloader:\r
+ image:\r
+ registry: <DOCKER_REPO>\r
+ merge:\r
+ securityContext:\r
+ allowPrivilegeEscalation: false\r
+ capabilities:\r
+ drop:\r
+ - ALL\r
+ - CAP_NET_RAW\r
+ readOnlyRootFilesystem: false\r
+ runAsNonRoot: false\r
+ runAsUser: 0\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+ container:\r
+ merge:\r
+ securityContext:\r
+ allowPrivilegeEscalation: false\r
+ capabilities:\r
+ drop:\r
+ - ALL\r
+ - CAP_NET_RAW\r
+ privileged: false\r
+ readOnlyRootFilesystem: false\r
+ runAsGroup: 0\r
+ runAsUser: 0\r
+ seccompProfile:\r
+ type: RuntimeDefault\r
+\r
+# this is here only temporarily\r
+config:\r
+ run_type: "core"\r
+ deployment_name: "oom"\r
+ deploy_scenario: "onap-nofeature-noha"\r
+ node_name: foo\r
+ build_tag: bar\r
+ res_local_path: "/var/lib/xtesting/results"\r
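Review bot: In the `minio` block the container `securityContext` sets `runAsNonRoot: false` and `runAsUser: 0`, while the `podSecurityContext` right below asks for `runAsNonRoot: true` and `runAsUser: 100`. Container-level settings take precedence, so MinIO would run as root despite the pod-level intent (assuming the subchart passes both through unchanged; indentation is flattened in this view). The `natsBox`, `reloader` and `container` merges under `nats` also run as UID 0, and `natsBox` adds thirteen capabilities back next to `drop: ALL`. If root is really required a comment saying why would help; otherwise align them with the other components using `runAsNonRoot: true` and `runAsUser: 100`. Separately, `expriation` under `storage` looks like a typo for `expiration`, and Helm silently ignores unknown value keys.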
--- /dev/null
+from onaptests.configuration.aai_initial_data_setup_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+from onaptests.configuration.add_delete_cnf_macro_settings import *\r
+from global_tests_settings import *\r
+\r
+SERVICE_INSTANCE_NAME = f"add_delete_cnf_macro_{str(uuid4())}"\r
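Review bot: `uuid4` is not imported in this file, so `SERVICE_INSTANCE_NAME` only resolves if one of the two wildcard imports happens to export it. I would add `from uuid import uuid4` explicitly so the setting does not break when an upstream module changes its imports. The `str()` call inside the f-string is redundant: `f"add_delete_cnf_macro_{uuid4()}"` gives the same value.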
--- /dev/null
+from onaptests.configuration.instantiate_pnf_without_registration_event_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+from onaptests.configuration.cds_resource_resolution_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+from onaptests.configuration.basic_cnf_macro_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+from onaptests.configuration.basic_cps_settings import *\r
+from global_tests_settings import *\r
+\r
+CHECK_POSTGRESQL = True\r
+\r
+DB_PRIMARY_HOST = "tcp-pgset-primary"\r
--- /dev/null
+from onaptests.configuration.basic_kafka_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+from onaptests.configuration.basic_network_nomulticloud_settings import *\r
+from global_tests_settings import *\r
+\r
+SDC_CLEANUP = True\r
--- /dev/null
+from onaptests.configuration.basic_onboard_settings import *\r
+from global_tests_settings import *\r
+\r
+SDC_CLEANUP = True\r
--- /dev/null
+from onaptests.configuration.basic_policy_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+from onaptests.configuration.basic_prh_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+from onaptests.configuration.basic_sdnc_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+from onaptests.configuration.status_settings import *\r
+from global_tests_settings import *\r
+\r
+STORE_ARTIFACTS = False\r
+CHECK_POD_VERSIONS = False\r
+IGNORE_EMPTY_REPLICAS = True\r
+\r
+WAIVER_LIST = ['integration', 'jaeger', 'performance-test', 'medusa-purge', 'wiremock', 'sample-rapp', '-scraper', 'soak', 'repo1-full']\r
+\r
+EXCLUDE_NAMESPACE_LIST = ['nonrtric-rapp', 'kyverno', 'cluster-observability']\r
+\r
+CHECK_ALL_NAMESPACES = True\r
+LOG_CONFIG["handlers"]["file"]["level"] = "INFO"\r
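Review bot: `WAIVER_LIST` and `EXCLUDE_NAMESPACE_LIST` carry no comment explaining why each entry is exempt from the status check. Short entries such as `'integration'`, `'soak'` or `'-scraper'` could waive more workloads than intended if the check matches them as substrings (the matching logic is not visible here), and with `CHECK_ALL_NAMESPACES = True` that applies across the whole cluster. I would add a comment above each list stating the reason for the waiver and how entries are matched, e.g. `# Waived: short-lived or non-ONAP workloads; matched against pod names as <exact|substring>`.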
--- /dev/null
+from onaptests.configuration.check_time_sync_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+{\r
+"cloud-region":"k8sregion-cnf-macro",\r
+"cloud-owner":"basiccnf-cloud-owner",\r
+"other-connectivity-list":\r
+ {"connectivity-records":[]}\r
+}\r
--- /dev/null
+from onaptests.configuration.status_settings import *\r
+from global_tests_settings import *\r
+\r
+IGNORE_EMPTY_REPLICAS = True\r
--- /dev/null
+from os import getenv\r
+\r
+K8S_TESTS_NAMESPACE = getenv("NAMESPACE", "onap")\r
+\r
+CDS_URL = f"http://cds-blueprints-processor-http.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080"\r
+SDC_BE_URL = f"http://sdc-be.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080"\r
+SDC_FE_URL = f"http://sdc-fe.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8181"\r
+SO_URL = f"http://so.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080"\r
+K8SPLUGIN_URL = f"http://multicloud-k8s.{K8S_TESTS_NAMESPACE}.svc.cluster.local:9015"\r
+AAI_URL = f"http://aai.{K8S_TESTS_NAMESPACE}.svc.cluster.local:80"\r
+CPS_URL = f"http://cps-core.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080"\r
+SDNC_URL = f"http://sdnc.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8282"\r
+TESTKUBE_URL = f"http://testkube-api-server.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8088"\r
+VES_URL = f"http://dcae-ves-collector.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080"\r
+NBI_URL = f"http://nbi.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080"\r
+POLICY_API_URL = f"http://policy-api.{K8S_TESTS_NAMESPACE}.svc.cluster.local:6969"\r
+POLICY_PAP_URL = f"http://policy-pap.{K8S_TESTS_NAMESPACE}.svc.cluster.local:6969"\r
+POLICY_PDP_URL = f"http://policy-xacml-pdp.{K8S_TESTS_NAMESPACE}.svc.cluster.local:6969"\r
+\r
+IN_CLUSTER = True\r
+SERVICE_DISTRIBUTION_NUMBER_OF_TRIES = 15\r
+EXPOSE_SERVICES_NODE_PORTS = False\r
+CPS_AUTH = ("cpsuser", "tj61KoH9")\r
+SDC_CLEANUP = False\r
+#SDNC_DB_PRIMARY_HOST = f"sdnc-db.{K8S_TESTS_NAMESPACE}.svc.cluster.local"\r
+SDNC_DB_PRIMARY_HOST = f"mariadb-galera.{K8S_TESTS_NAMESPACE}.svc.cluster.local"\r
+\r
+AAI_API_VERSION = "v29"\r
+\r
+SDC_SERVICE_DISTRIBUTION_COMPONENTS = [\r
+ "SO-sdc-controller",\r
+ "aai-model-loader",\r
+ "sdnc-sdc-listener",\r
+ "multicloud-k8s"\r
+]\r
+\r
+SDC_SERVICE_DISTRIBUTION_DESIRED_STATE = {\r
+ "SO-sdc-controller": "DOWNLOAD_OK",\r
+ "aai-model-loader": "DOWNLOAD_OK",\r
+ "sdnc-sdc-listener": "DOWNLOAD_OK",\r
+}\r
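Review bot: `CPS_AUTH` commits a username and password as literals, so the credential stays in repository history wherever this settings file is copied. The file already uses `getenv` for the namespace, and the same pattern fits here, for example `CPS_AUTH = (getenv("CPS_USER", "cpsuser"), getenv("CPS_PASSWORD"))` with the value supplied from a Kubernetes Secret (the variable names are only a suggestion). If the committed password matches any deployed CPS instance, it should be rotated. Separately, `SDC_SERVICE_DISTRIBUTION_COMPONENTS` lists `multicloud-k8s` but `SDC_SERVICE_DISTRIBUTION_DESIRED_STATE` has no entry for it; a short comment saying whether that omission is intended would help.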
--- /dev/null
+from onaptests.configuration.instantiate_service_without_resource_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+from onaptests.configuration.pnf_macro_settings import *\r
+from global_tests_settings import *\r
+\r
+USE_SIMULATOR = True\r
+PNF_SIMULATOR_URL = "pnf-macro-test-simulator.onap-tests"\r
+PNF_SIMULATOR_PORT = "5000"\r
--- /dev/null
+from onaptests.configuration.pnf_with_ves_event_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+---\r
+apiVersion: v1\r
+kind: Config\r
+current-context: default\r
+contexts:\r
+- name: default\r
+ context:\r
+ cluster: cluster\r
+ user: cluster-admin\r
+ namespace: default\r
+clusters:\r
+- name: cluster\r
+ cluster:\r
+ insecure-skip-tls-verify: true\r
+ server: https://kubernetes.default.svc.cluster.local\r
+users:\r
+- name: cluster-admin\r
+ user:\r
+ token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImFwR0gwMGl4Q2hpRkU1OHAwSHQydDBMMjZkWk9nLVBmQ1Nfb2NWYjVXVFUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJvbmFwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tejJzcXQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImJjZGVjZTNmLTY2OTQtNDk2Yi05ZjVkLWNmMDA2OTY1NWQ5ZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpvbmFwOmRlZmF1bHQifQ.DCDab0Ccsj4kTynjKGRNGJrvkB-ZwBKWrJS72596S8ytLx-Ixe-lBxn_zAY3RCuamXASG93MaJQBbv1c_3KK5qf_zgqYoj21xI1A-WeBc_d0uoGtDq6LpgjJ-kmmZ8RE1p6kYIRp5xx-m9rE7jWcMBpxkTKeuZghX4zWwXXKpYzJ9JRW9dZqfRGyEzd32Rx8PlVU9B1G2-I4FInRsNjjD1h-ChR0Ur8mXj0WVJsM8EankmvI7hyDEnbj_DUnw09MhJLGxWyo-HBvj67grQGLpCnQpPZ3_fvWDCnqrv13EXLI_yBRt4rODIe-jFyeTKXV4Krvv8sR01UY1aSoWWh5ZQ\r
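Review bot: The `token:` value under `users` is a service-account bearer token committed in clear text, and the `cluster` entry sets `insecure-skip-tls-verify: true`, so the client neither protects its credential nor authenticates the API server it sends it to. Because `server` points at `kubernetes.default.svc.cluster.local`, this config is presumably used from inside a pod, where the mounted service-account files can be referenced instead: `tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token` and `certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The committed token should be treated as disclosed and revoked on any cluster where it is still valid. The user entry is named `cluster-admin`; if the bound account really holds that role, a narrower Role for the test jobs is worth a follow-up.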
--- /dev/null
+from onaptests.configuration.ves_publish_settings import *\r
+from global_tests_settings import *\r
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: trivy-operator
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: https://aquasecurity.github.io/helm-charts
+ chart: trivy-operator
+ targetRevision: 0.27.0
+ helm:
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap-test/values/trivy-operator.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: trivy-system
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: disabled
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
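Review bot: `helm:` appears twice in a row under the `trivy-operator` chart source, directly after `targetRevision: 0.27.0`, whereas the other Application manifests in this change have a single `helm:`. Indentation is not recoverable from this view, but either reading is a problem: a nested `helm.helm` is not a field of the source spec, and a repeated key is invalid YAML that most parsers resolve silently. In both cases `valueFiles` may not be applied, and the operator would then run with chart defaults rather than `trivy-operator.yaml`. Drop one of the two `helm:` lines.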
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+existingSecret: "strimzi-kafka-admin"
+
+yamlApplicationConfig:
+ kafka:
+ clusters:
+ - name: yaml
+ bootstrapServers: onap-strimzi-kafka-bootstrap:9092
+ properties:
+ security.protocol: SASL_PLAINTEXT
+ sasl.mechanism: SCRAM-SHA-512
+ sasl.jaas.config: "${sasl.jaas.config}"
+ auth:
+ type: disabled
+ management:
+ health:
+ ldap:
+ enabled: false
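Review bot: `auth.type: disabled` leaves the UI without any login while `existingSecret: "strimzi-kafka-admin"` supplies it with what looks like the Kafka admin credential, so anyone who can reach the service acts on the cluster with that identity. These look like kafka-ui chart values; if so, setting `auth.type` to `LOGIN_FORM` or `OAUTH2` closes the gap, or a comment should state which network control restricts access to the UI. `security.protocol: SASL_PLAINTEXT` also leaves the broker connection unencrypted at this layer. Whether the service mesh wraps that connection is not visible here and deserves a comment next to the property.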
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+post_addr: "<POSTADDR>"
+dns_zone: "<BASEURL>"
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ imageRegistry: <DOCKER_REPO>
+ imagePullSecrets:
+ - artifactory-docker-secret
+ defaultStorageClass: <STORAGECLASS>
+ storageClass: <STORAGECLASS>
+ serviceMesh:
+ enabled: true
+ ingress:
+ post_addr: "<POSTADDR>"
+ dns_zone: "<BASEURL>"
+
+serviceMesh:
+ envVariable:
+ SERVICE_MESH_ENABLED: true
+
+imagePullSecrets:
+ - name: artifactory-docker-secret
+
+tests:
+ testEnvName: "<ONAP_ARGO_BRANCH>"
+ smokeTests:
+ artifacts:
+ storageClassName: <STORAGECLASS>
+ testsuite:
+ name: onap-testsuite
+ cron: 0 6 * * *
+ # Testsuite job is going to be killed after 6 hours
+ # if it doesn't end by itself. That prevents an issue
+ # with blocked cronjobs executions
+ testsuiteJobActiveDeadlineSeconds: 21600
+ # Tests listed below will be included into testsuite
+ # Important: test here is no a test name but a key from `tests.tests` value dictionary
+ # We are going to range through list below, get object from `tests.tests` dictionary,
+ # verify if it's enabled and then add it into testsuite. So user at the end has to
+ # remember only on one place to enable/disable test. But thanks to that we are able
+ # to modify order, presence of tests on testsuite but also to include some tests
+ # which are not a part of given helm package (so for example if that helm is a dependency
+ # of other package)
+ tests:
+ - basicCps
+ - basicOnboard
+ - basicNetwork
+ - basicCds
+ - basicSdnc
+ - basicCnfMacro
+ - controlPanelSmokeTest
+ - aaiInitialDataSetup
+ - serviceWithoutResource
+ - addDeletePnfInRunningService
+ - pnfWithVesEvent
+ - pnfWithoutVesEvent
+ - pnfMacro
+ - basicPrh
+ - checkTimeSync
+ - basicStatus
+ - basicKafka
+ - addDeleteCnfMacro
+ - policyFramework
+ - vesPublish
+
+testkube:
+ testkube-dashboard:
+ apiServerEndpoint: "https://testkube-api<POSTADDR>.<BASEURL>"
+ testkube-api:
+ minio:
+ storageClassName: <STORAGECLASS>
+ image:
+ registry: <DOCKER_REPO>
+ mongodb:
+ storageClass: <STORAGECLASS>
+ nats:
+ config:
+ jetstream:
+ fileStore:
+ pvc:
+ storageClassName: <STORAGECLASS>
+ resolver:
+ pvc:
+ storageClassName: <STORAGECLASS>
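Review bot: `SERVICE_MESH_ENABLED: true` under `serviceMesh.envVariable` is a YAML boolean. If the chart renders it into a container `env` entry without quoting (the template is not part of this hunk), the API server will reject the non-string value, and `SERVICE_MESH_ENABLED: "true"` removes that dependency on the template. `cron: 0 6 * * *` is better quoted as `cron: "0 6 * * *"`, since `*` is a YAML indicator character and the plain form only parses because it does not start the scalar. The comment above `tests:` has a typo: "is no a test name" should read "is not a test name".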
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+# -- targetNamespace defines where you want trivy-operator to operate. By
+# default, it's a blank string to select all namespaces, but you can specify
+# another namespace, or a comma separated list of namespaces.
+#targetNamespaces: "onap"
+targetNamespaces: "onap"
+operator:
+ # -- the flag to enable vulnerability scanner
+ vulnerabilityScannerEnabled: true
+ # -- the flag to enable sbom generation, required for enabling ClusterVulnerabilityReports
+ sbomGenerationEnabled: false
+ # -- the flag to enable cluster sbom cache generation
+ clusterSbomCacheEnabled: false
+ # -- scannerReportTTL the flag to set how long a report should exist. "" means that the ScannerReportTTL feature is disabled
+ scannerReportTTL: "24h"
+ # -- cacheReportTTL the flag to set how long a cluster sbom report should exist. "" means that the cacheReportTTL feature is disabled
+ cacheReportTTL: "120h"
+ # -- configAuditScannerEnabled the flag to enable configuration audit scanner
+ configAuditScannerEnabled: false
+ # -- rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner
+ rbacAssessmentScannerEnabled: false
+ # -- infraAssessmentScannerEnabled the flag to enable infra assessment scanner
+ infraAssessmentScannerEnabled: true
+ # -- clusterComplianceEnabled the flag to enable cluster compliance scanner
+ clusterComplianceEnabled: true
+ # -- batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
+ batchDeleteLimit: 10
+ # -- vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
+ vulnerabilityScannerScanOnlyCurrentRevisions: true
+ # -- configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment.
+ configAuditScannerScanOnlyCurrentRevisions: true
+ # -- batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
+ batchDeleteDelay: 10s
+ # -- accessGlobalSecretsAndServiceAccount The flag to enable access to global secrets/service accounts to allow `vulnerability scan job` to pull images from private registries
+ accessGlobalSecretsAndServiceAccount: true
+ # -- builtInTrivyServer The flag enables the usage of built-in trivy server in cluster. It also overrides the following trivy params with built-in values
+ # trivy.mode = ClientServer and serverURL = http://<serverServiceName>.<trivy operator namespace>:4975
+ builtInTrivyServer: false
+ # -- builtInServerRegistryInsecure is the flag to enable insecure connection from the built-in Trivy server to the registry.
+ builtInServerRegistryInsecure: false
+
+image:
+ registry: <DOCKER_REPO>
+trivyOperator:
+ skipResourceByLabels: "test-name"
+trivy:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100M
+ # ephemeralStorage: "2Gi"
+ limits:
+ cpu: 1
+ memory: 2000M
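Review bot: `accessGlobalSecretsAndServiceAccount: true` gives the operator access to secrets and service accounts globally, per the comment above it, although `targetNamespaces: "onap"` limits scanning to a single namespace. If the image pull secrets the scan jobs need live in `onap`, `accessGlobalSecretsAndServiceAccount: false` should narrow what the operator's identity can read; otherwise add a comment naming the registry secret that requires the global access. The commented `#targetNamespaces: "onap"` line duplicates the active line below it and can be dropped.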
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-a1policymanagement
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: a1policymanagement
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/a1policymanagement.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
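Review bot: `targetRevision: "*"` on the `a1policymanagement` chart source, combined with `automated` sync (`prune: true`, `selfHeal: true`), means whichever chart version is newest in the repository is deployed without review, and the repository is fetched over plain `http://chartmuseum.chartmuseum:8080`. Pinning an explicit chart version, as the trivy-operator Application does with `0.27.0`, makes rollouts reproducible and limits what a write to the chart repository can change in the cluster. The same pattern repeats in the Application manifests for aai, authentication, cds, cassandra, mariadb-galera, postgres, repository-wrapper, roles-wrapper, cps and dcaegen2-services later in this diff. All of them also use `project: default`, whereas the parent `onap` Application uses `argo-management`; a dedicated AppProject restricting source repositories and destinations would be the tighter choice.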
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-aai
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: aai
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/aai.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ labels:
+ name: onap
+spec:
+ project: argo-management
+ source:
+ repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ path: ./argo/onap
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: onap
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - Validate=true
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ revisionHistoryLimit: 10
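Review bot: This manifest has no license header, while the sibling Application files added in the same change start with the Apache-2.0 / SPDX block; add the same header for consistency. `prune: false` here differs from `prune: true` in the child Applications, so Application objects removed from `./argo/onap` will remain in the cluster. A comment such as `# child Applications removed from git are kept; delete them manually` would record whether that is intended.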
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-authentication
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: authentication
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/authentication.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-cds
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: cds
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/cds.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-cassandra
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: cassandra
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/cassandra.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-mariadb-galera
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: mariadb-galera
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/mariadb-galera.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-postgres
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: postgres
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/postgres.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-repository-wrapper
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: repository-wrapper
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/repository-wrapper.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-roles-wrapper
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: roles-wrapper
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/roles-wrapper.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-cps
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: cps
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/cps.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-dcaegen2-services
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: dcaegen2-services
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/dcaegen2-services.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
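Review bot: The chart source in this Application pins nothing: `targetRevision: "*"` resolves to whatever chart version is newest in the repository, and with `automated` sync, `prune: true` and `selfHeal: true` that version is rolled out, and resources it no longer contains are deleted, without any change appearing in Git. The repository is also addressed over plain `http://`, so the chart is fetched without transport integrity, even if only inside the cluster. Consider a fixed version such as `targetRevision: <ONAP_CHART_VERSION>` (placeholder), substituted the same way as `<ONAP_ARGO_BRANCH>`. The same lines appear in the multicloud, platform, policy, portal-ng, sdc, sdnc, so, strimzi and uui Application hunks.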
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - a1policymanagement.yaml
+ - aai.yaml
+ - authentication.yaml
+ - cds.yaml
+ - cps.yaml
+ - dcaegen2-services.yaml
+ - multicloud.yaml
+ - platform.yaml
+ - policy.yaml
+ - portal-ng.yaml
+ - sdc.yaml
+ - sdnc.yaml
+ - so.yaml
+ - uui.yaml
+ - strimzi.yaml
+ - common/cassandra.yaml
+ - common/mariadb-galera.yaml
+ - common/postgres.yaml
+ - common/repository-wrapper.yaml
+ - common/roles-wrapper.yaml
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-multicloud
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: multicloud
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/multicloud.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
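Review bot: `project: default` places this Application in Argo CD's built-in project, which, unless it has been locked down separately, allows any source repository and any destination cluster and namespace. A dedicated AppProject that lists only the Git repo and the chart repository under `sourceRepos`, and only the `onap` namespace under `destinations`, would bound what a changed manifest can deploy. The proposed line is `project: <ONAP_APPPROJECT_NAME>` (placeholder; the AppProject itself is not part of this hunk). The other Application hunks in this commit use the same `project: default`.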
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-platform
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: platform
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/platform.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
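Review bot: `ignoreMissingValueFiles: true` turns a missing or misspelled entry under `valueFiles` into a silent no-op, so the chart would deploy with its built-in defaults instead of the overrides under `argo/onap/values/`. Both listed files look like they are meant to exist in the referenced repo, so I would set `ignoreMissingValueFiles: false` (or drop the key) so that a bad path fails the sync. If some components deliberately have no per-component file, a comment `# <component>.yaml is optional` next to that entry would record it. This applies equally to the other Application hunks in this commit.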
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-policy
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: policy
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/policy.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-portal-ng
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: portal-ng
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/portal-ng.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-sdc
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: sdc
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/sdc.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-sdnc
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: sdnc
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/sdnc.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-so
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: so
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/so.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-strimzi
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: strimzi
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/strimzi.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: onap-uui
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: onap
+ server: https://kubernetes.default.svc
+ project: default
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: uui
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/uui.yaml
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio-injection: enabled
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: true
+ selfHeal: true
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+aai-traversal:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
+
+aai-resources:
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
+
+aai-modelloader:
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
+
+aai-babel:
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
+
+aai-schema-service:
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
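Review bot: `argocd.argoproj.io/hook: Sync` with `hook-delete-policy: BeforeHookCreation` under `aai-traversal.jobAnnotations` means the job is deleted and re-created on every sync, not only on first install. If the Application consuming these values syncs automatically, the job has to be safe to run repeatedly; a comment such as `# Job re-runs on each Argo CD sync; must be idempotent` above `jobAnnotations` would record that requirement. The same annotation pair is set in the later values hunks for cps-core postgres-init, the sdc-* charts, network-name-gen mariadb-init, so-mariadb and the uui-* charts.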
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ # storageClass for oauth2-proxy setting for Redis DB
+ defaultStorageClass: <STORAGECLASS>
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+k8ssandraOperator:
+ persistence:
+ storageClassName: <STORAGECLASS>
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+mariadb-galera:
+ mariadbOperator:
+ persistence:
+ storageClassName: <STORAGECLASS>
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+cps-core:
+ postgres-init:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+mariadbOperator:
+ persistence:
+ storageClassName: <STORAGECLASS>
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ # setting for mongodb
+ storageClass: <STORAGECLASS>
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+cmpv2-cert-provider:
+ enabled: false
+oom-cert-service:
+ enabled: false
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ mariadbGalera:
+ localCluster: false
+
+jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+global:
+ # setting for mongodb
+ storageClass: <STORAGECLASS>
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+sdc-cs:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+sdc-be:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+sdc-onboarding-be:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+sdc-wfd-be:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+network-name-gen:
+ mariadb-init:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+so-mariadb:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+so-bpmn-infra:
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
+
+so-catalog-db-adapter:
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
+
+so-openstack-adapter:
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
+
+so-request-db-adapter:
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
+
+so-sdc-controller:
+ podAnnotations:
+ proxy.istio.io/config: |
+ tracing:
+ sampling: 0
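Review bot: The five `proxy.istio.io/config` overrides (so-bpmn-infra, so-catalog-db-adapter, so-openstack-adapter, so-request-db-adapter, so-sdc-controller) set sidecar `sampling: 0` without saying why. The global values file added in the same change enables tracing with `probability: 1.0`, so a reader cannot tell whether turning proxy sampling off for these pods is deliberate. A one-line comment above the first block would settle it, e.g. `# sidecar tracing disabled for SO adapters: <reason>`, with the reason supplied by the author.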
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (c) 2025 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+uui-server:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+uui-intent-analysis:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+uui-llm-adaptation:
+ jobAnnotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
--- /dev/null
+# ============LICENSE_START=======================================================\r
+# Copyright (c) 2025 Deutsche Telekom\r
+# ================================================================================\r
+# Licensed under the Apache License, Version 2.0 (the "License");\r
+# you may not use this file except in compliance with the License.\r
+# You may obtain a copy of the License at\r
+#\r
+# http://www.apache.org/licenses/LICENSE-2.0\r
+#\r
+# Unless required by applicable law or agreed to in writing, software\r
+# distributed under the License is distributed on an "AS IS" BASIS,\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+# See the License for the specific language governing permissions and\r
+# limitations under the License.\r
+#\r
+# SPDX-License-Identifier: Apache-2.0\r
+# ============LICENSE_END=========================================================\r
+\r
+################################\r
+# General configuration of ONAP\r
+# ORIGINAL FILE:\r
+# https://git.onap.org/oom/tree/kubernetes/onap/values.yaml\r
+#\r
+# Using value files in argo:\r
+# https://github.com/argoproj/argo-cd/issues/2789#issuecomment-879043660\r
+################################\r
+global:\r
+\r
+ # override default resource limit flavor for all charts\r
+ flavor: small\r
+\r
+ nodePortPrefix: 302\r
+ nodePortPrefixExt: 304\r
+ masterPassword: gatingPassword\r
+ addTestingComponents: &testing false\r
+ repository: <ONAP_REPO>\r
+ dockerHubRepository: &dockerHubRepository <DOCKER_REPO>\r
+ elasticRepository: &elasticRepository <ELASTIC_REPO>\r
+ quayRepository: <QUAY_REPO>\r
+ googleK8sRepository: <K8S_REPO>\r
+ githubContainerRegistry: <GITHUB_REPO>\r
+ loggingRepository: *elasticRepository\r
+ busyboxRepository: *dockerHubRepository\r
+ repositoryCred:\r
+ user: docker\r
+ password: docker\r
+ busyboxImage: busybox:1.34.1\r
+ curlImage: curlimages/curl:7.80.0\r
+ envsubstImage: dibi/envsubst:latest\r
+ htpasswdImage: xmartlabs/htpasswd:latest\r
+ kubectlImage: bitnami/kubectl:1.22.4\r
+ loggingImage: beats/filebeat:5.5.0\r
+ mongodbImage: percona/percona-server-mongodb:7.0.16-10\r
+ mariadbImage: mariadb:11.7.2\r
+ nginxImage: bitnami/nginx:1.21.4\r
+ postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1\r
+ readinessImage: onap/oom/readiness:6.2.0\r
+ # Default definition of the secret containing the docker image repository\r
+ # credentials. In the default ONAP deployment the secret is created by the\r
+ # repository-wrapper component, which uses the secrets defined above.\r
+ # If this is not wanted or other secrets are created, alternative secret\r
+ # names can be used\r
+ # Overrides for specific images can be done, if the "image" entry is used as\r
+ # a map and the "pullSecrets" is used, e.g.\r
+ # image:\r
+ # ...\r
+ # pullSecrets:\r
+ # - myRegistryKeySecretName\r
+ #\r
+ imagePullSecrets:\r
+ - name: '{{ include "common.namespace" . }}-docker-registry-key'\r
+\r
+ pullPolicy: Always\r
+ jreImage: onap/integration-java11:10.0.0\r
+ clusterName: cluster.local\r
+\r
+ # enable this if you have deployed Jaeger alongside ONAP\r
+ tracing:\r
+ enabled: true\r
+ collector:\r
+ baseUrl: http://jaeger-collector.istio-system:9411\r
+ sampling:\r
+ probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%)\r
+\r
+ persistence:\r
+ mountPath: /dockerdata-nfs\r
+ enableDefaultStorageclass: false\r
+ parameters: {}\r
+ storageclassProvisioner: <STORAGECLASS>\r
+ volumeReclaimPolicy: Retain\r
+ storageClass: "<STORAGECLASS>"\r
+ debugEnabled: false\r
+ passwordStrength: long\r
+\r
+ ingress:\r
+ enabled: true\r
+ # enable all component's Ingress interfaces\r
+ enable_all: true\r
+\r
+ # Provider: ingress, istio, gw-api\r
+ provider: gw-api\r
+ # Ingress class (only for provider "ingress"): e.g. nginx, traefik\r
+ ingressClass:\r
+ # Ingress Selector (only for provider "istio") to match with the\r
+ # ingress pod label "istio=ingress"\r
+ ingressSelector: ingress\r
+ # optional: common used Gateway (for Istio, GW-API)\r
+ commonGateway:\r
+ name: common-gateway\r
+ httpListener: http\r
+ httpsListener: https\r
+\r
+ # default Ingress base URL and preAddr- and postAddr settings\r
+ # Ingress URLs result:\r
+ # <preaddr><component.ingress.service.baseaddr><postaddr>.<baseurl>\r
+ virtualhost:\r
+ # Default Ingress base URL\r
+ # can be overwritten in component by setting ingress.baseurlOverride\r
+ baseurl: "<BASEURL>"\r
+ # prefix for baseaddr\r
+ # can be overwritten in component by setting ingress.preaddrOverride\r
+ preaddr: ""\r
+ # POSTADDR for baseaddr\r
+ # can be overwritten in component by setting ingress.postaddrOverride\r
+ postaddr: "<POSTADDR>"\r
+ config:\r
+ # All http (port 80) requests via ingress will be redirected\r
+ # to port 443 on Ingress controller\r
+ # only valid for Istio Gateway (ServiceMesh enabled)\r
+ ssl: "redirect"\r
+ tls:\r
+ secret: 'ingress-tls-secret'\r
+ # optional: Namespace of the Istio IngressGateway\r
+ # only valid for Istio Gateway (ServiceMesh enabled)\r
+ namespace: istio-ingress\r
+ serviceMesh:\r
+ enabled: true\r
+ tls: true\r
+ engine: "istio"\r
+ nativeSidecars: true\r
+ # Global Istio Authorization Policy configuration\r
+ authorizationPolicies:\r
+ enabled: false\r
+ metrics:\r
+ enabled: true\r
+ custom_resources: false\r
+ aafEnabled: false\r
+ aafAgentImage: onap/aaf/aaf_agent:2.1.20\r
+ msbEnabled: false\r
+ certificate:\r
+ default:\r
+ renewBefore: 720h0m0s # 30 days\r
+ duration: 8760h0m0s # 365 days\r
+ subject:\r
+ organization: "Linux-Foundation"\r
+ country: "US"\r
+ locality: "San-Francisco"\r
+ province: "California"\r
+ organizationalUnit: "ONAP"\r
+ issuer:\r
+ group: certmanager.onap.org\r
+ kind: CMPv2Issuer\r
+ name: cmpv2-issuer-onap\r
+ cmpv2Enabled: false\r
+ platform:\r
+ certificates:\r
+ clientSecretName: oom-cert-service-client-tls-secret\r
+ keystoreKeyRef: keystore.jks\r
+ truststoreKeyRef: truststore.jks\r
+ keystorePasswordSecretName: oom-cert-service-certificates-password\r
+ keystorePasswordSecretKey: password\r
+ truststorePasswordSecretName: oom-cert-service-certificates-password\r
+ truststorePasswordSecretKey: password\r
+ offlineDeploymentBuild: false\r
+ centralizedLoggingEnabled: ¢ralizedLogging false\r
+ tlsEnabled: false\r
+\r
+ # Global flag to enable the creation of default roles instead of using\r
+ # common roles-wrapper\r
+ createDefaultRoles: true\r
+\r
+ # temporarily useOperator is set to false for migration to "Montreal"\r
+ mariadbGalera:\r
+ # flag to enable the DB creation via mariadb-operator\r
+ useOperator: true\r
+ # if useOperator set to "true", set "enableServiceAccount to "false"\r
+ # as the SA is created by the Operator\r
+ enableServiceAccount: false\r
+\r
+ # not used in TNAP, as cassandra cluster is not created via ONAP chart\r
+ cassandra:\r
+ # flag to enable the DB creation via k8ssandra-operator\r
+ useOperator: true\r
+ # if useOperator set to "true", set "enableServiceAccount to "false"\r
+ # as the SA is created by the Operator\r
+ enableServiceAccount: false\r
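Review bot: `masterPassword: gatingPassword` and `repositoryCred` (`user: docker` / `password: docker`) are committed as literal values in a file that ArgoCD reads from Git, so anyone with read access to the repository holds them and every deployment made from this example shares them. The other environment-specific values in this file use `<...>` placeholders filled in by the replacement script; these could follow the same pattern, e.g. `masterPassword: <MASTER_PASSWORD>` (placeholder name constructed for this note), or be supplied from a secret created outside Git. Separately, `envsubstImage: dibi/envsubst:latest` and `htpasswdImage: xmartlabs/htpasswd:latest` are mutable tags, and with `pullPolicy: Always` the running image can change without any commit. Pinning a version tag or digest, as the neighbouring image entries do, keeps the Git state authoritative.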
--- /dev/null
+#!/bin/bash
+
+# directories to patch
+DIRS=("argocd" "infra" "onap" "onap-test")
+
+# Variables and Replacements (Key=Variable, Value=Replacement)
+# Beispiel: VAR1="Wert1", VAR2="Wert2"
+declare -A VARS
+VARS["ONAP_ARGO_REPO_URL"]="https://git.onap.org/oom"
+VARS["ONAP_ARGO_BRANCH"]="master"
+VARS["STORAGECLASS"]="cinder-os"
+VARS["BASEURL"]="simpledemo.onap.org"
+VARS["POSTADDR"]="-test"
+VARS["DOCKER_REPO"]="docker.io"
+VARS["ONAP_REPO"]="nexus3.onap.org:10001"
+VARS["ELASTIC_REPO"]="docker.elastic.co"
+VARS["QUAY_REPO"]="quay.io"
+VARS["GOOGLE_REPO"]="gcr.io"
+VARS["K8S_REPO"]="registry.k8s.io"
+VARS["GITHUB_REPO"]="ghcr.io"
+
+# Funktion to replace in one file
+replace_in_file() {
+ local file="$1"
+ local tmpfile="${file}.tmp"
+
+ cp "$file" "$tmpfile"
+
+ for var in "${!VARS[@]}"; do
+ # Replace <VAR> with value
+ # -i: inplace, but done with tmpfile, if Backup is required
+ sed -i "s|<${var}>|${VARS[$var]}|g" "$tmpfile"
+ done
+
+ mv "$tmpfile" "$file"
+}
+
+# Main Loop: Run through all files in the given directories
+for dir in "${DIRS[@]}"; do
+ # Find all files recursively
+ find "$dir" -type f | while read -r file; do
+ replace_in_file "$file"
+ echo "Done: $file"
+ done
+done
+
+echo "Done."
\ No newline at end of file
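Review bot: The script has no error handling and resolves `DIRS` against the current working directory, so when it is started from anywhere other than the directory holding `argocd`, `infra`, `onap` and `onap-test`, each `find "$dir"` fails, nothing is patched, and the run still ends with `Done.` and exit status 0. The `<...>` placeholders then stay in the manifests that get committed. Adding `set -euo pipefail` and `cd "$(dirname "$0")"` after the shebang would make that failure visible. The `sed` expression also inserts `${VARS[$var]}` unescaped, so a value containing `|`, `&` or `\` would be misread by `sed`; escaping the value before substitution, or stating that restriction in the comment above `VARS`, would cover it.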
--- /dev/null
+.. This work is licensed under a Creative Commons Attribution 4.0
+.. International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright (C) 2025 Deutsche Telekom
+
+.. Links
+.. _ONAP helm release repository: https://nexus3.onap.org/service/rest/repository/browse/onap-helm-release/
+.. _ONAP Release Long Term Roadmap: https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16220234/Long+Term+Release+Roadmap
+.. _GitOps Deployment: https://www.cncf.io/blog/2025/06/09/gitops-in-2025-from-old-school-updates-to-the-modern-way/
+.. _Trivy Scan: https://trivy.dev/latest/
+.. _ArgoCD: https://argo-cd.readthedocs.io/en/stable/
+.. _App of Apps: https://argo-cd.readthedocs.io/en/latest/operator-manual/cluster-bootstrapping/
+
+.. _oom_argo_release_deploy:
+
+OOM Deployment using ArgoCD
+===========================
+
+Besides the deployment of ONAP using helm as described in :ref:`oom_helm_release_repo_deploy`, you
+can use GitOps based deployment of ONAP components using ArgoCD or Flux (see `GitOps deployment`_).
+This document shows an example for an ArgoCD (see `ArgoCD`_) based installation.
+
+General principles of GitOps and ArgoCD
+---------------------------------------
+
+GitOps is a modern approach to continuous delivery and infrastructure management
+that uses Git as the source of truth for both application and infrastructure configurations.
+
+In GitOps, all changes to the system, such as updates or rollbacks, are made through pull
+requests in Git repositories, which then trigger automated deployment pipelines.
+
+This ensures that the environment is always aligned with the desired state defined in the Git
+repository, making the system more predictable and auditable.
+
+ArgoCD is a Kubernetes-native continuous delivery tool that implements GitOps principles.
+It monitors Git repositories for changes in configuration files
+(such as YAML or Helm charts) and automatically syncs the state of the Kubernetes
+clusters to match the desired configuration.
+With ArgoCD, users can track application deployments and changes visually through
+a web UI or CLI, providing transparency and easy rollback options.
+It also supports multi-cluster deployments and offers strong access control mechanisms
+to manage who can trigger changes.
+The system is highly automated and allows for fast, secure delivery and operational
+consistency across environments.
+
+OOM support for ArgoCD deployment
+---------------------------------
+
+In the OOM repository a subtree is provided, which contains ArgoCD
+Application definitions and other files supporting the installation
+using ArgoCD:
+
+An example structure of the OOM common helm charts is shown below:
+
+.. code-block:: bash
+
+ argo
+ ├── argocd
+ │ ├── app-argocd.yaml
+ │ ├── kustomization.yaml
+ │ ├── argo-project.yaml
+ │ ├── argo-secret.yaml
+ │ ├── argocd.yaml
+ │ ├── values
+ │ │ └── argocd.yaml
+ ├── infra
+ │ ├── app-infra.yaml
+ │ ├── kustomization.yaml
+ │ ├── certmanager.yaml
+ │ ├── chartmuseum.yaml
+ │ ├── compile-onap.yaml
+ │ ├── ...
+ │ ├── values
+ │ │ ├── certmanager.yaml
+ │ │ ├── chartmuseum.yaml
+ │ │ ├── compile-onap.yaml
+ │ │ ├── ...
+ │ │ └── xxx.yaml
+ │ ├── compile-onap
+ │ │ └── helm
+ │ │ ├── Chart.yaml
+ │ │ ├── values.yaml
+ │ │ └── templates
+ │ │ └── onap-helm-render-job.yaml
+ │ ├── ...
+ ├── onap
+ │ ├── app-onap.yaml
+ │ ├── kustomization.yaml
+ │ ├── a1policymanagement.yaml
+ │ ├── aai.yaml
+ │ ├── authentication.yaml
+ │ ├── cds.yaml
+ │ ├── ...
+ │ ├── values
+ │ │ ├── a1policymanagement.yaml
+ │ │ ├── aai.yaml
+ │ │ ├── authentication.yaml
+ │ │ ├── ...
+ │ │ └── xxx.yaml
+ ├── onap-test
+ │ ├── app-onap-test.yaml
+ │ ├── kustomization.yaml
+ │ ├── kafka-ui.yaml
+ │ ├── onap-test-ingress.yaml
+ │ ├── testkube.yaml
+ │ ├── trivy-operator.yaml
+ │ ├── values
+ │ │ ├── kafka-ui.yaml
+ │ │ ├── onap-test-ingress.yaml
+ │ │ ├── testkube.yaml
+ │ │ └── trivy-operator.yaml
+ │ ├── ingress-routes
+ │ │ └── helm
+ │ │ ├── Chart.yaml
+ │ │ ├── values.yaml
+ │ │ └── templates
+ │ │ └── ingress-kafka-ui.yaml
+ │ ├── ...
+ └── update-variables.sh
+
+The main folders are:
+
+* argocd
+
+ * Application definition for the ArgoCD deployment
+
+* infra
+
+ * Application definitions for required infrastructure components
+ (e.g. Istio, CertManager, DB Operators, ...)
+ * Required Helm Charts for IngressRoutes, Kiali, ONAP Chart compilation
+
+* onap
+
+ * Application definitions for ONAP components (e.g. AAI, CDS, SO, ...)
+
+* onap-test
+
+ * Application definitions for ONAP Test components and tools
+ (e.g. Trivy Scan, Testkube, Kafka-UI)
+
+General hints and preparation
+-----------------------------
+
+Prerequisites
+^^^^^^^^^^^^^
+
+As prerequisite you would need a Kubernetes cluster with the required
+capacity to deploy the components into.
+
+The Infrastructure (e.g. Bare Metal servers, Virtual Hosts) and the
+way of deployment (e.g. ClusterAPI, Kubespray) is not restricted.
+
+In the tests of the OOM team it is done:
+
+* On a vanilla Openstack cluster
+* Using Terraform to create the tenant, VMs and networking
+* Using Kubespray to create the K8S cluster
+* Use a GitLab-CI pipeline to orchestrate the creation
+
+At the end of the deployment you need to install ArgoCD in this cluster
+for the further process of installation.
+
+As a input parameters for the ONAP deployment you would need to provide:
+
+* A local Git(lab) project to store the "argo" Application definitions (or the oom project)
+* Storage Class the cluster provides for PVs
+* (Optional) A local helm registry to store the ONAP helmcharts,
+ if you don't use the installed ChartMuseum
+
+Preparation
+^^^^^^^^^^^
+
+* Clone the OOM repository into a new Git(Lab) project
+* Replace the following variables with the script 'updateVariables.sh' (in argo subdir):
+
+ * <ONAP_ARGO_REPO_URL> with the URL of the new git repo
+ * <STORAGECLASS> with the default K8S storage class
+ * <BASEURL> with the base DNS zone (e.g. "simpledemo.onap.org")
+ * <POSTADDR> with the postfix for the hosts (optional) (e.g. "-onap-00")
+ * <DOCKER_REPO> URL of the docker repository ('docker.io')
+ * <ONAP_REPO> URL of the ONAP docker repository ('nexus3.onap.org:10001')
+ * <ELASTIC_REPO> URL of the Elastic docker repository ('docker.elastic.co')
+ * <QUAY_REPO> URL of the Quay.io docker repository ('quay.io')
+ * <GOOGLE_REPO> URL of the K8S docker repository ('gcr.io')
+ * <K8S_REPO> URL of the GoogleK8S docker repository ('registry.k8s.io')
+ * <GITHUB_REPO> URL of the Github docker repository ('ghcr.io')
+* after setting the variables start the script in the argo dir:
+ './updateVariables.sh'
+* check-in the git project
+
+To allow ArgoCD to access the
+
+- Git Repository, which contains the application definitions,
+- (optional) Helm Repository, which contains the compiled charts
+
+you need to create secrets to define the repository and the access credentials.
+E.g.:
+
+.. collapse:: argo-secret.yaml
+
+ .. include:: ../../../../argo/argocd/argo-secret.yaml
+ :code: yaml
+
+The secrets will be created during the ArgoCD "self-managed" deployment described in the later section.
+
+General info about the installation of applications
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In this example we use the "App of Apps" Pattern (see `App of Apps`_) to install bundles of applications.
+E.g. we create an "onap" application containing multiple ONAP component applications (e.g. so, aai).
+
+As definition of the "onap" application an "Application" resource is defined, which points to
+the directory 'argo/onap' in the examples.
+
+.. collapse:: app-onap.yaml
+
+ .. include:: ../../../../argo/onap/app-onap.yaml
+ :code: yaml
+
+The directory contains a kustomization.yaml file, which contains a resource definition pointing to
+the ONAP component application files in its subdirectories.
+
+.. collapse:: kustomization.yaml
+
+ .. include:: ../../../../argo/onap/kustomization.yaml
+ :code: yaml
+
+To add the ONAP application to ArgoCD for management, you can add it via kubectl command::
+
+ > kubectl apply -f argo/onap/app-onap.yaml
+
+If you don't want to use the "App of Apps" Pattern, you can also install the single applications, e.g.::
+
+ > kubectl apply -f argo/onap/so.yaml
+
+User Guide for ArgoCD example
+-----------------------------
+
+After preparation of the environment and git repository the following steps are executed:
+
+* Installation of "self-managed" ArgoCD
+* Installation of the Infrastructure Applications and compilation and storage of the ONAP charts
+* Installation of the ONAP Applications
+* Installation of the ONAP Test Applications
+
+The separation of the deployment steps is done to ease the installation procedure and avoid
+dependency problems. But generally it should also be possible to install all applications at once
+and let ArgoCD deal with the deployment.
+
+Installation of "self-managed" ArgoCD
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+After ArgoCD has been installed, you can add an "argocd" application to force ArgoCD to manage itself.
+
+The definition files can be found in the directory 'argo/argocd':
+
+* app-argocd.yaml - (AppOfApps-)Application definition file points to the same directory and uses kustomization.yaml
+* kustomization.yaml - Kustomize file with resources collection (argocd.yaml, argo-project.yaml, argo-secrets.yaml)
+* argocd.yaml - Application definition for ArgoCD
+* app-secrets.yaml - Secrets for needed Git/Helm-repositories and credentials
+* app-project.yaml - ArgoCD Project definition
+* values/argocd.yaml - values definition used by argocd.yaml
+
+To deploy the ArgoCD "self-managed" (AppOfApps-)application, you can add it via kubectl command::
+
+ > kubectl apply -f argo/argocd/app-argocd.yaml
+
+You can now try to access the ArgoCD UI via Port Forwarding of the "argo-service".
+The access credentials are "admin/gating"
+
+Installation of the Infrastructure Applications
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+As ONAP requires a number of platform/infrastructure components, the installation of those are bundled in
+this "App of Apps" Application.
+
+The definition files can be found in the directory 'argo/infra':
+
+* app-infra.yaml - (AppOfApps-)Application definition file points to the same directory and uses kustomization.yaml
+* kustomization.yaml - Kustomize file with resources collection for the "App of Apps" Application
+* cert-manager.yaml - Application definition for Certificate Manager
+* chartmuseum.yaml - Application definition for ChartMuseum (required for compile-onap)
+* compile-onap.yaml - Application definition a local helm chart used for local ONAP chart compilation
+* compile-onap/helm/* - Helm chart used for local ONAP chart compilation
+* django-defectdojo.yaml - Application definition for Defect-Dojo (used as Trivy Report UI)
+* gateway-api.yaml - Application definition for Gateway-API CRDs
+* gateway-api/* - CRD definitions of Gateway-API
+* infra-ingress.yaml - Application definition for a local helm chart for Ingress routes (ingress-routes)
+* ingress-routes/helm - Helm chart with ingress definition for Infra Applications and Ingress Gateway
+* istio.yaml - Application definition for Istio ServiceMesh
+* jaeger.yaml - Application definition for Jaeger
+* k8ssandra-operator.yaml - Application definition for K8ssandra-Operator
+* keycloak-db.yaml - Application definition for the Database instance for Keycloak
+* keycloak.yaml - Application definition for Keycloak
+* kiali-operator.yaml - Application definition for the Kiali-Operator
+* kiali.yaml - Application definition for the Kiali Instance
+* kiali-instance/* - Definition of the Kiali Instance
+* mariadb-operator-crds.yaml - Application definition for the MariaDB-Operator CRDs
+* mariadb-operator.yaml - Application definition for the MariaDB-Operator
+* mongodb-operator.yaml - Application definition for the MongoDB-Operator
+* nfs-server-provisioner.yaml - Application definition for the NFS Server Provisioner
+* postgres-operator.yaml - Application definition for the Postgres-Operator
+* prometheus.yaml - Application definition for the Prometheus
+* strimzi.yaml - Application definition for the Strimzi-Kafka-Operator
+* trivy-dojo-report-operator.yaml - Application definition for the Trivy-DefectDojo Connector
+* values/* - values definition for all infra applications
+
+To deploy the Infrastructure (AppOfApps-)application, you can add it via kubectl command::
+
+ > kubectl apply -f argo/infra/app-infra.yaml
+
+After the successful installation of the Ingress setup you should be able to start the ArgoCD UI via the URL:
+
+``https://argocd<POSTADDR>.<BASEURL>``
+
+Access credentials are "admin/gating"
+
+.. figure:: ../../resources/images/argocd/login.jpg
+ :align: right
+
+You should see in the UI the Application trees of "argo-management" and "infra-components"
+
+.. figure:: ../../resources/images/argocd/argocd.jpg
+ :align: right
+
+.. figure:: ../../resources/images/argocd/infra.jpg
+ :align: right
+
+Within the Infrastructure components the "compile-onap" App creates a job, which downloads the "OOM"
+git repository, compiles the ONAP charts and stores them into the "ChartMuseum" App.
+
+The ChartMuseum is used as Helm Repository for the ONAP Applications.
+Within the ONAP Application definitions (e.g. in 'argo/onap/aai.yaml') you see as source definition
+the internal Chart Museum Service URL ('repoURL').
+
+If you want to use another repository, you need to change the value.
+The Chart version ('targetRevision') is set as "*", so it uses the latest version it finds.
+
+If you want, you can specify here a fixed release version (e.g. '16.0.0').
+
+.. code-block:: yaml
+
+ apiVersion: argoproj.io/v1alpha1
+ kind: Application
+ metadata:
+ name: onap-aai
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ spec:
+ ...
+ sources:
+ - repoURL: '<ONAP_ARGO_REPO_URL>'
+ targetRevision: <ONAP_ARGO_BRANCH>
+ ref: defaultValues
+ - repoURL: http://chartmuseum.chartmuseum:8080
+ chart: aai
+ targetRevision: "*"
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $defaultValues/argo/onap/values/values-global.yaml
+ - $defaultValues/argo/onap/values/aai.yaml
+ ...
+
+Installation of the ONAP Applications
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The deployment of ONAP components is shown here as "App of Apps" application.
+
+The selection of the ONAP component can be done via the kustomization.yaml file.
+
+If the "App of Apps" pattern is not wanted, the components an also be deployed individually.
+
+The definition files can be found in the directory 'argo/onap':
+
+* app-onap.yaml - (AppOfApps-)Application definition file points to the same directory and uses kustomization.yaml
+* kustomization.yaml - Kustomize file with resources collection for the "App of Apps" Application
+* a1policymanagement.yaml - Application definition for A1 Policy Management
+* aai.yaml - Application definition for AAI component
+* authentication.yaml - Application definition for Authentication component
+* cds.yaml - Application definition for CDS component
+* common/cassandra.yaml - Application definition for the common CASSANDRA DB instance
+* common/mariadb-galera.yaml - Application definition for the common MariaDB instance
+* common/postgres.yaml - Application definition for the common Postgres DB instance
+* common/repository-wrapper.yaml - Application definition for the common Repository Wrapper
+* common/roles-wrapper.yaml - Application definition for the common Roles Wrapper (optional)
+* cps.yaml - Application definition for CPS component
+* dcaegen2-services.yaml - Application definition for DCAEGEN2-SERVICES component
+* multicloud.yaml - Application definition for MULTICLOUD component
+* platform.yaml - Application definition for PLATFORM component
+* policy.yaml - Application definition for POLICY component
+* portal-ng.yaml - Application definition for PORTAL-NG component
+* sdc.yaml - Application definition for SDC component
+* sdnc.yaml - Application definition for SDNC component
+* so.yaml - Application definition for SO component
+* strimzi.yaml - Application definition for STRIMZI component
+* uui.yaml - Application definition for UUI component
+* values/* - values definition for all ONAP applications + common values-global.yaml
+
+To deploy the ONAP (AppOfApps-)application, you can add it via kubectl command::
+
+ > kubectl apply -f argo/onap/app-onap.yaml
+
+You should see in the UI the Application trees of "onap"
+
+.. figure:: ../../resources/images/argocd/onap.jpg
+ :align: right
+
+Installation of the ONAP Test Applications
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+As we use the ArgoCD deployment also for testing the ONAP components,
+we decided to add an application set to deploy testing components.
+
+The definition files can be found in the directory 'argo/onap-test':
+
+* app-onap-test.yaml - (AppOfApps-)Application definition file points to the same directory and uses kustomization.yaml
+* kustomization.yaml - Kustomize file with resources collection for the "App of Apps" Application
+* kafka-ui.yaml - Application definition for Kafka UI
+* onap-test-ingress.yaml - Application definition for a local helm chart for Ingress routes (ingress-routes)
+* ingress-routes/helm - Helm chart with ingress definition for KAfka UI Application and Ingress Gateway
+* testkube.yaml - Application definition for the TESTKUBE Chart deployent for running ONAP tests
+* testkube/helm/* - Helm chart for the TESTKUBE application
+* testkube/pythonsdk-tests/* - TESTKUBE test definitions based on ONAP PythonSDK
+* values/* - values definition for all ONAP Test applications
+
+To deploy the ONAP-Test (AppOfApps-)application, you can add it via kubectl command::
+
+ > kubectl apply -f argo/onap-test/app-onap-test.yaml
+
+URLs of Applications
+^^^^^^^^^^^^^^^^^^^^
+
+Besides the ONAP applications the following applications are exposed via Ingress:
+
+* ArgoCD: ``https://argocd<POSTADDR>.<BASEURL>`` (admin/gating)
+* Kafka-UI: ``https://kafka-ui<POSTADDR>.<BASEURL>``
+* Cassandra-Reaper: ``https://reaper-dc1<POSTADDR>.<BASEURL>`` (see secret "cassandra-reaper-ui")
+* Testkube: ``https://testkube<POSTADDR>.<BASEURL>``
+* DefectDojo: ``https://defectdojo<POSTADDR>.<BASEURL>`` (admin/gating)
+* Grafana: ``https://grafana<POSTADDR>.<BASEURL>`` (admin/prom-operator)
+* Kiali: ``https://kiali<POSTADDR>.<BASEURL>``
+* Jaeger: ``https://jaeger<POSTADDR>.<BASEURL>``
+* Keycloak: ``https://keycloak-ui<POSTADDR>.<BASEURL>`` (admin/secret)
+
+ONAP applications follow the same schema, e.g. portal-ng:
+
+* PortalNG: ``https://portal-ng-ui<POSTADDR>.<BASEURL>``
+* ...
* :ref:`oom_helm_release_repo_deploy`
* :ref:`oom_helm_testing_repo_deploy`
* :ref:`oom_dev_testing_local_deploy`
+ * :ref:`oom_argo_release_deploy`
.. warning::
| **Pre-requisites**
.. toctree::
- :hidden:
+ :maxdepth: 1
oom_customize_overrides.rst
oom_helm_release_repo_deploy.rst
oom_helm_testing_repo_deploy.rst
oom_dev_testing_local_deploy.rst
+ oom_argo_release_deploy.rst
============== =========== ======= ======== ======== ============= ========
New Delhi 1.28.6 3.13.1 1.28.x 20.10.x 1.14.4 0.41.0
Oslo 1.28.6 3.13.1 1.30.x 23.0.x 1.16.2 0.44.0
- Paris 1.30.4 3.16.4 1.30.x 23.0.x 1.17.2 0.45.0
+ Paris 1.32.5 3.16.4 1.32.x 23.0.x 1.17.2 0.46.0
============== =========== ======= ======== ======== ============= ========
.. table:: OOM Software Requirements (production)
--- /dev/null
+.. This work is licensed under a Creative Commons Attribution 4.0
+ International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. (c) ONAP Project and its contributors
+.. _release_notes_oslo:
+
+:orphan:
+
+*************************************
+ONAP Operations Manager Release Notes
+*************************************
+
+Previous Release Notes
+======================
+
+- :ref:`New Delhi <release_notes_newdelhi>`
+- :ref:`Montreal <release_notes_montreal>`
+- :ref:`London <release_notes_london>`
+- :ref:`Kohn <release_notes_kohn>`
+- :ref:`Jakarta <release_notes_jakarta>`
+- :ref:`Istanbul <release_notes_istanbul>`
+- :ref:`Honolulu <release_notes_honolulu>`
+- :ref:`Guilin <release_notes_guilin>`
+- :ref:`Frankfurt <release_notes_frankfurt>`
+- :ref:`El Alto <release_notes_elalto>`
+- :ref:`Dublin <release_notes_dublin>`
+- :ref:`Casablanca <release_notes_casablanca>`
+- :ref:`Beijing <release_notes_beijing>`
+- :ref:`Amsterdam <release_notes_amsterdam>`
+
+Abstract
+========
+
+This document provides the release notes for the Oslo release.
+
+Summary
+=======
+
+
+
+Release Data
+============
+
++--------------------------------------+--------------------------------------+
+| **Project** | OOM |
+| | |
++--------------------------------------+--------------------------------------+
+| **Docker images** | N/A |
+| | |
++--------------------------------------+--------------------------------------+
+| **Release designation** | Oslo |
+| | |
++--------------------------------------+--------------------------------------+
+| **Release date** | 2025/01/09 |
+| | |
++--------------------------------------+--------------------------------------+
+
+New features
+------------
+
+* Support the latest Database Operators:
+
+ * MariaDB-Operator (0.36.0)
+ * K8ssandra-Operator (v0.20.2)
+ * Postgres-Operator (CrunchyData) (5.7.2)
+ * MongoDB-Operator (Percona) (1.18.0)
+
+* authentication (15.0.0)
+
+ * support for REALM Client AuthorizationSettings
+ * update oauth2-proxy and keycloak-config-cli versions
+ * add support for latest keycloak version 26.x
+
+* Update the helm common templates (13.2.10) to:
+
+ * add SecurityContext settings for Production readiness
+
+* cassandra (13.1.1)
+
+ * support for new cassandra version (4.1.6)
+ * add SecurityContext settings for Production readiness
+
+* mariadb-galera (13.2.3)
+
+ * add SecurityContext settings for Production readiness
+
+* mariadb-init (13.0.2)
+
+ * add SecurityContext settings for Production readiness
+
+* mongodb (14.12.4)
+
+ * add SecurityContext settings for Production readiness
+
+* mongodb-init (13.0.2)
+
+ * new chart to support external mongodb initialization
+
+* postgres (13.1.0)
+
+ * add SecurityContext settings for Production readiness
+
+* postgres-init (13.0.3)
+
+ * add SecurityContext settings for Production readiness
+
+* readinessCheck (13.1.1)
+
+ * add SecurityContext settings for Production readiness
+
+* serviceAccount (13.0.2)
+
+ * adjust default role mapping
+
+**Bug fixes**
+
+A list of issues resolved in this release can be found here:
+https://lf-onap.atlassian.net/projects/OOM/versions/10783
+
+**Known Issues**
+
+
+Deliverables
+------------
+
+Software Deliverables
+~~~~~~~~~~~~~~~~~~~~~
+
+OOM provides `Helm charts <https://nexus3.onap.org/service/rest/repository/browse/onap-helm-release/>`_
+
+Documentation Deliverables
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- :ref:`Project Description <oom_project_description>` - a guide for developers
+ of OOM
+- :ref:`oom_dev_guide` - a guide for developers of OOM
+- :ref:`oom_infra_guide` - a guide for those setting up the environments that
+ OOM will use
+- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing
+ cloud
+- :ref:`oom_user_guide` - a guide for operators of an OOM instance
+- :ref:`oom_access_info_guide` - a guide for operators who require access to
+ OOM applications
+
+Known Limitations, Issues and Workarounds
+=========================================
+
+Known Vulnerabilities
+---------------------
+
+
+Workarounds
+-----------
+
+Security Notes
+--------------
+
+**Fixed Security Issues**
+
+References
+==========
+
+For more information on the ONAP Istanbul release, please see:
+
+#. `ONAP Home Page`_
+#. `ONAP Documentation`_
+#. `ONAP Release Downloads`_
+#. `ONAP Wiki Page`_
+
+
+.. _`ONAP Home Page`: https://www.onap.org
+.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki
+.. _`ONAP Documentation`: https://docs.onap.org
+.. _`ONAP Release Downloads`: https://git.onap.org
+.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/
Previous Release Notes
======================
+- :ref:`Oslo <release_notes_oslo>`
- :ref:`New Delhi <release_notes_newdelhi>`
- :ref:`Montreal <release_notes_montreal>`
- :ref:`London <release_notes_london>`
Abstract
========
-This document provides the release notes for the Oslo release.
+This document provides the release notes for the Paris release.
Summary
=======
-
-
Release Data
============
| **Docker images** | N/A |
| | |
+--------------------------------------+--------------------------------------+
-| **Release designation** | Oslo |
+| **Release designation** | Paris |
| | |
+--------------------------------------+--------------------------------------+
-| **Release date** | 2025/01/09 |
+| **Release date** | 2025/06/26 |
| | |
+--------------------------------------+--------------------------------------+
New features
------------
-* Support the latest Database Operators:
+* Tested on the latest K8S Infrastructure
- * MariaDB-Operator (0.36.0)
- * K8ssandra-Operator (v0.20.2)
- * Postgres-Operator (CrunchyData) (5.7.2)
- * MongoDB-Operator (Percona) (1.18.0)
+ * Kubernetes (v1.32.5)
+ * CertManager (1.17.2)
+ * Istio (v1.26.1)
+ * Keycloak (26.0.6)
-* authentication (15.0.0)
+* Support the latest Database Operators:
- * support for REALM Client AuthorizationSettings
- * update oauth2-proxy and keycloak-config-cli versions
- * add support for latest keycloak version 26.x
+ * MariaDB-Operator (0.38.1)
+ * K8ssandra-Operator (v1.23.2)
+ * Postgres-Operator (CrunchyData) (5.8.1)
+ * MongoDB-Operator (Percona) (1.19.1)
+ * Strimzi Kafka Operator (0.46.0)
-* Update the helm common templates (13.2.10) to:
+* Update the helm common templates (13.2.19) to:
- * add SecurityContext settings for Production readiness
+ * Make Jobs GitOps ready
+ * Fix security vulnerabilities
-* cassandra (13.1.1)
+* cassandra (16.0.0)
- * support for new cassandra version (4.1.6)
- * add SecurityContext settings for Production readiness
+ * Support for new cassandra version (4.1.8)
+ * Fix security vulnerabilities
-* mariadb-galera (13.2.3)
+* mariadb-galera (16.0.0)
- * add SecurityContext settings for Production readiness
+ * Support for new mariadb version (11.7.2)
+ * Fix security vulnerabilities
-* mariadb-init (13.0.2)
+* mariadb-init (16.0.0)
- * add SecurityContext settings for Production readiness
+ * Use ‘mariadb’ client instead of ‘mysql’
+ * Add Job Annotations
-* mongodb (14.12.4)
+* mongodb (16.5.7)
- * add SecurityContext settings for Production readiness
+ * Use the latest Bitnami charts
-* mongodb-init (13.0.2)
+* mongodb-init (13.0.6)
- * new chart to support external mongodb initialization
+ * Add Job Annotations
+ * Harmonize resource labeling
-* postgres (13.1.0)
+* nginx (18.3.5)
- * add SecurityContext settings for Production readiness
+ * New (Bitnami) Chart used for UUI
-* postgres-init (13.0.3)
+* postgres-init (13.0.6)
- * add SecurityContext settings for Production readiness
+ * Add Job Annotations
+ * Harmonize resource labeling
-* readinessCheck (13.1.1)
+* readinessCheck (13.1.4)
- * add SecurityContext settings for Production readiness
+ * Update to the latest image
+ * Harmonize resource labeling
-* serviceAccount (13.0.2)
+* timescaleDB (13.0.2)
- * adjust default role mapping
+ * Harmonize resource labeling
**Bug fixes**
A list of issues resolved in this release can be found here:
-https://lf-onap.atlassian.net/projects/OOM/versions/10783
+https://lf-onap.atlassian.net/projects/OOM/versions/10791
**Known Issues**
account: <account theme> - (optional) Keycloak Theme for Account UI (e.g. "base")
email: <email theme> - (optional) Keycloak Theme for Email UI (e.g. "base")
attributes: - (optional)
- frontendUrl: "<Keycloak URL>" - (optional) External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/")
+ frontendUrl: "<Keycloak URL>" - (optional) External Url for Keycloak access (e.g. "https://keycloak.simpledemo.onap.org")
```
### CLIENT definitions
additionalDefaultScopes:
- "onap_roles"
redirectUris:
- - "https://portal-$PARAM_BASE_URL/*"
+ - "https://portal.simpledemo.onap.org/*"
- "http://localhost/*"
webOrigins:
- - "https://argocd-$PARAM_BASE_URL"
+ - "https://argocd.simpledemo.onap.org"
defaultClientScopes: - (optional) definition of default client scopes
- "web-origins" - if used, has to contain the full scope list
- "profile"
- name: "gitlab"
displayName: "gitlab"
config:
- userInfoUrl: "https://gitlab.devops.telekom.de/oauth/userinfo"
+ userInfoUrl: "https://<gitlab-url>/oauth/userinfo"
validateSignature: "true"
- clientId: "ee4e0db734157e9cdad16733656ba285f2f813354aa7c590a8693e48ed156860"
- tokenUrl: "https://gitlab.devops.telekom.de/oauth/token"
- jwksUrl: "https://gitlab.devops.telekom.de/oauth/discovery/keys"
- issuer: "https://gitlab.devops.telekom.de"
+ clientId: "<client ID>"
+ tokenUrl: "https://<gitlab-url>/oauth/token"
+ jwksUrl: "https://<gitlab-url>/oauth/discovery/keys"
+ issuer: "https://<gitlab-url>"
useJwksUrl: "true"
- authorizationUrl: "https://gitlab.devops.telekom.de/oauth/authorize"
+ authorizationUrl: "https://<gitlab-url>/oauth/authorize"
clientAuthMethod: "client_secret_post"
syncMode: "IMPORT"
clientSecret: "gloas-35267790bf6fb7c4b507aea11db46d80174cb8ef4192e77424803b595eef735e"
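Review bot: The unchanged `clientSecret` line at the end of this hunk still carries a literal value, even though the same change replaces `clientId` and every GitLab URL with placeholders. The value has the shape of a GitLab OAuth application secret, so it should get the same treatment, e.g. `clientSecret: "<client secret>"`, or be supplied from a Kubernetes Secret rather than from the values or README text. Because both the old `clientId` and this secret remain readable in the repository history, the application credentials on the GitLab side should presumably be rotated as well; editing the file alone does not revoke them.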
initContainers:
waitForRedis:
#image:
- # repository: "dockerhub.devops.telekom.de/alpine"
+ # repository: "docker.io/alpine"
# tag: "3.20"
securityContext:
capabilities:
useKafkaForPatch: false
-persistence:
- enabled: true
- volumeReclaimPolicy: Retain
- accessMode: ReadWriteMany
- logsSize: 1Gi
- mountPath: /dockerdata-nfs
- mountSubPath: policy/opapdp
- storageClass: "cinder-os"
- enableDefaultStorageclass: false
- parameters: {}
- storageclassProvisioner: cinder-os
-
# default number of instances
replicaCount: 1
+#!/bin/sh
{{/*
#
# Copyright (C) 2022 Huawei Technologies Co., Ltd. All rights reserved.
+#!/bin/sh
{{/*
#
# Copyright (C) 2022 Huawei Technologies Co., Ltd. All rights reserved.