From 53fcc59206db28228f2e258fdcdd0ce893aa2e87 Mon Sep 17 00:00:00 2001 From: Seth Malaki Date: Wed, 20 May 2026 14:23:09 +0100 Subject: [PATCH 1/5] feat(gatewayapi): bump bundled Envoy Gateway helm chart to v1.8.0 [release-v1.42] Mirrors tigera/operator#4832 (master) onto release-v1.42 for the v3.23 GA. - Makefile: ENVOY_GATEWAY_VERSION v1.7.2 -> v1.8.0 - go.mod: github.com/envoyproxy/gateway v1.7.2 -> v1.8.0 - pkg/render/gatewayapi/gateway_api_resources.yaml: regenerated - pkg/render/gatewayapi/gateway_api.go: loader handles ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding shipped by v1.8 chart - gateway_api_test.go: expected resource lists updated --- Makefile | 2 +- go.mod | 62 +- go.sum | 208 +- pkg/render/gatewayapi/gateway_api.go | 22 +- .../gatewayapi/gateway_api_resources.yaml | 13019 +++++++++++----- pkg/render/gatewayapi/gateway_api_test.go | 8 +- 6 files changed, 9406 insertions(+), 3915 deletions(-)
diff --git a/Makefile b/Makefile
index d57fd765d5..1a679c4d4f 100644
--- a/Makefile
+++ b/Makefile
@@ -247,7 +247,7 @@ $(ISTIO_RESOURCES_DIR)/%.tgz:
 # To update the Envoy Gateway version, see "Updating the bundled version of
 # Envoy Gateway" in docs/common_tasks.md.
 ENVOY_GATEWAY_HELM_CHART ?= oci://docker.io/envoyproxy/gateway-helm
-ENVOY_GATEWAY_VERSION ?= v1.7.2
+ENVOY_GATEWAY_VERSION ?= v1.8.0
 ENVOY_GATEWAY_PREFIX ?= tigera-gateway-api
 ENVOY_GATEWAY_NAMESPACE ?= tigera-gateway
 ENVOY_GATEWAY_RESOURCES = pkg/render/gatewayapi/gateway_api_resources.yaml
diff --git a/go.mod b/go.mod
index 547ac17387..6682f3808f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,20 +1,20 @@
 module github.com/tigera/operator
-go 1.25.10
+go 1.26.3
 require (
 github.com/Masterminds/semver/v3 v3.4.0
- github.com/aws/aws-sdk-go-v2 v1.41.4
+ github.com/aws/aws-sdk-go-v2 v1.41.5
 github.com/aws/aws-sdk-go-v2/config v1.32.12
- github.com/aws/aws-sdk-go-v2/credentials v1.19.12
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20
+ github.com/aws/aws-sdk-go-v2/credentials v1.19.14
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.1
 github.com/blang/semver/v4 v4.0.0
 github.com/cloudflare/cfssl v1.6.5
 github.com/containernetworking/cni v1.2.3
 github.com/corazawaf/coraza-coreruleset/v4 v4.23.0
 github.com/elastic/cloud-on-k8s/v2 v2.0.0-20250129010100-648f902d9807
- github.com/envoyproxy/gateway v1.7.2
+ github.com/envoyproxy/gateway v1.8.0
 github.com/go-ldap/ldap v3.0.3+incompatible
 github.com/go-logr/logr v1.4.3
 github.com/google/go-cmp v0.7.0
@@ -36,7 +36,7 @@ require (
 github.com/tigera/api v0.0.0-20260310182635-546021df243c
 github.com/tigera/operator/api v0.0.0-20260120220012-4a3f8a7d8399
 github.com/urfave/cli/v3 v3.6.2
- go.uber.org/zap v1.27.1
+ go.uber.org/zap v1.28.0
 golang.org/x/crypto v0.51.0
 golang.org/x/net v0.54.0
 gopkg.in/inf.v0 v0.9.1
@@ -49,9 +49,9 @@ require (
 k8s.io/apiserver v0.35.4
 k8s.io/client-go v0.35.4
 k8s.io/kube-aggregator v0.35.4
- k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
- sigs.k8s.io/controller-runtime v0.23.1
- sigs.k8s.io/gateway-api v1.4.1
+ k8s.io/utils v0.0.0-20260108192941-914a6e750570
+ sigs.k8s.io/controller-runtime v0.23.3
+ sigs.k8s.io/gateway-api v1.5.1
 sigs.k8s.io/kind v0.31.0 // Do not remove, not used by code but used by build
 sigs.k8s.io/secrets-store-csi-driver v1.5.5
 sigs.k8s.io/yaml v1.6.0
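Review bot: The `-go 1.25.10` / `+go 1.26.3` toolchain directive change at the top of this hunk is not mentioned in the commit message, which lists only the Envoy Gateway chart bump and its direct consequences; on a release branch a higher `go` directive raises the minimum toolchain for every consumer and CI image of release-v1.42, so it deserves a sentence of its own in the description, or should be split out if `github.com/envoyproxy/gateway v1.8.0` does not actually require it. The third hunk on this line also moves `sigs.k8s.io/gateway-api v1.4.1 -> v1.5.1` and `sigs.k8s.io/controller-runtime v0.23.1 -> v0.23.3`, which the description does not list either. I'd presume these are transitive requirements pulled in by the chart bump, but that is worth confirming against the master change this mirrors so the backport's dependency set matches and the regenerated go.sum is reproducible from it.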
@@ -69,15 +69,15 @@ require (
 github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
 github.com/armon/go-radix v1.0.0 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 // indirect
- github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
- github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
+ github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 // indirect
 github.com/aws/smithy-go v1.24.2 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
@@ -87,12 +87,12 @@ require (
 github.com/containerd/errdefs v1.0.0 // indirect
 github.com/containerd/log v0.1.0 // indirect
 github.com/containerd/platforms v0.2.1 // indirect
- github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
+ github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
 github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
- github.com/docker/cli v29.2.0+incompatible // indirect
+ github.com/docker/cli v29.4.1+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
- github.com/docker/docker-credential-helpers v0.9.4 // indirect
+ github.com/docker/docker-credential-helpers v0.9.5 // indirect
 github.com/elastic/go-sysinfo v1.13.1 // indirect
 github.com/elastic/go-ucfg v0.8.8 // indirect
 github.com/elastic/go-windows v1.0.1 // indirect
@@ -100,16 +100,16 @@ require (
 github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
- github.com/fatih/color v1.18.0 // indirect
+ github.com/fatih/color v1.19.0 // indirect
 github.com/fsnotify/fsnotify v1.9.0 // indirect
 github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 github.com/go-errors/errors v1.4.2 // indirect
 github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 github.com/go-logr/zapr v1.3.0 // indirect
- github.com/go-openapi/jsonpointer v0.22.4 // indirect
- github.com/go-openapi/jsonreference v0.21.4 // indirect
+ github.com/go-openapi/jsonpointer v0.22.5 // indirect
+ github.com/go-openapi/jsonreference v0.21.5 // indirect
 github.com/go-openapi/swag v0.23.1 // indirect
- github.com/go-openapi/swag/jsonname v0.25.4 // indirect
+ github.com/go-openapi/swag/jsonname v0.25.5 // indirect
 github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 github.com/gobwas/glob v0.2.3 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
@@ -130,15 +130,15 @@ require (
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
- github.com/klauspost/compress v1.18.3 // indirect
+ github.com/klauspost/compress v1.18.5 // indirect
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 github.com/lib/pq v1.10.9 // indirect
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 github.com/magefile/mage v1.15.0 // indirect
- github.com/mailru/easyjson v0.9.0 // indirect
+ github.com/mailru/easyjson v0.9.1 // indirect
 github.com/mattn/go-colorable v0.1.14 // indirect
- github.com/mattn/go-isatty v0.0.20 // indirect
+ github.com/mattn/go-isatty v0.0.21 // indirect
 github.com/mattn/go-runewidth v0.0.16 // indirect
 github.com/mitchellh/copystructure v1.2.0 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -157,7 +157,7 @@ require (
 github.com/prometheus/client_golang v1.23.2 // indirect
 github.com/prometheus/client_model v0.6.2 // indirect
 github.com/prometheus/common v0.67.5 // indirect
- github.com/prometheus/procfs v0.19.2 // indirect
+ github.com/prometheus/procfs v0.20.1 // indirect
 github.com/rivo/uniseg v0.4.7 // indirect
 github.com/rubenv/sql-migrate v1.8.1 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -175,7 +175,7 @@ require (
 go.elastic.co/apm/v2 v2.6.2 // indirect
 go.elastic.co/fastjson v1.3.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
- go.yaml.in/yaml/v2 v2.4.3 // indirect
+ go.yaml.in/yaml/v2 v2.4.4 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
 golang.org/x/mod v0.35.0 // indirect
 golang.org/x/oauth2 v0.36.0 // indirect
@@ -187,7 +187,7 @@ require (
 golang.org/x/tools v0.44.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
 google.golang.org/grpc v1.80.0 // indirect
 google.golang.org/protobuf v1.36.11 // indirect
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
@@ -196,7 +196,7 @@ require (
 howett.net/plist v1.0.1 // indirect
 k8s.io/cli-runtime v0.35.4 // indirect
 k8s.io/component-base v0.35.4 // indirect
- k8s.io/klog/v2 v2.130.1 // indirect
+ k8s.io/klog/v2 v2.140.0 // indirect
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 k8s.io/kubectl v0.35.4 // indirect
 oras.land/oras-go/v2 v2.6.0 // indirect
@@ -204,7 +204,7 @@ require (
 sigs.k8s.io/kustomize/api v0.20.1 // indirect
 sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
 sigs.k8s.io/randfill v1.0.0 // indirect
- sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect
+ sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
 )
 replace (
diff --git a/go.sum b/go.sum
index 2dea4df4b1..dc9b36eda2 100644
--- a/go.sum
+++ b/go.sum
@@ -2,10 +2,11 @@ al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXy al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890= dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= -filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= -github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= -github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= +filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo= +filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk= 
@@ -30,34 +31,34 @@ github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go-v2 v1.41.4 h1:10f50G7WyU02T56ox1wWXq+zTX9I1zxG46HYuG1hH/k= -github.com/aws/aws-sdk-go-v2 v1.41.4/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o= +github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV/yY= +github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o= github.com/aws/aws-sdk-go-v2/config v1.32.12 h1:O3csC7HUGn2895eNrLytOJQdoL2xyJy0iYXhoZ1OmP0= github.com/aws/aws-sdk-go-v2/config v1.32.12/go.mod h1:96zTvoOFR4FURjI+/5wY1vc1ABceROO4lWgWJuxgy0g= -github.com/aws/aws-sdk-go-v2/credentials v1.19.12 h1:oqtA6v+y5fZg//tcTWahyN9PEn5eDU/Wpvc2+kJ4aY8= -github.com/aws/aws-sdk-go-v2/credentials v1.19.12/go.mod h1:U3R1RtSHx6NB0DvEQFGyf/0sbrpJrluENHdPy1j/3TE= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 h1:zOgq3uezl5nznfoK3ODuqbhVg1JzAGDUhXOsU0IDCAo= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20/go.mod h1:z/MVwUARehy6GAg/yQ1GO2IMl0k++cu1ohP9zo887wE= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 h1:CNXO7mvgThFGqOFgbNAP2nol2qAWBOGfqR/7tQlvLmc= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20/go.mod h1:oydPDJKcfMhgfcgBUZaG+toBbwy8yPWubJXBVERtI4o= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 h1:tN6W/hg+pkM+tf9XDkWUbDEjGLb+raoBMFsTodcoYKw= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20/go.mod h1:YJ898MhD067hSHA6xYCx5ts/jEd8BSOLtQDL3iZsvbc= +github.com/aws/aws-sdk-go-v2/credentials v1.19.14 h1:n+UcGWAIZHkXzYt87uMFBv/l8THYELoX6gVcUvgl6fI= +github.com/aws/aws-sdk-go-v2/credentials 
v1.19.14/go.mod h1:cJKuyWB59Mqi0jM3nFYQRmnHVQIcgoxjEMAbLkpr62w= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 h1:NUS3K4BTDArQqNu2ih7yeDLaS3bmHD0YndtA6UP884g= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21/go.mod h1:YWNWJQNjKigKY1RHVJCuupeWDrrHjRqHm0N9rdrWzYI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21/go.mod h1:p+hz+PRAYlY3zcpJhPwXlLC4C+kqn70WIHwnzAfs6ps= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY= github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.1 h1:c2BbWVkQ0hVqls6SruYCRxfN5W46qvL+hIg7VLhXpg8= github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.1/go.mod h1:T6ndRfdhnXLIY5oKBHjYZDVj706los2zGdpThppquvA= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+YqgGotK6EkMf+KIEqTISmTYh5zLpYyeTo1Y= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk= -github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow= -github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE= -github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o= -github.com/aws/aws-sdk-go-v2/service/sso v1.30.13/go.mod 
h1:2h/xGEowcW/g38g06g3KpRWDlT+OTfxxI0o1KqayAB8= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 h1:jzKAXIlhZhJbnYwHbvUQZEB8KfgAEuG0dc08Bkda7NU= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17/go.mod h1:Al9fFsXjv4KfbzQHGe6V4NZSZQXecFcvaIF4e70FoRA= -github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 h1:Cng+OOwCHmFljXIxpEVXAGMnBia8MSU6Ch5i9PgBkcU= -github.com/aws/aws-sdk-go-v2/service/sts v1.41.9/go.mod h1:LrlIndBDdjA/EeXeyNBle+gyCwTlizzW5ycgWnvIxkk= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 h1:c31//R3xgIJMSC8S6hEVq+38DcvUlgFY0FM6mSI5oto= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21/go.mod h1:r6+pf23ouCB718FUxaqzZdbpYFyDtehyZcmP5KL9FkA= +github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1KxLgHBKKY/CLqwP8lg= +github.com/aws/aws-sdk-go-v2/service/signin v1.0.9/go.mod h1:7yuQJoT+OoH8aqIxw9vwF+8KpvLZ8AWmvmUWHsGQZvI= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 h1:lFd1+ZSEYJZYvv9d6kXzhkZu07si3f+GQ1AaYwa2LUM= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.15/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 h1:dzztQ1YmfPrxdrOiuZRMF6fuOwWlWpD2StNLTceKpys= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19/go.mod h1:YO8TrYtFdl5w/4vmjL8zaBSsiNp3w0L1FfKVKenZT7w= +github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 h1:p8ogvvLugcR/zLBXTXrTkj0RYBUdErbMnAFFp12Lm/U= +github.com/aws/aws-sdk-go-v2/service/sts v1.41.10/go.mod h1:60dv0eZJfeVXfbT1tFJinbHrDfSJ2GZl4Q//OSSNAVw= github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng= github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -90,8 +91,8 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= -github.com/containerd/stargz-snapshotter/estargz v0.18.1 h1:cy2/lpgBXDA3cDKSyEfNOFMA/c10O1axL69EU7iirO8= -github.com/containerd/stargz-snapshotter/estargz v0.18.1/go.mod h1:ALIEqa7B6oVDsrF37GkGN20SuvG/pIMm7FwP7ZmRb0Q= +github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz2iQ4MrckBxJjkmD16ynUTrw= +github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY= github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8FuJbEslXM= github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M= github.com/corazawaf/coraza-coreruleset/v4 v4.23.0 h1:e7f2tRhOBFN8YtL72wqy2cMPS6o64XyMgS81dRbw2/c= 
@@ -109,20 +110,20 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= -github.com/distribution/distribution/v3 v3.0.0 h1:q4R8wemdRQDClzoNNStftB2ZAfqOiN6UX90KJc4HjyM= -github.com/distribution/distribution/v3 v3.0.0/go.mod h1:tRNuFoZsUdyRVegq8xGNeds4KLjwLCRin/tTo6i1DhU= +github.com/distribution/distribution/v3 v3.1.0 h1:u1v788HreKTLGdNY6s7px8Exgrs9mZ9UrCDjSrpCM8g= +github.com/distribution/distribution/v3 v3.1.0/go.mod h1:73BuF5/ziMHNVt7nnL1roYpH4Eg/FgUlKZm3WryIx/o= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= -github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM= -github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v29.4.1+incompatible h1:02RT8QqqwtGRn+6SYypv8IUEbD/ltY6sfKCJIoUcGzk= +github.com/docker/cli v29.4.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM= -github.com/docker/docker v28.5.1+incompatible/go.mod 
h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.9.4 h1:76ItO69/AP/V4yT9V4uuuItG0B1N8hvt0T0c0NN/DzI= -github.com/docker/docker-credential-helpers v0.9.4/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c= +github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= +github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY= +github.com/docker/docker-credential-helpers v0.9.5/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c= github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94= github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= 
@@ -141,16 +142,16 @@ github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUt github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss= github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/gateway v1.7.2 h1:mIC52fBLZKO8ahwwh5hNbpWP++HLC7I7RO+6n6JcJbI= -github.com/envoyproxy/gateway v1.7.2/go.mod h1:EiXhtwv0xkFE17KDXmchFF60jg0y9H9Ou3V7pIIzyUc= +github.com/envoyproxy/gateway v1.8.0 h1:pn5TYSteO1zZjUMPVXGY7ayFDhZAZZWAQ+yDgVzj78o= +github.com/envoyproxy/gateway v1.8.0/go.mod h1:W5S+pcTL0tUgGap4/QcvQKpypgZzL42t3c2/QGCMFAA= github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8= github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= -github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= -github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= +github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w= +github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= 
@@ -181,16 +182,16 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= -github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4= -github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80= -github.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8= -github.com/go-openapi/jsonreference v0.21.4/go.mod h1:rIENPTjDbLpzQmQWCj5kKj3ZlmEh+EFVbz3RTUh30/4= +github.com/go-openapi/jsonpointer v0.22.5 h1:8on/0Yp4uTb9f4XvTrM2+1CPrV05QPZXu+rvu2o9jcA= +github.com/go-openapi/jsonpointer v0.22.5/go.mod h1:gyUR3sCvGSWchA2sUBJGluYMbe1zazrYWIkWPjjMUY0= +github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE= +github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw= github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU= github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0= -github.com/go-openapi/swag/jsonname v0.25.4 h1:bZH0+MsS03MbnwBXYhuTttMOqk+5KcQ9869Vye1bNHI= -github.com/go-openapi/swag/jsonname v0.25.4/go.mod h1:GPVEk9CWVhNvWhZgrnvRA6utbAltopbKwDu8mXNUMag= -github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls= -github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54= +github.com/go-openapi/swag/jsonname v0.25.5 h1:8p150i44rv/Drip4vWI3kGi9+4W9TdI3US3uUYSFhSo= +github.com/go-openapi/swag/jsonname v0.25.5/go.mod h1:jNqqikyiAK56uS7n8sLkdaNY/uq6+D2m2LANat09pKU= +github.com/go-openapi/testify/v2 v2.4.0 h1:8nsPrHVCWkQ4p8h1EsRVymA2XABB4OT40gcvAu+voFM= +github.com/go-openapi/testify/v2 v2.4.0/go.mod 
h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo= github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU= @@ -237,8 +238,8 @@ github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -272,8 +273,8 @@ github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.7 h1:z github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.7/go.mod h1:CM7HAH5PNuIsqjMN0fGc1ydM74Uj+0VZFhob620nklw= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.18.3 h1:9PJRvfbmTabkOX8moIpXPbMMbYN60bWImDDU7L+/6zw= -github.com/klauspost/compress v1.18.3/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4= +github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE= +github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -292,14 +293,14 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhn github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg= github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= -github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= -github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8= +github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= -github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= -github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs= +github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4= github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= 
@@ -369,8 +370,8 @@ github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTU github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw= github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos= github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM= -github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws= -github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw= +github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc= +github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo= github.com/r3labs/diff/v2 v2.15.1 h1:EOrVqPUzi+njlumoqJwiS/TgGgmZo83619FNDB9xQUg= github.com/r3labs/diff/v2 v2.15.1/go.mod h1:I8noH9Fc2fjSaMxqF3G2lhDdC0b+JXCfyx85tWFM9kc= github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho= 
@@ -456,54 +457,54 @@ go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGh go.opentelemetry.io/contrib/bridges/prometheus v0.57.0/go.mod h1:ppciCHRLsyCio54qbzQv0E4Jyth/fLWDTJYfvWpcSVk= go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4= go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= -go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c= -go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg= +go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I= +go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0/go.mod h1:5KXybFvPGds3QinJWQT7pmXf+TN5YIa7CNYObWRkj50= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 h1:cEf8jF6WbuGQWUVcqgyWtTR0kOOAWY1DYZ+UhvdmQPw= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0/go.mod h1:k1lzV5n5U3HkGvTCJHraTAGJ7MqsgL1wrGwTj1Isfiw= 
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0 h1:nKP4Z2ejtHn3yShBb+2KawiXgpn8In5cT7aO2wXuOTE= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0/go.mod h1:NwjeBbNigsO4Aj9WgM0C+cKIrxsZUaRmZUO7A8I7u8o= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0= -go.opentelemetry.io/otel/exporters/prometheus v0.61.0 h1:cCyZS4dr67d30uDyh8etKM2QyDsQ4zC9ds3bdbrVoD0= -go.opentelemetry.io/otel/exporters/prometheus v0.61.0/go.mod h1:iivMuj3xpR2DkUrUya3TPS/Z9h3dz7h01GxU+fQBRNg= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0 h1:8UQVDcZxOJLtX6gxtDt3vY2WTgvZqMQRzjsqiIHQdkc= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0/go.mod h1:2lmweYCiHYpEjQ/lSJBYhj9jP1zvCvQW4BqL9dnT7FQ= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 h1:w1K+pCJoPpQifuVpsKamUdn9U0zM3xUziVOqsGksUrY= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0/go.mod h1:HBy4BjzgVE8139ieRI75oXm3EcDN+6GhD88JT1Kjvxg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 
h1:RAE+JPfvEmvy+0LzyUA25/SGawPwIUbZ6u0Wug54sLc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0/go.mod h1:AGmbycVGEsRx9mXMZ75CsOyhSP6MFIcj/6dnG+vhVjk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 h1:3iZJKlCZufyRzPzlQhUIWVmfltrXuGyfjREgGP3UUjc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0/go.mod h1:/G+nUPfhq2e+qiXMGxMwumDrP5jtzU+mWN7/sjT2rak= +go.opentelemetry.io/otel/exporters/prometheus v0.65.0 h1:jOveH/b4lU9HT7y+Gfamf18BqlOuz2PWEvs8yM7Q6XE= +go.opentelemetry.io/otel/exporters/prometheus v0.65.0/go.mod h1:i1P8pcumauPtUI4YNopea1dhzEMuEqWP1xoUZDylLHo= go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 h1:CHXNXwfKWfzS65yrlB2PVds1IBZcdsX8Vepy9of0iRU= go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0/go.mod h1:zKU4zUgKiaRxrdovSS2amdM5gOc59slmo/zJwGX+YBg= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0 h1:5gn2urDL/FBnK8OkCfD1j3/ER79rUuTYmCvlXBKeYL8= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0/go.mod h1:0fBG6ZJxhqByfFZDwSwpZGzJU671HkwpWaNe2t4VUPI= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0 h1:TC+BewnDpeiAmcscXbGMfxkO+mwYUwE/VySwvw88PfA= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0/go.mod h1:J/ZyF4vfPwsSr9xJSPyQ4LqtcTPULFR64KwTikGLe+A= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s= go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk= go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8= -go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ= -go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps= -go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= 
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= +go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM= +go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY= +go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg= +go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg= go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs= go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo= -go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= -go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= -go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0= -go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis= -go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= -go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= +go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw= +go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A= +go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A= +go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0= +go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g= +go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc= -go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= -go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +go.uber.org/zap v1.28.0 h1:IZzaP1Fv73/T/pBMLk4VutPl36uNC+OSUh3JLG3FIjo= +go.uber.org/zap v1.28.0/go.mod h1:rDLpOi171uODNm/mxFcuYWxDsqWSAVkFdX4XojSKg/Q= +go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ= +go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= @@ -512,8 +513,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI= golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8= -golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4= -golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc= +golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM= +golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM= 
@@ -541,7 +542,6 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ= golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 
@@ -570,10 +570,10 @@ google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 h1:1hfbdAfFbkmpg41000wDVqr7jUpK/Yo+LPnIxxGzmkg= -google.golang.org/genproto/googleapis/api v0.0.0-20260120221211-b8f7ae30c516 h1:vmC/ws+pLzWjj/gzApyoZuSVrDtF1aod4u/+bbj8hgM= -google.golang.org/genproto/googleapis/api v0.0.0-20260120221211-b8f7ae30c516/go.mod h1:p3MLuOwURrGBRoEyFHBT3GjUwaCQVKeNqqWxlcISGdw= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 h1:sNrWoksmOyF5bvJUcnmbeAmQi8baNhqg5IWaI3llQqU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= 
@@ -619,22 +619,22 @@ k8s.io/client-go v0.35.4 h1:DN6fyaGuzK64UvnKO5fOA6ymSjvfGAnCAHAR0C66kD8= k8s.io/client-go v0.35.4/go.mod h1:2Pg9WpsS4NeOpoYTfHHfMxBG8zFMSAUi4O/qoiJC3nY= k8s.io/component-base v0.35.4 h1:6n1tNJ87johN0Hif0Fs8K2GMthsaUwMqCebUDLYyv7U= k8s.io/component-base v0.35.4/go.mod h1:qaDJgz5c1KYKla9occFmlJEfPpkuA55s90G509R+PeY= -k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= -k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc= +k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0= k8s.io/kube-aggregator v0.35.4 h1:6eR50WHwqSYJQTR6QxEG5fRW2vBA6Yoqzp72hw76koE= k8s.io/kube-aggregator v0.35.4/go.mod h1:13mmXpCW9sReIQR8yLvApbKphZfoGnK39UJ8u1opT9g= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= k8s.io/kubectl v0.35.4 h1:IHitney6OUeH29rBQnt6Cas6az8HpFeSAohormITNMc= k8s.io/kubectl v0.35.4/go.mod h1:CGWAaof9ae4vGDAyhnSf1bSQN/U7jiWQHLVbMbLMjRI= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY= +k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= -sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE= -sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= -sigs.k8s.io/gateway-api v1.4.1 h1:NPxFutNkKNa8UfLd2CMlEuhIPMQgDQ6DXNKG9sHbJU8= 
-sigs.k8s.io/gateway-api v1.4.1/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= +sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80= +sigs.k8s.io/controller-runtime v0.23.3/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= +sigs.k8s.io/gateway-api v1.5.1 h1:RqVRIlkhLhUO8wOHKTLnTJA6o/1un4po4/6M1nRzdd0= +sigs.k8s.io/gateway-api v1.5.1/go.mod h1:GvCETiaMAlLym5CovLxGjS0NysqFk3+Yuq3/rh6QL2o= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kind v0.31.0 h1:UcT4nzm+YM7YEbqiAKECk+b6dsvc/HRZZu9U0FolL1g= @@ -647,7 +647,7 @@ sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/secrets-store-csi-driver v1.5.5 h1:LJDpDL5TILhlP68nGvtGSlJFxSDgAD2m148NT0Ts7os= sigs.k8s.io/secrets-store-csi-driver v1.5.5/go.mod h1:i2WqLicYH00hrTG3JAzICPMF4HL4KMEORlDt9UQoZLk= -sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 h1:2WOzJpHUBVrrkDjU4KBT8n5LDcj824eX0I5UKcgeRUs= -sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/pkg/render/gatewayapi/gateway_api.go b/pkg/render/gatewayapi/gateway_api.go index 973a2fd521..fda83fcea3 100644 --- a/pkg/render/gatewayapi/gateway_api.go +++ b/pkg/render/gatewayapi/gateway_api.go 
@@ -80,7 +80,9 @@ type gatewayAPIResources struct {
 certgenRole *rbacv1.Role
 certgenRoleBinding *rbacv1.RoleBinding
 certgenJob *batchv1.Job
- mutatingWebhookConfigurations []*admissionregv1.MutatingWebhookConfiguration
+ mutatingWebhookConfigurations []*admissionregv1.MutatingWebhookConfiguration
+ validatingAdmissionPolicies []*admissionregv1.ValidatingAdmissionPolicy
+ validatingAdmissionPolicyBindings []*admissionregv1.ValidatingAdmissionPolicyBinding
 }
 const (
@@ -285,6 +287,18 @@ func GatewayAPIResourcesGetter() func() *gatewayAPIResources {
 panic(fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err))
 }
 resources.mutatingWebhookConfigurations = append(resources.mutatingWebhookConfigurations, obj)
+ case "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy":
+ obj := &admissionregv1.ValidatingAdmissionPolicy{}
+ if err := yaml.Unmarshal([]byte(yml), obj); err != nil {
+ panic(fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err))
+ }
+ resources.validatingAdmissionPolicies = append(resources.validatingAdmissionPolicies, obj)
+ case "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicyBinding":
+ obj := &admissionregv1.ValidatingAdmissionPolicyBinding{}
+ if err := yaml.Unmarshal([]byte(yml), obj); err != nil {
+ panic(fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err))
+ }
+ resources.validatingAdmissionPolicyBindings = append(resources.validatingAdmissionPolicyBindings, obj)
 case "/":
 // No-op. We see this when there is only a comment between
 // two "---" delimiters.
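Review bot: Nothing here checks what the decoded bindings bind to, and Objects() later emits every policy and binding found in the vendored YAML; a ValidatingAdmissionPolicyBinding whose `matchResources` carries no namespace selector is a cluster-wide admission rule that will act on workloads unrelated to the gateway, not just on `tigera-gateway`. The regenerated resources file is not visible in this hunk, so whether the v1.8 chart scopes its bindings by namespace and which `validationActions` they use should be confirmed, and the answer is worth pinning in gateway_api_test.go by asserting each binding's `Spec.MatchResources.NamespaceSelector` and `Spec.ValidationActions` rather than only the expected kind list. If the operator should never install an unscoped binding, the loader can refuse it up front with `panic(fmt.Sprintf("%v %q has no namespace restriction", kindStr, obj.Name))` next to the existing unmarshal panic. As a style point, the two new cases repeat the unmarshal-and-panic shape for the third and fourth time; a small generic `mustUnmarshal[T any](kindStr, yml string) *T` would shrink the switch. GatewayAPIResourcesGetter starts and ends outside the hunk.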
@@ -513,6 +527,12 @@ func (pr *gatewayAPIImplementationComponent) Objects() ([]client.Object, []clien
 for _, mwc := range resources.mutatingWebhookConfigurations {
 objs = append(objs, mwc.DeepCopyObject().(client.Object))
 }
+ for _, vap := range resources.validatingAdmissionPolicies {
+ objs = append(objs, vap.DeepCopyObject().(client.Object))
+ }
+ for _, vapb := range resources.validatingAdmissionPolicyBindings {
+ objs = append(objs, vapb.DeepCopyObject().(client.Object))
+ }
 for _, resource := range []client.Object{
 resources.role,
 resources.roleBinding,
diff --git a/pkg/render/gatewayapi/gateway_api_resources.yaml b/pkg/render/gatewayapi/gateway_api_resources.yaml
index a17af092ac..31a1bc5041 100644
--- a/pkg/render/gatewayapi/gateway_api_resources.yaml
+++ b/pkg/render/gatewayapi/gateway_api_resources.yaml
@@ -4,8 +4,8 @@ kind: Namespace metadata: name: tigera-gateway --- -# Source: crds/gatewayapi-crds.yaml -# Copyright 2025 The Kubernetes Authors. +# Source: gateway-helm/charts/crds/crds/gatewayapi-crds.yaml +# Copyright The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License.
@@ -30,8 +30,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct
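Review bot: The two new loops hand ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding objects to the same create path as the webhook configurations, but the diffstat shows no RBAC manifest change and nothing here gates on the API being served: admissionregistration.k8s.io/v1 serves these kinds only on Kubernetes 1.30 and later, so on an older cluster this release still supports the whole gateway component would fail to reconcile with a "no matches for kind" error, and on any cluster the operator's ClusterRole needs create/update/patch/delete on `validatingadmissionpolicies` and `validatingadmissionpolicybindings` unless it already holds a wildcard on that API group (not visible from this hunk). If the operator cannot assume 1.30+, skip the two loops behind a discovery check for the kind and log it, the way optional APIs are usually handled, instead of returning them unconditionally. Both kinds are cluster-scoped, so if the component has a disabled/cleanup path that enumerates what to remove when Gateway API support is turned off, these two need adding there as well or they will outlive the install. Objects() starts and ends outside the hunk.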
@@ -106,8 +106,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -128,9 +126,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to 
@@ -142,9 +140,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: - Support: Implementation-specific for any other resource + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -383,8 +400,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of 
@@ -394,9 +411,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certificates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -775,8 +800,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -797,9 +820,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to 
@@ -811,9 +834,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. - Support: Implementation-specific for any other resource + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -1052,8 +1094,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of 
@@ -1063,9 +1105,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certificates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -1402,8 +1452,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1921,8 +1971,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: 
@@ -2057,14 +2107,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -2077,7 +2127,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -2626,7 +2676,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -2837,6 +2887,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' 
@@ -2866,19 +2919,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" 
@@ -2945,27 +3009,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. 
In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. 
@@ -3088,27 +3174,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. 
In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. 
@@ -3282,6 +3390,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -3386,8 +3508,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. 
@@ -3466,7 +3591,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -3500,7 +3625,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -3634,14 +3758,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -3654,7 +3778,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -4203,7 +4327,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. 
@@ -4414,6 +4538,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' 
@@ -4443,19 +4570,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" 
@@ -4522,27 +4660,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. 
In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. 
@@ -4665,27 +4825,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. 
In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. 
@@ -4859,6 +5041,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -4963,8 +5159,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. 
@@ -5043,7 +5242,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -5077,7 +5276,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -5106,8 +5304,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: 
@@ -5649,293 +5847,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. 
- maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. + Value is the value of HTTP Header to be matched. - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -6007,10 +5926,305 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. 
+ + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. 
+ Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. 
It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -6301,10 +6515,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6375,10 +6593,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6582,10 +6804,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6656,10 +6882,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -6810,8 +7040,8 @@ spec: - method: type: Exact service: "foo" - headers: - - name: "version" + - headers: + name: "version" value "v1" ``` @@ -6998,7 +7228,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -7014,6 +7244,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' type: object maxItems: 16 type: array @@ -7105,7 +7337,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -7355,8 +7587,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -7836,7 +8068,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -7855,18 +8087,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -7890,6 +8125,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -7898,7 +8137,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -7918,18 +8157,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -7996,10 +8238,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -8011,12 +8262,12 @@ spec: description: |- The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The CORSOrigin MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. maxLength: 253 minLength: 1 - pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array @@ -8047,14 +8298,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -8090,6 +8345,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -8268,6 +8526,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8306,6 +8565,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8317,6 +8577,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: 
@@ -8421,446 +8682,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. 
- maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. - - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. 
- - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. - - If no port is specified, the redirect port MUST be derived using the - following rules: - - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. - * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. - - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: - - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. 
- - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. - - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. 
(See https://tools.ietf.org/html/rfc7230#section-3.2). + Value is the value of HTTP Header to be matched. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -8932,10 +8761,461 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. 
+ + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. 
+ Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. 
+ When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. 
+ + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. 
+ + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. 
(See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9079,6 +9359,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -9122,11 +9407,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' 
@@ -9141,6 +9421,8 @@ spec: or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 - message: RequestHeaderModifier filter cannot be repeated rule: self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1 @@ -9316,7 +9598,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -9335,18 +9617,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -9370,6 +9655,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -9378,7 +9667,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -9398,18 +9687,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -9476,10 +9768,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -9491,12 +9792,12 @@ spec: description: |- The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The CORSOrigin MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. maxLength: 253 minLength: 1 - pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array @@ -9527,14 +9828,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -9570,6 +9875,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -9748,6 +10056,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9786,6 +10095,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -9797,6 +10107,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9898,10 +10209,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9972,10 +10287,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10286,6 +10605,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
@@ -10332,10 +10654,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10406,10 +10732,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10553,6 +10883,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -10593,11 +10928,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' 
@@ -10612,6 +10942,8 @@ spec: or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 - message: RequestHeaderModifier filter cannot be repeated rule: self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1 @@ -10743,10 +11075,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10955,7 +11291,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -10998,7 +11334,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -11089,7 +11425,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type 
@@ -11105,6 +11441,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -11209,6 +11547,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -11292,7 +11631,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -11994,7 +12333,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -12013,18 +12352,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -12048,6 +12390,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -12056,7 +12402,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -12076,18 +12422,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -12154,10 +12503,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -12169,12 +12527,12 @@ spec: description: |- The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The CORSOrigin MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. maxLength: 253 minLength: 1 - pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array @@ -12205,14 +12563,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -12248,6 +12610,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -12426,6 +12791,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12464,6 +12830,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12475,6 +12842,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: 
@@ -12579,446 +12947,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. 
- maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. - - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. 
- - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. - - If no port is specified, the redirect port MUST be derived using the - following rules: - - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. - * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. - - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: - - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. 
- - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. - - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. 
(See https://tools.ietf.org/html/rfc7230#section-3.2). + Value is the value of HTTP Header to be matched. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -13090,10 +13026,461 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. 
+ + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. 
+ Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. 
+ When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. 
+ + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. 
+ + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. 
(See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13237,6 +13624,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -13280,11 +13672,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' 
@@ -13299,6 +13686,8 @@ spec: or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 - message: RequestHeaderModifier filter cannot be repeated rule: self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1 @@ -13474,7 +13863,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -13493,18 +13882,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -13528,6 +13920,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -13536,7 +13932,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -13556,18 +13952,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -13634,10 +14033,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -13649,12 +14057,12 @@ spec: description: |- The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The CORSOrigin MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. maxLength: 253 minLength: 1 - pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array @@ -13685,14 +14093,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -13728,6 +14140,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -13906,6 +14321,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13944,6 +14360,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -13955,6 +14372,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14056,10 +14474,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14130,10 +14552,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14444,6 +14870,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
@@ -14490,10 +14919,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14564,10 +14997,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14711,6 +15148,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -14751,11 +15193,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' 
@@ -14770,6 +15207,8 @@ spec: or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 - message: RequestHeaderModifier filter cannot be repeated rule: self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1 @@ -14901,10 +15340,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15113,7 +15556,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -15156,7 +15599,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -15247,7 +15690,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type 
@@ -15263,6 +15706,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -15367,6 +15812,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -15450,7 +15896,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -15694,53 +16140,71 @@ status: storedVersions: null --- # -# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental - name: referencegrants.gateway.networking.k8s.io + name: listenersets.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets shortNames: - - refgrant - singular: referencegrant + - lset + singular: listenerset scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1 schema: openAPIV3Schema: description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. + ListenerSet defines a set of additional listeners to attach to an existing Gateway. + This resource provides a mechanism to merge multiple listeners into a single Gateway. - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. 
+ The parent Gateway must explicitly allow ListenerSet attachment through its + AllowedListeners configuration. By default, Gateways do not allow ListenerSet + attachment. - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. + Routes can attach to a ListenerSet by specifying it as a parentRef, and can + optionally target specific listeners using the sectionName field. - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. + Policy Attachment: + - Policies that attach to a ListenerSet apply to all listeners defined in that resource + - Policies do not impact listeners in the parent Gateway + - Different ListenerSets attached to the same Gateway can have different policies + - If an implementation cannot apply a policy to specific listeners, it should reject the policy + + ReferenceGrant Semantics: + - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets + - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners + - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" properties: apiVersion: description: |- 
@@ -15760,651 +16224,580 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ReferenceGrant. + description: Spec defines the desired state of ListenerSet. properties: - from: + listeners: description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. - - Support: Core - items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. + Listeners associated with this ListenerSet. Listeners define + logical endpoints that are bound on this referenced parent Gateway's addresses. - When used to permit a SecretObjectReference: + Listeners in a `Gateway` and their attached `ListenerSets` are concatenated + as a list when programming the underlying infrastructure. Each listener + name does not need to be unique across the Gateway and ListenerSets. + See ListenerEntry.Name for more details. - * Gateway + Implementations MUST treat the parent Gateway as having the merged + list of all listeners from itself and attached ListenerSets using + the following precedence: - When used to permit a BackendObjectReference: + 1. "parent" Gateway + 2. ListenerSet ordered by creation time (oldest first) + 3. ListenerSet ordered alphabetically by "{namespace}/{name}". 
- * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: - description: |- - Namespace is the namespace of the referent. + An implementation MAY reject listeners by setting the ListenerEntryStatus + `Accepted` condition to False with the Reason `TooManyListeners` - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. + If a listener has a conflict, this will be reported in the + Status.ListenerEntryStatus setting the `Conflicted` condition to True. - Support: Core + Implementations SHOULD be cautious about what information from the + parent or siblings are reported to avoid accidentally leaking + sensitive information that the child would not otherwise have access + to. This can include contents of secrets etc. items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. 
Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: - - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: + allowedRoutes: + default: + namespaces: + from: Same description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - required: - - from - - to - type: object - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tcproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TCPRoute - listKind: TCPRouteList - plural: tcproutes - singular: tcproute - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - TCPRoute provides a way to route TCP requests. When combined with a Gateway - listener, it can be used to forward connections on the port specified by the - listener to a set of backends specified by the TCPRoute. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of TCPRoute. - properties: - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - ParentRefs must be _distinct_. This means either that: - - * They select different objects. If this is the case, then parentRef - entries are distinct. 
In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. - - Some examples: + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. 
- Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. - This API may be extended in the future to support additional kinds of parent - resources. + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. 
- properties: - group: - default: gateway.networking.k8s.io + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. 
- Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: - There are two kinds of parent resources with "Core" support: + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. - Support for other resources is Implementation-Specific. - maxLength: 63 + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + maxLength: 253 minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string name: description: |- - Name is the name of the referent. + Name is the name of the Listener. This name MUST be unique within a + ListenerSet. - Support: Core + Name is not required to be unique across a Gateway and ListenerSets. 
+ Routes can attach to a Listener by having a ListenerSet as a parentRef + and setting the SectionName maxLength: 253 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - namespace: + port: description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. 
- - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. format: int32 maximum: 65535 minimum: 1 type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. 
For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 + protocol: + description: Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - description: Rules are a list of TCP matchers and actions. - items: - description: TCPRouteRule is the configuration for a given rule. - properties: - backendRefs: + tls: description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Connection rejections must - respect weight; if an invalid backend is requested to have 80% of - connections, then 80% of connections must be rejected instead. - - Support: Core for Kubernetes Service - - Support: Extended for Kubernetes ServiceImport - - Support: Implementation-specific for any other resource - - Support for weight: Extended - items: - description: |- - BackendRef defines how a Route should forward a request to a Kubernetes - resource. + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". 
It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. 
+ This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - Note that when the BackendTLSPolicy object is enabled by the implementation, - there are some extra rules about validity to consider here. See the fields - where this struct is used for more information about the exact behavior. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service + Support: Implementation-specific (More than one reference or other resource types) + items: description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. - Defaults to "Service" when not specified. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. 
+ References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. - Support: Core (Services with a type other than ExternalName) + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. 
+ There are two possible modes: - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. 
If unspecified, weight - defaults to 1. + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? 
size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' required: - - backendRefs + - name + - port + - protocol type: object - maxItems: 16 + maxItems: 64 minItems: 1 type: array - x-kubernetes-list-type: atomic + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) - useDefaultGateways: - description: |- - UseDefaultGateways indicates the default Gateway scope to use for this - Route. If unset (the default) or set to None, the Route will not be - attached to any default Gateway; if set, it will be attached to any - default Gateway supporting the named scope, subject to the usual rules - about which Routes a Gateway is allowed to claim. - - Think carefully before using this functionality! The set of default - Gateways supporting the requested scope can change over time without - any notice to the Route author, and in many situations it will not be - appropriate to request a default Gateway for a given Route -- for - example, a Route with specific security requirements should almost - certainly not use a default Gateway. - enum: - - All - - None - type: string + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? 
(!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) + && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) + && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) + && !has(l2.hostname))))' + parentRef: + description: ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. If not present, + the namespace of the referent is assumed to be the same as + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object required: - - rules + - listeners + - parentRef type: object status: - description: Status defines the current state of TCPRoute. + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. 
properties: - parents: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. + Conditions describe the current conditions of the ListenerSet. - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. + Implementations MUST express ListenerSet conditions using the + `ListenerSetConditionType` and `ListenerSetConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe ListenerSet state. - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. + Known condition types are: + + * "Accepted" + * "Programmed" items: - description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. + description: Condition contains details for one aspect of the current + state of this API Resource. properties: - conditions: + lastTransitionTime: description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. 
- - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. 
+ Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -16461,177 +16854,60 @@ spec: - type type: object maxItems: 8 - minItems: 1 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. + name: + description: Name is the name of the Listener that this status + corresponds to. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - parentRef: + supportedKinds: description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. 
- - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). 
It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. 
- - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds supported by an implementation for + that Listener configuration. - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic required: + - attachedRoutes - conditions - - controllerName - - parentRef + - name type: object - maxItems: 32 + maxItems: 64 type: array - x-kubernetes-list-type: atomic - required: - - parents + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object required: - spec 
@@ -16648,41 +16924,53 @@ status: storedVersions: null --- # -# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental - name: tlsroutes.gateway.networking.k8s.io + name: referencegrants.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: TLSRoute - listKind: TLSRouteList - plural: tlsroutes - singular: tlsroute + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1 schema: openAPIV3Schema: description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. - If you need to forward traffic to a single target for a TLS listener, you - could choose to use a TCPRoute with a TLS listener. + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. 
+ + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. properties: apiVersion: description: |- 
@@ -16702,188 +16990,472 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of TLSRoute. + description: Spec defines the desired state of ReferenceGrant. properties: - hostnames: + from: description: |- - Hostnames defines a set of SNI names that should match against the - SNI attribute of TLS ClientHello message in TLS handshake. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed in SNI names per RFC 6066. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. - - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. 
+ From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. Support: Core items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. 
- - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - ParentRefs must be _distinct_. This means either that: - - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. - - Some examples: - - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. - - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. - - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. 
- - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. + description: ReferenceGrantFrom describes trusted namespaces and + kinds. properties: group: - default: gateway.networking.k8s.io description: |- Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + When empty, the Kubernetes core API group is inferred. Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: - default: Gateway description: |- - Kind is kind of the referent. + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. 
- There are two kinds of parent resources with "Core" support: + When used to permit a SecretObjectReference: - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + * Gateway - Support for other resources is Implementation-Specific. + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string - name: + namespace: description: |- - Name is the name of the referent. + Namespace is the namespace of the referent. Support: Core - maxLength: 253 + maxLength: 63 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. 
+ + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. 
Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. 
+ + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: experimental + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + TCPRoute provides a way to route TCP requests. When combined with a Gateway + listener, it can be used to forward connections on the port specified by the + listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. 
+ * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. 
+ properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. 
@@ -16999,21 +17571,18 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TLS matchers and actions. + description: Rules are a list of TCP matchers and actions. items: - description: TLSRouteRule is the configuration for a given rule. + description: TCPRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or - a Service with no endpoints), the rule performs no forwarding; if no - filters are specified that would result in a response being sent, the - underlying implementation must actively reject request attempts to this - backend, by rejecting the connection or returning a 500 status code. - Request rejections must respect weight; if an invalid backend is - requested to have 80% of requests, then 80% of requests must be rejected - instead. + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Connection rejections must + respect weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. Support: Core for Kubernetes Service @@ -17185,7 +17754,7 @@ spec: - rules type: object status: - description: Status defines the current state of TLSRoute. + description: Status defines the current state of TCPRoute. properties: parents: description: |- 
@@ -17228,7 +17797,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -17461,14 +18030,43 @@ spec: - spec type: object served: true - storage: false + storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: experimental + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha3 + name: v1 schema: openAPIV3Schema: description: |- 
@@ -17508,32 +18106,6 @@ spec: 1. IPs are not allowed in SNI hostnames per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have specified at least one of `test.example.com` or - `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have specified at least one hostname that matches the Listener - hostname. For example, `test.example.com` and `*.example.com` would both - match. On the other hand, `example.com` and `test.example.net` would not - match. - - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. - - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches 
@@ -17558,6 +18130,17 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -17806,10 +18389,9 @@ spec: a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this - backend, by rejecting the connection or returning a 500 status code. - Request rejections must respect weight; if an invalid backend is - requested to have 80% of requests, then 80% of requests must be rejected - instead. + backend, by rejecting the connection. Request rejections must respect + weight; if an invalid backend is requested to have 80% of requests, then + 80% of requests must be rejected instead. Support: Core for Kubernetes Service @@ -17940,10 +18522,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -17955,10 +18535,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) useDefaultGateways: description: |- UseDefaultGateways indicates the default Gateway scope to use for this @@ -18025,7 +18601,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -18261,46 +18837,20 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: udproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: UDPRoute - listKind: UDPRouteList - plural: udproutes - singular: udproute - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date + deprecated: true + deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. name: v1alpha2 schema: openAPIV3Schema: description: |- - UDPRoute provides a way to route UDP traffic. When combined with a Gateway - listener, it can be used to forward traffic on the port specified by the - listener to a set of backends specified by the UDPRoute. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. properties: apiVersion: description: |- 
@@ -18320,8 +18870,66 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of UDPRoute. + description: Spec defines the desired state of TLSRoute. properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. 
+ + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants 
@@ -18559,18 +19167,20 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of UDP matchers and actions. + description: Rules are a list of TLS matchers and actions. items: - description: UDPRouteRule is the configuration for a given rule. + description: TLSRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Packet drops must - respect weight; if an invalid backend is requested to have 80% of - the packets, then 80% of packets must be dropped instead. + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection. Request rejections must respect + weight; if an invalid backend is requested to have 80% of requests, then + 80% of requests must be rejected instead. Support: Core for Kubernetes Service @@ -18701,10 +19311,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -18742,7 +19350,7 @@ spec: - rules type: object status: - description: Status defines the current state of UDPRoute. + description: Status defines the current state of TLSRoute. properties: parents: description: |- 
@@ -18785,7 +19393,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -19018,52 +19626,26 @@ spec: - spec type: object served: true - storage: true + storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - labels: - gateway.networking.k8s.io/policy: Direct - name: xbackendtrafficpolicies.gateway.networking.x-k8s.io -spec: - group: gateway.networking.x-k8s.io - names: - categories: - - gateway-api - kind: XBackendTrafficPolicy - listKind: XBackendTrafficPolicyList - plural: xbackendtrafficpolicies - shortNames: - - xbtrafficpolicy - singular: xbackendtrafficpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + deprecated: true + deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 schema: openAPIV3Schema: description: |- - XBackendTrafficPolicy defines the configuration for how traffic to a - target backend should be handled. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. properties: apiVersion: description: |- 
@@ -19083,320 +19665,597 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of BackendTrafficPolicy. + description: Spec defines the desired state of TLSRoute. properties: - retryConstraint: + hostnames: description: |- - RetryConstraint defines the configuration for when to allow or prevent - further retries to a target backend, by dynamically calculating a 'retry - budget'. This budget is calculated based on the percentage of incoming - traffic composed of retries over a given time interval. Once the budget - is exceeded, additional retries will be rejected. - - For example, if the retry budget interval is 10 seconds, there have been - 1000 active requests in the past 10 seconds, and the allowed percentage - of requests that can be retried is 20% (the default), then 200 of those - requests may be composed of retries. Active requests will only be - considered for the duration of the interval when calculating the retry - budget. Retrying the same original request multiple times within the - retry budget interval will lead to each retry being counted towards - calculating the budget. - - Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - HTTPRoute Retry settings for each HTTPRouteRule that targets the same - backend. While the HTTPRouteRule Retry stanza can specify whether a - request will be retried, and the number of retry attempts each client - may perform, RetryConstraint helps prevent cascading failures such as - retry storms during periods of consistent failures. - - After the retry budget has been exceeded, additional retries to the - backend MUST return a 503 response to the client. - - Additional configurations for defining a constraint on retries MAY be - defined in the future. - - Support: Extended - properties: - budget: - default: - interval: 10s - percent: 20 - description: Budget holds the details of the retry budget configuration. 
- properties: - interval: - default: 10s - description: |- - Interval defines the duration in which requests will be considered - for calculating the budget for retries. - - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour or less - than one second - rule: '!(duration(self) < duration(''1s'') || duration(self) - > duration(''1h''))' - percent: - default: 20 - description: |- - Percent defines the maximum percentage of active requests that may - be made up of retries. - - Support: Extended - maximum: 100 - minimum: 0 - type: integer - type: object - minRetryRate: - default: - count: 10 - interval: 1s - description: |- - MinRetryRate defines the minimum rate of retries that will be allowable - over a specified duration of time. - - The effective overall minimum rate of retries targeting the backend - service may be much higher, as there can be any number of clients which - are applying this setting locally. + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - This ensures that requests can still be retried during periods of low - traffic, where the budget for retries may be calculated as a very low - value. + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - Support: Extended - properties: - count: - description: |- - Count specifies the number of requests per time interval. + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). 
The wildcard + label must appear by itself as the first label. - Support: Extended - maximum: 1000000 - minimum: 1 - type: integer - interval: - description: |- - Interval specifies the divisor of the rate of requests, the amount of - time during which the given count of requests occur. + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour - rule: '!(duration(self) == duration(''0s'') || duration(self) - > duration(''1h''))' - type: object - type: object - sessionPersistence: + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: description: |- - SessionPersistence defines and configures session persistence - for the backend. 
- - Support: Extended - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. + There are two kinds of parent resources with "Core" support: - Support: Core - properties: - lifetimeType: - default: Session - description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. + This API may be extended in the future to support additional kinds of parent + resources. 
- When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. + ParentRefs must be _distinct_. This means either that: - Defaults to "Session". + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. - Support: Core for "Session" type + Some examples: - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. 
For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. - Support: Core for "Cookie" type - Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) - || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' - targetRefs: - description: |- - TargetRefs identifies API object(s) to apply this policy to. - Currently, Backends (A grouping of like endpoints such as Service, - ServiceImport, or any implementation-specific backendRef) are the only - valid API target references. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Currently, a TargetRef can not be scoped to a specific port on a - Service. 
+ ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. items: description: |- - LocalPolicyTargetReference identifies an API object to apply a direct or - inherited policy to. This should be used as part of Policy resources - that can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer to - the policy attachment documentation for Gateway API. + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. properties: group: - description: Group is the group of the target resource. + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: - description: Kind is kind of the target resource. + default: Gateway + description: |- + Kind is kind of the referent. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: - description: Name is the name of the target resource. + description: |- + Name is the name of the referent. + + Support: Core maxLength: 253 minLength: 1 type: string - required: - - group - - kind - - name - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - group - - kind - - name - x-kubernetes-list-type: map - required: - - targetRefs - type: object - status: - description: Status defines the current state of BackendTrafficPolicy. - properties: - ancestors: - description: |- - Ancestors is a list of ancestor resources (usually Gateways) that are - associated with the policy, and the status of the policy with respect to - each ancestor. When this policy attaches to a parent, the controller that - manages the parent and the ancestors MUST add an entry to this list when - the controller first sees the policy and SHOULD update the entry as - appropriate when the relevant ancestor is modified. - - Note that choosing the relevant ancestor is left to the Policy designers; - an important part of Policy design is designing the right object level at - which to namespace this status. + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - Note also that implementations MUST ONLY populate ancestor status for - the Ancestor resources they are responsible for. Implementations MUST - use the ControllerName field to uniquely identify the entries in this list - that they are responsible for. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. 
Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Note that to achieve this, the list of PolicyAncestorStatus structs - MUST be treated as a map with a composite key, made up of the AncestorRef - and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list - means the Policy is not relevant for any ancestors. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - If this slice is full, implementations MUST NOT add further entries. - Instead they MUST consider the policy unimplementable and signal that - on any related resources such as the ancestor that would be referenced - here. For example, if this list was full on BackendTLSPolicy, no - additional Gateways would be able to reference the Service targeted by - the BackendTLSPolicy. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). 
It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. 
+ + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of actions. items: - description: |- - PolicyAncestorStatus describes the status of a route with respect to an - associated Ancestor. + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection. Request rejections must respect + weight; if an invalid backend is requested to have 80% of requests, then + 80% of requests must be rejected instead. - Ancestors refer to objects that are either the Target of a policy or above it - in terms of object hierarchy. 
For example, if a policy targets a Service, the - Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - useful object to place Policy status on, so we recommend that implementations - SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - have a _very_ good reason otherwise. + Support: Core for Kubernetes Service - In the context of policy attachment, the Ancestor is used to distinguish which - resource results in a distinct application of this policy. For example, if a policy - targets a Service, it may have a distinct result per attached Gateway. + Support: Extended for Kubernetes ServiceImport - Policies targeting the same resource may have different effects depending on the - ancestors of those resources. For example, different Gateways targeting the same - Service may have different capabilities, especially if they have different underlying - implementations. + Support: Implementation-specific for any other resource - For example, in BackendTLSPolicy, the Policy attaches to a Service that is - used as a backend in a HTTPRoute that is itself attached to a Gateway. - In this case, the relevant object for status is the Gateway, and that is the - ancestor object referred to in this status. + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. - Note that a parent is also an ancestor, so for objects where the parent is the - relevant object for status, this struct SHOULD still be used. + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
- This struct is intended to be used in a slice that's effectively a map, - with a composite key made up of the AncestorRef and the ControllerName. + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
+ + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. 
+ format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. 
When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. properties: - ancestorRef: + conditions: description: |- - AncestorRef corresponds with a ParentRef in the spec that this - PolicyAncestorStatus struct describes the status of. + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. properties: group: default: gateway.networking.k8s.io 
@@ -19530,105 +20389,22 @@ spec: required: - name type: object - conditions: - description: Conditions describes the status of the Policy with - respect to the given Ancestor. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string required: - - ancestorRef - conditions - controllerName + - parentRef type: object - maxItems: 16 + maxItems: 32 type: array x-kubernetes-list-type: atomic required: - - ancestors + - parents type: object required: - spec type: object served: true - storage: true + storage: false subresources: status: {} status: 
@@ -19639,70 +20415,38 @@ status: storedVersions: null --- # -# config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml +# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental - name: xlistenersets.gateway.networking.x-k8s.io + name: udproutes.gateway.networking.k8s.io spec: - group: gateway.networking.x-k8s.io + group: gateway.networking.k8s.io names: categories: - gateway-api - kind: XListenerSet - listKind: XListenerSetList - plural: xlistenersets - shortNames: - - lset - singular: xlistenerset + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .status.conditions[?(@.type=="Programmed")].status - name: Programmed - type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + name: v1alpha2 schema: openAPIV3Schema: description: |- - XListenerSet defines a set of additional listeners to attach to an existing Gateway. - This resource provides a mechanism to merge multiple listeners into a single Gateway. - - The parent Gateway must explicitly allow ListenerSet attachment through its - AllowedListeners configuration. By default, Gateways do not allow ListenerSet - attachment. - - Routes can attach to a ListenerSet by specifying it as a parentRef, and can - optionally target specific listeners using the sectionName field. 
- - Policy Attachment: - - Policies that attach to a ListenerSet apply to all listeners defined in that resource - - Policies do not impact listeners in the parent Gateway - - Different ListenerSets attached to the same Gateway can have different policies - - If an implementation cannot apply a policy to specific listeners, it should reject the policy - - ReferenceGrant Semantics: - - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - - Gateway Integration: - - The parent Gateway's status will include an "AttachedListenerSets" condition - - This condition will be: - - True: when AllowedListeners is set and at least one child ListenerSet is attached - - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - - Unknown: when no AllowedListeners config is present + UDPRoute provides a way to route UDP traffic. When combined with a Gateway + listener, it can be used to forward traffic on the port specified by the + listener to a set of backends specified by the UDPRoute. properties: apiVersion: description: |- 
@@ -19722,579 +20466,1273 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ListenerSet. + description: Spec defines the desired state of UDPRoute. properties: - listeners: + parentRefs: description: |- - Listeners associated with this ListenerSet. Listeners define - logical endpoints that are bound on this referenced parent Gateway's addresses. + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. - Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - as a list when programming the underlying infrastructure. Each listener - name does not need to be unique across the Gateway and ListenerSets. - See ListenerEntry.Name for more details. + There are two kinds of parent resources with "Core" support: - Implementations MUST treat the parent Gateway as having the merged - list of all listeners from itself and attached ListenerSets using - the following precedence: + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - 1. "parent" Gateway - 2. ListenerSet ordered by creation time (oldest first) - 3. ListenerSet ordered alphabetically by "{namespace}/{name}". + This API may be extended in the future to support additional kinds of parent + resources. 
- An implementation MAY reject listeners by setting the ListenerEntryStatus - `Accepted` condition to False with the Reason `TooManyListeners` + ParentRefs must be _distinct_. This means either that: - If a listener has a conflict, this will be reported in the - Status.ListenerEntryStatus setting the `Conflicted` condition to True. + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. - Implementations SHOULD be cautious about what information from the - parent or siblings are reported to avoid accidentally leaking - sensitive information that the child would not otherwise have access - to. This can include contents of secrets etc. - items: - properties: - allowedRoutes: - default: - namespaces: - from: Same - description: |- - AllowedRoutes defines the types of routes that MAY be attached to a - Listener and the trusted namespaces where those Route resources MAY be - present. + Some examples: - Although a client request may match multiple route rules, only one rule - may ultimately receive the request. Matching precedence MUST be - determined in order of the following criteria: + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. - * The most specific match as defined by the Route type. 
- * The oldest Route based on creation timestamp. For example, a Route with - a creation timestamp of "2020-09-08 01:02:03" is given precedence over - a Route with a creation timestamp of "2020-09-08 01:02:04". - * If everything else is equivalent, the Route appearing first in - alphabetical order (namespace/name) should be given precedence. For - example, foo/bar is given precedence over foo/baz. + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. - All valid rules within a Route attached to this Listener should be - implemented. Invalid Route rules can be ignored (sometimes that will mean - the full Route). If a Route rule transitions from valid to invalid, - support for that Route rule should be dropped to ensure consistency. For - example, even if a filter specified by a Route rule is invalid, the rest - of the rules within that Route should still be supported. - properties: - kinds: - description: |- - Kinds specifies the groups and kinds of Routes that are allowed to bind - to this Gateway Listener. When unspecified or empty, the kinds of Routes - selected are determined using the Listener protocol. + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. - A RouteGroupKind MUST correspond to kinds of Routes that are compatible - with the application protocol specified in the Listener's Protocol field. 
- If an implementation does not support or recognize this resource type, it - MUST set the "ResolvedRefs" condition to False for this Listener with the - "InvalidRouteKinds" reason. - Support: Core - items: - description: RouteGroupKind indicates the group and kind - of a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - namespaces: - default: - from: Same - description: |- - Namespaces indicates namespaces from which Routes may be attached to this - Listener. This is restricted to the namespace of this Gateway by default. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Support: Core - properties: - from: - default: Same - description: |- - From indicates where Routes will be selected for this Gateway. Possible - values are: + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: - * All: Routes in all namespaces may be used by this Gateway. - * Selector: Routes in namespaces selected by the selector may be used by - this Gateway. 
- * Same: Only Routes in the same namespace may be used by this Gateway. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Support: Core - enum: - - All - - Selector - - Same - type: string - selector: - description: |- - Selector must be specified when From is set to "Selector". In that case, - only Routes in Namespaces matching this Selector will be selected by this - Gateway. This field is ignored for other values of "From". + This API may be extended in the future to support additional kinds of parent + resources. - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - hostname: + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io description: |- - Hostname specifies the virtual hostname to match for protocol types that - define this concept. When unspecified, all hostnames are matched. This - field is ignored for protocols that don't require hostname based - matching. + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - Implementations MUST apply Hostname matching appropriately for each of - the following protocols: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - * TLS: The Listener Hostname MUST match the SNI. - * HTTP: The Listener Hostname MUST match the Host header of the request. - * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - protocol layers as described above. If an implementation does not - ensure that both the SNI and Host header match the Listener hostname, - it MUST clearly document that. + There are two kinds of parent resources with "Core" support: - For HTTPRoute and TLSRoute resources, there is an interaction with the - `spec.hostnames` array. When both listener and route specify hostnames, - there MUST be an intersection between the values for a Route to be - accepted. For more information, refer to the Route specific Hostnames - documentation. 
+ * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - maxLength: 253 + Support for other resources is Implementation-Specific. + maxLength: 63 minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: |- - Name is the name of the Listener. This name MUST be unique within a - ListenerSet. + Name is the name of the referent. - Name is not required to be unique across a Gateway and ListenerSets. - Routes can attach to a Listener by having a ListenerSet as a parentRef - and setting the SectionName + Support: Core maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. 
+ + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string port: - default: 0 description: |- - Port is the network port. Multiple listeners may use the - same port, subject to the Listener compatibility rules. + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. 
If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. - If the port is not set or specified as zero, the implementation will assign - a unique port. If the implementation does not support dynamic port - assignment, it MUST set `Accepted` condition to `False` with the - `UnsupportedPort` reason. + Support: Extended format: int32 maximum: 65535 - minimum: 0 + minimum: 1 type: integer - protocol: - description: Protocol specifies the network protocol this listener - expects to receive. - maxLength: 255 + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. 
+ + Support: Core + maxLength: 253 minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - tls: + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. 
+ properties: + backendRefs: description: |- - TLS is the TLS configuration for the Listener. This field is required if - the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - if the Protocol field is "HTTP", "TCP", or "UDP". + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Packet drops must + respect weight; if an invalid backend is requested to have 80% of + the packets, then 80% of packets must be dropped instead. - The association of SNIs to Certificate defined in ListenerTLSConfig is - defined based on the Hostname field for this listener. + Support: Core for Kubernetes Service - The GatewayClass MUST use the longest matching SNI out of all - available certificates for any TLS handshake. - properties: - certificateRefs: - description: |- - CertificateRefs contains a series of references to Kubernetes objects that - contains TLS certificates and private keys. These certificates are used to - establish a TLS handshake for requests that match the hostname of the - associated listener. + Support: Extended for Kubernetes ServiceImport - A single CertificateRef to a Kubernetes Secret has "Core" support. - Implementations MAY choose to support attaching multiple certificates to - a Listener, but this behavior is implementation-specific. + Support: Implementation-specific for any other resource - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. 
+ Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. - This field is required to have at least one element when the mode is set - to "Terminate" (default) and is optional otherwise. + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - CertificateRefs can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. - Support: Implementation-specific (More than one reference or other resource types) - items: - description: |- - SecretObjectReference identifies an API object including its namespace, - defaulting to Secret. + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - mode: - default: Terminate + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. 
+ + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. 
+ + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. 
+ enum: + - All + - None + type: string + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. 
+ * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. - There are two possible modes: + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. 
This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. Support: Core - enum: - - Terminate - - Passthrough + maxLength: 253 + minLength: 1 type: string - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string + namespace: description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - A set of common keys MAY be defined by the API in the future. To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. 
Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Support: Implementation-specific - maxProperties: 16 - type: object + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. 
+ + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name type: object - x-kubernetes-validations: - - message: certificateRefs or options must be specified when - mode is Terminate - rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) - > 0 || size(self.options) > 0 : true' required: - - name - - protocol + - conditions + - controllerName + - parentRef type: object - maxItems: 64 - minItems: 1 + maxItems: 32 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: tls must not be specified for protocols ['HTTP', 'TCP', - 'UDP'] - rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? - !has(l.tls) : true)' - - message: tls mode must be Terminate for protocol HTTPS - rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode - == '''' || l.tls.mode == ''Terminate'') : true)' - - message: hostname must not be specified for protocols ['TCP', 'UDP'] - rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) - || l.hostname == '''') : true)' - - message: Listener name must be unique within the Gateway - rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) - - message: Combination of port, protocol and hostname must be unique - for each listener - rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) - && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) - && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) - && !has(l2.hostname))))' - parentRef: - description: ParentRef references the Gateway that the listeners are - attached to. 
+ x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml +# +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: "safe-upgrades.gateway.networking.k8s.io" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + validations: + - expression: "object.spec.group != 'gateway.networking.k8s.io' || oldObject == null || ( + has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && + object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' ) || ( + oldObject != null && has(oldObject.metadata.annotations) && oldObject.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && + oldObject.metadata.annotations['gateway.networking.k8s.io/channel'] == 'experimental' )" + message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." 
+ reason: Invalid + - expression: "object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library + message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." + reason: Invalid + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + policyName: safe-upgrades.gateway.networking.k8s.io + validationActions: [Deny] + matchResources: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + resources: ["customresourcedefinitions"] + operations: ["CREATE", "UPDATE"] +--- +# +# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 + gateway.networking.k8s.io/channel: experimental + labels: + gateway.networking.k8s.io/policy: Direct + name: xbackendtrafficpolicies.gateway.networking.x-k8s.io +spec: + group: gateway.networking.x-k8s.io + names: + categories: + - gateway-api + kind: XBackendTrafficPolicy + listKind: XBackendTrafficPolicyList + plural: xbackendtrafficpolicies + shortNames: + - xbtrafficpolicy + singular: xbackendtrafficpolicy + scope: Namespaced + versions: + - 
additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + XBackendTrafficPolicy defines the configuration for how traffic to a + target backend should be handled. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendTrafficPolicy. + properties: + retryConstraint: + description: |- + RetryConstraint defines the configuration for when to allow or prevent + further retries to a target backend, by dynamically calculating a 'retry + budget'. This budget is calculated based on the percentage of incoming + traffic composed of retries over a given time interval. Once the budget + is exceeded, additional retries will be rejected. + + For example, if the retry budget interval is 10 seconds, there have been + 1000 active requests in the past 10 seconds, and the allowed percentage + of requests that can be retried is 20% (the default), then 200 of those + requests may be composed of retries. Active requests will only be + considered for the duration of the interval when calculating the retry + budget. 
Retrying the same original request multiple times within the + retry budget interval will lead to each retry being counted towards + calculating the budget. + + Configuring a RetryConstraint in BackendTrafficPolicy is compatible with + HTTPRoute Retry settings for each HTTPRouteRule that targets the same + backend. While the HTTPRouteRule Retry stanza can specify whether a + request will be retried, and the number of retry attempts each client + may perform, RetryConstraint helps prevent cascading failures such as + retry storms during periods of consistent failures. + + After the retry budget has been exceeded, additional retries to the + backend MUST return a 503 response to the client. + + Additional configurations for defining a constraint on retries MAY be + defined in the future. + + Support: Extended properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + budget: + default: + interval: 10s + percent: 20 + description: Budget holds the details of the retry budget configuration. + properties: + interval: + default: 10s + description: |- + Interval defines the duration in which requests will be considered + for calculating the budget for retries. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour or less + than one second + rule: '!(duration(self) < duration(''1s'') || duration(self) + > duration(''1h''))' + percent: + default: 20 + description: |- + Percent defines the maximum percentage of active requests that may + be made up of retries. + + Support: Extended + maximum: 100 + minimum: 0 + type: integer + type: object + minRetryRate: + default: + count: 10 + interval: 1s + description: |- + MinRetryRate defines the minimum rate of retries that will be allowable + over a specified duration of time. 
+ + The effective overall minimum rate of retries targeting the backend + service may be much higher, as there can be any number of clients which + are applying this setting locally. + + This ensures that requests can still be retried during periods of low + traffic, where the budget for retries may be calculated as a very low + value. + + Support: Extended + properties: + count: + description: |- + Count specifies the number of requests per time interval. + + Support: Extended + maximum: 1000000 + minimum: 1 + type: integer + interval: + description: |- + Interval specifies the divisor of the rate of requests, the amount of + time during which the given count of requests occur. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour + rule: '!(duration(self) == duration(''0s'') || duration(self) + > duration(''1h''))' + type: object + type: object + sessionPersistence: + description: |- + SessionPersistence defines and configures session persistence + for the backend. + + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string - kind: - default: Gateway - description: Kind is kind of the referent. For example "Gateway". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. + + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. 
A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. + + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. + + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. + + Defaults to "Session". + + Support: Core for "Session" type + + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. + + Support: Implementation-specific + maxLength: 128 type: string - namespace: + type: + default: Cookie description: |- - Namespace is the namespace of the referent. If not present, - the namespace of the referent is assumed to be the same as - the namespace of the referring object. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + Type defines the type of session persistence such as through + the use of a header or cookie. Defaults to cookie based session + persistence. 
+ + Support: Core for "Cookie" type + + Support: Extended for "Header" type + enum: + - Cookie + - Header type: string - required: - - name type: object - required: - - listeners - - parentRef - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: Status defines the current state of ListenerSet. - properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' + targetRefs: description: |- - Conditions describe the current conditions of the ListenerSet. - - Implementations MUST express ListenerSet conditions using the - `ListenerSetConditionType` and `ListenerSetConditionReason` - constants so that operators and tools can converge on a common - vocabulary to describe ListenerSet state. - - Known condition types are: - - * "Accepted" - * "Programmed" + TargetRefs identifies API object(s) to apply this policy to. + Currently, Backends (A grouping of like endpoints such as Service, + ServiceImport, or any implementation-specific backendRef) are the only + valid API target references. + + Currently, a TargetRef cannot be scoped to a specific port on a + Service. 
items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: |- + LocalPolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 + kind: + description: Kind is kind of the target resource. 
+ maxLength: 63 minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - group + - kind + - name type: object - maxItems: 8 + maxItems: 16 + minItems: 1 type: array x-kubernetes-list-map-keys: - - type + - group + - kind + - name x-kubernetes-list-type: map - listeners: - description: Listeners provide status for each unique listener port - defined in the Spec. + required: + - targetRefs + type: object + status: + description: Status defines the current state of BackendTrafficPolicy. + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. 
Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. items: - description: ListenerStatus is the status associated with a Listener. + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. 
For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. properties: - attachedRoutes: + ancestorRef: description: |- - AttachedRoutes represents the total number of Routes that have been - successfully attached to this Listener. + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - Successful attachment of a Route to a Listener is based solely on the - combination of the AllowedRoutes field on the corresponding Listener - and the Route's ParentRefs field. A Route is successfully attached to - a Listener when it is selected by the Listener's AllowedRoutes field - AND the Route has a valid ParentRef selecting the whole Gateway - resource or a specific Listener as a parent resource (more detail on - attachment semantics can be found in the documentation on the various - Route kinds ParentRefs fields). Listener or Route status does not impact - successful attachment, i.e. 
the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - Uses for this field include troubleshooting Route attachment and - measuring blast radius/impact of changes to a Listener. - format: int32 - type: integer + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. 
+ + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object conditions: - description: Conditions describe the current condition of this - listener. + description: Conditions describes the status of the Policy with + respect to the given Ancestor. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -20351,69 +21789,40 @@ spec: - type type: object maxItems: 8 + minItems: 1 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - name: - description: Name is the name of the Listener that this status - corresponds to. + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - port: - description: Port is the network port the listener is configured - to listen on. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - supportedKinds: - description: |- - SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for - that Listener configuration. - - If kinds are specified in Spec that are not supported, they MUST NOT - appear in this list and an implementation MUST set the "ResolvedRefs" - condition to "False" with the "InvalidRouteKinds" reason. If both valid - and invalid Route kinds are specified, the implementation MUST - reference the valid Route kinds that have been specified. - items: - description: RouteGroupKind indicates the group and kind of - a Route resource. 
- properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic required: - - attachedRoutes + - ancestorRef - conditions - - name - - port - - supportedKinds + - controllerName type: object - maxItems: 64 + maxItems: 16 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + required: + - ancestors type: object required: - spec @@ -20436,8 +21845,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: @@ -20682,13 +22091,13 @@ status: storedVersions: null --- -# Source: crds/generated/gateway.envoyproxy.io_backends.yaml +# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backends.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.20.1 name: backends.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io 
@@ -20926,6 +22335,8 @@ spec: description: |- Ciphers specifies the set of cipher suites supported when negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3. + For the list of supported ciphers, please refer to the Envoy documentation: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters In non-FIPS Envoy Proxy builds the default cipher list is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] @@ -20995,6 +22406,26 @@ spec: items: type: string type: array + fingerprints: + description: |- + Fingerprints specifies TLS client fingerprinting. + When specified, a JAX fingerprint derived from the client’s TLS handshake + is generated. The fingerprint can be logged in access logs or + forwarded to upstream services using request headers. + + Fingerprinting is disabled if not specified. + + Supported values are: + - JA3 + - JA4 + items: + description: TLSFingerprintType specifies the TLS client fingerprinting + mode. + enum: + - JA3 + - JA4 + type: string + type: array insecureSkipVerify: default: false description: |- @@ -21052,8 +22483,9 @@ spec: If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string type: object x-kubernetes-validations: 
@@ -21161,13 +22593,13 @@ spec: status: {} --- -# Source: crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.20.1 name: backendtrafficpolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io 
@@ -21213,6 +22645,210 @@ spec: spec: description: spec defines the desired state of BackendTrafficPolicy. properties: + admissionControl: + description: |- + AdmissionControl defines the admission control policy to be applied. This configuration + probabilistically rejects requests based on the success rate of previous requests in a + configurable sliding time window. + properties: + maxRejectionPercent: + description: |- + MaxRejectionPercent represents the upper limit of the rejection probability, + expressed as a percentage in the range [0, 100]. Defaults to 80 if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + minRequestRate: + description: |- + MinRequestRate defines the minimum requests per second below which requests will + pass through the filter without rejection. Defaults to 0 if not specified. + format: int32 + minimum: 0 + type: integer + minSuccessRate: + description: |- + MinSuccessRate is the lowest request success rate, as a percentage in the + range [1, 100], at which the filter will not reject requests. Defaults to 95 if + not specified. Envoy rejects values below 1%, so values lower than 1 are not allowed. + format: int32 + maximum: 100 + minimum: 1 + type: integer + rejectionAggression: + description: |- + RejectionAggression controls how steeply the rejection probability rises + as the observed success rate falls below MinSuccessRate. A value of 1 + produces a linear curve; higher values reject more aggressively for a + given drop in success rate. Must be greater than 0; values below 1 are + clamped to 1. Defaults to 1. + format: int32 + minimum: 1 + type: integer + samplingWindow: + description: |- + SamplingWindow defines the time window over which request success rates are calculated. + Must be at least 1s; Envoy truncates the window to whole seconds and uses it as the + denominator in RPS calculations, so sub-second values would produce a zero denominator. + Defaults to 30s if not specified. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + successCriteria: + description: SuccessCriteria defines what constitutes a successful + request for both HTTP and gRPC. + properties: + grpc: + description: GRPC defines success criteria for gRPC requests. + properties: + statusCodes: + description: |- + StatusCodes defines gRPC status codes that are considered successful. + Status codes are defined in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md#status-codes-and-their-use-in-grpc. + items: + description: |- + GRPCSuccessCode defines gRPC status codes as defined in + https://github.com/grpc/grpc/blob/master/doc/statuscodes.md#status-codes-and-their-use-in-grpc. + enum: + - Ok + - Cancelled + - Unknown + - InvalidArgument + - DeadlineExceeded + - NotFound + - AlreadyExists + - PermissionDenied + - ResourceExhausted + - FailedPrecondition + - Aborted + - OutOfRange + - Unimplemented + - Internal + - Unavailable + - DataLoss + - Unauthenticated + type: string + type: array + type: object + http: + description: HTTP defines success criteria for HTTP requests. + properties: + statusCodes: + description: StatusCodes defines HTTP status codes that + are considered successful. + items: + description: HTTPStatus defines the http status code. 
+ maximum: 599 + minimum: 100 + type: integer + type: array + type: object + type: object + type: object + x-kubernetes-validations: + - message: minSuccessRate must be between 1 and 100 + rule: '!has(self.minSuccessRate) || (self.minSuccessRate >= 1 && + self.minSuccessRate <= 100)' + - message: maxRejectionPercent must be between 0 and 100 + rule: '!has(self.maxRejectionPercent) || (self.maxRejectionPercent + >= 0 && self.maxRejectionPercent <= 100)' + - message: samplingWindow must be at least 1s + rule: '!has(self.samplingWindow) || duration(self.samplingWindow) + >= duration(''1s'')' + bandwidthLimit: + description: |- + BandwidthLimit allows the user to limit the bandwidth of traffic + sent to and received from the backend. + properties: + request: + description: Request configures bandwidth limits for traffic sent + to the backend. + properties: + limit: + description: Limit specifies the bandwidth limit as a bytes-per-unit + throughput rate. + properties: + unit: + description: Unit specifies the time unit for the bandwidth + limit (e.g. Second, Minute, Hour). + enum: + - Second + - Minute + - Hour + type: string + value: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: Value specifies the bandwidth limit. + x-kubernetes-int-or-string: true + required: + - unit + - value + type: object + required: + - limit + type: object + response: + description: Response configures bandwidth limits for traffic + sent from the backend. + properties: + limit: + description: Limit specifies the bandwidth limit as a bytes-per-unit + throughput rate. + properties: + unit: + description: Unit specifies the time unit for the bandwidth + limit (e.g. Second, Minute, Hour). 
+ enum: + - Second + - Minute + - Hour + type: string + value: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: Value specifies the bandwidth limit. + x-kubernetes-int-or-string: true + required: + - unit + - value + type: object + responseTrailers: + description: |- + ResponseTrailers configures the trailer headers appended to responses + when bandwidth limiting introduces delays. + properties: + prefix: + description: |- + Prefix is prepended to each trailer header name. + If not set, no prefix is added and the trailers are named as-is. + For example, setting "x-eg" produces trailers such as "x-eg-bandwidth-request-delay-ms", + while leaving it unset produces "bandwidth-request-delay-ms". + + The following four trailers can be added: + "bandwidth-request-delay-ms" is delay time in milliseconds it took for the request stream transfer + including request body transfer time and the time added by the filter. + "bandwidth-response-delay-ms" is delay time in milliseconds it took for the response stream transfer + including response body transfer time and the time added by the filter. + "bandwidth-request-filter-delay-ms" is delay time in milliseconds in request stream transfer added by the filter. + "bandwidth-response-filter-delay-ms" is delay time in milliseconds that added by the filter. + pattern: ^[^\r\n\x00]*$ + type: string + type: object + required: + - limit + type: object + type: object + x-kubernetes-validations: + - message: at least one of request or response must be specified + rule: has(self.request) || has(self.response) circuitBreaker: description: |- Circuit Breaker settings for the upstream connections and requests. 
@@ -21276,10 +22912,49 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object compression: description: |- The compression config for the http streams. + Deprecated: Use Compressor instead. items: description: |- @@ -21473,6 +23148,8 @@ spec: description: GrpcStatus specifies the GRPC status code to be returned format: int32 + maximum: 16 + minimum: 0 type: integer httpStatus: description: StatusCode specifies the HTTP status code to 
@@ -21589,8 +23266,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -21606,6 +23284,18 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus defines the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -21621,6 +23311,23 @@ spec: checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -21709,8 +23416,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold defines the number of unhealthy - health checks required before a backend host is marked unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -21740,6 +23450,12 @@ spec: passive: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime defines the base duration for @@ -21784,6 +23500,8 @@ spec: description: MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -21795,6 +23513,38 @@ spec: http2: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures HTTP/2 connection + keepalive using PING frames. + properties: + idleInterval: + description: IdleInterval specifies how long a connection + must be idle before a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies how often to send HTTP/2 PING + frames to keep the connection alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies how long to wait for a PING + response before considering the connection dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than interval + rule: '!has(self.timeout) || !has(self.interval) || duration(self.timeout) + < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -21836,7 +23586,9 @@ spec: httpUpgrade: description: |- HTTPUpgrade defines the configuration for HTTP protocol upgrades. - If not specified, the default upgrade configuration(websocket) will be used. + If not specified, the default upgrade configuration (websocket) will be used. + However, if requestBuffer is configured, the default upgrade configuration + will be ignored. items: description: ProtocolUpgradeConfig specifies the configuration for protocol upgrades. 
@@ -21869,6 +23621,56 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint has not reported load metrics + in this long, stop using the reported weight. Defaults to + 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint weights are recalculated. + Values less than 100ms are capped at 100ms. Default 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -21983,6 +23785,40 @@ spec: field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -22015,7 +23851,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -22035,12 +23871,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the configuration related to the @@ -22077,6 +23917,36 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig defines the weight for a + specific locality zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -22086,14 +23956,38 @@ spec: field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' - - message: Currently SlowStart is only supported for RoundRobin and - LeastRequest load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] ? !has(self.slowStart) - : true ' - - message: Currently ZoneAware is only supported for LeastRequest, - Random, and RoundRobin load balancers. - rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) : - true ' + - message: If LoadBalancer type is BackendUtilization, backendUtilization + field needs to be set. + rule: 'self.type == ''BackendUtilization'' ? has(self.backendUtilization) + : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, dynamicModule field + needs to be set. + rule: 'self.type == ''DynamicModule'' ? has(self.dynamicModule) + : !has(self.dynamicModule)' + - message: Currently SlowStart is only supported for RoundRobin, LeastRequest, + and BackendUtilization load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash'', ''DynamicModule''] + ? !has(self.slowStart) : true' + - message: PreferLocal zone-aware routing is not supported for ConsistentHash + load balancers. Use weightedZones instead. + rule: 'self.type == ''ConsistentHash'' && has(self.zoneAware) ? + !has(self.zoneAware.preferLocal) : true' + - message: PreferLocal zone-aware routing is not currently supported + for BackendUtilization load balancers. Only WeightedZones can + be used with BackendUtilization. + rule: 'self.type == ''BackendUtilization'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: ZoneAware routing is not supported for DynamicModule load + balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.zoneAware) : true' + - message: ZoneAware PreferLocal and WeightedZones cannot be specified + together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) && + has(self.zoneAware.weightedZones)) : true' + - message: EndpointOverride is not supported for DynamicModule load + balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.endpointOverride) + : true' mergeType: description: |- MergeType determines how this configuration is merged with existing BackendTrafficPolicy @@ -22102,13 +23996,16 @@ spec: This field cannot be set when targeting a parent resource (Gateway). If unset, no merging occurs, and only the most specific configuration takes effect. type: string + x-kubernetes-validations: + - message: Replace is not a valid MergeType for BackendTrafficPolicySpec + rule: self != 'Replace' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with the backend. properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -22205,7 +24102,7 @@ spec: required: - name type: object - maxItems: 16 + maxItems: 64 type: array methods: description: |- @@ -22310,6 +24207,12 @@ spec: description: SourceCIDR is the client IP Address range to match on. properties: + invert: + default: false + description: |- + Invert specifies whether the source range match result will be inverted. + When true, the rule matches when the client IP is not in the specified range(s). + type: boolean type: default: Exact enum: @@ -22451,6 +24354,12 @@ spec: the selected requests have reached the limit. properties: requests: + description: |- + Requests is the number of requests (or cost units, when used with + cost-based rate limiting) allowed per Unit. + format: int32 + maximum: 4294967295 + minimum: 1 type: integer unit: description: |- 
@@ -22483,10 +24392,19 @@ spec: If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes). Default: false. type: boolean + xRateLimitHeaders: + description: |- + XRateLimitHeaders controls whether X-RateLimit response headers are emitted for this rate limit rule. + When set, this overrides the global DisableRateLimitHeaders setting in ClientTrafficPolicy for this rule. + If not set, the rule inherits the listener-level setting (default behavior). + enum: + - "Off" + - DraftVersion03 + type: string required: - limit type: object - maxItems: 128 + maxItems: 256 type: array required: - rules @@ -22568,7 +24486,7 @@ spec: required: - name type: object - maxItems: 16 + maxItems: 64 type: array methods: description: |- @@ -22673,6 +24591,12 @@ spec: description: SourceCIDR is the client IP Address range to match on. properties: + invert: + default: false + description: |- + Invert specifies whether the source range match result will be inverted. + When true, the rule matches when the client IP is not in the specified range(s). + type: boolean type: default: Exact enum: @@ -22814,6 +24738,12 @@ spec: the selected requests have reached the limit. properties: requests: + description: |- + Requests is the number of requests (or cost units, when used with + cost-based rate limiting) allowed per Unit. + format: int32 + maximum: 4294967295 + minimum: 1 type: integer unit: description: |- 
@@ -22846,6 +24776,15 @@ spec: If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes). Default: false. type: boolean + xRateLimitHeaders: + description: |- + XRateLimitHeaders controls whether X-RateLimit response headers are emitted for this rate limit rule. + When set, this overrides the global DisableRateLimitHeaders setting in ClientTrafficPolicy for this rule. + If not set, the rule inherits the listener-level setting (default behavior). + enum: + - "Off" + - DraftVersion03 + type: string required: - limit type: object @@ -22853,9 +24792,7 @@ spec: type: array x-kubernetes-validations: - message: response cost is not supported for Local Rate Limits - rule: self.all(foo, !has(foo.cost) || !has(foo.cost.response)) - - message: shadow mode is not supported for Local Rate Limits - rule: self.all(foo, !has(foo.shadowMode)) + rule: self.all(r, !has(r.cost) || !has(r.cost.response)) type: object type: description: |- @@ -22878,6 +24815,9 @@ spec: When enabling this option, you should also configure your connection buffer size to account for these request buffers. There will also be an increase in memory usage for Envoy that should be accounted for in your deployment settings. + + Request buffering is incompatible with streaming APIs and protocol upgrades such as gRPC streaming and WebSocket. Do not enable this option + on routes that need those protocols, because requests can hang instead of being forwarded upstream. properties: limit: allOf: @@ -23193,8 +25133,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string 
@@ -23267,8 +25213,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -23291,6 +25243,17 @@ spec: If unset, does not override the status of response. type: integer type: object + source: + description: |- + Source specifies which responses this rule applies to. + Local overrides only Envoy-generated responses (e.g. auth failures). + Backend overrides only upstream responses. + All (default) overrides both. + enum: + - All + - Local + - Backend + type: string required: - match type: object @@ -23388,7 +25351,7 @@ spec: description: |- RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend, or it can be set to "Endpoint" to use Endpoint routing. - When specified, this overrides the EnvoyProxy-level setting for the relevant targeRefs. + When specified, this overrides the EnvoyProxy-level setting for the relevant targetRefs. If not specified, the EnvoyProxy-level setting is used. type: string targetRef: 
@@ -23547,8 +25510,86 @@ spec: additionalProperties: type: string description: MatchLabels are the set of label selectors for - identifying the targeted resource + identifying the targeted resource. + type: object + namespaces: + description: |- + Namespaces determines which namespaces are considered for target selection. + + If unspecified, only targets in the same namespace as this policy are considered. + + When specified, the effective set of namespaces is always constrained to the + namespaces watched by Envoy Gateway. + + Selecting targets across namespaces requires a ReferenceGrant in the target + namespace that allows this policy kind to reference the selected target kind. + Cross-namespace targets without a matching ReferenceGrant are ignored. + properties: + from: + default: Same + description: |- + From indicates how namespaces are selected for this target selector. + + All means all namespaces watched by Envoy Gateway. + Selector means namespaces watched by Envoy Gateway that match Selector. + enum: + - Same + - All + - Selector + type: string + selector: + description: Selector selects namespaces when From is set + to Selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - from type: object + x-kubernetes-validations: + - message: selector must be specified when from is Selector + rule: self.from != 'Selector' || has(self.selector) required: - kind type: object @@ -23761,6 +25802,12 @@ spec: response is received from the upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. 
@@ -23800,6 +25847,16 @@ spec: : true ' - message: either compression or compressor can be set, not both rule: '!has(self.compression) || !has(self.compressor)' + - message: requestBuffer cannot be used together with httpUpgrade + rule: '!has(self.requestBuffer) || !has(self.httpUpgrade) || self.httpUpgrade.size() + == 0' + - message: admissionControl can only be used with HTTPRoute, GRPCRoute, + or Gateway targets + rule: '!has(self.admissionControl) || ((!has(self.targetRef) || self.targetRef.kind + in [''Gateway'', ''HTTPRoute'', ''GRPCRoute'']) && (!has(self.targetRefs) + || self.targetRefs.all(ref, ref.kind in [''Gateway'', ''HTTPRoute'', + ''GRPCRoute''])) && (!has(self.targetSelectors) || self.targetSelectors.all(sel, + sel.kind in [''Gateway'', ''HTTPRoute'', ''GRPCRoute''])))' - message: predictivePercent in preconnect policy only works with RoundRobin or Random load balancers rule: '!((has(self.connection) && has(self.connection.preconnect) && @@ -24143,13 +26200,13 @@ spec: status: {} --- -# Source: crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.20.1 name: clienttrafficpolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io 
@@ -24359,6 +26416,21 @@ spec: Deprecated: Use ProxyProtocol instead. type: boolean + grpc: + description: GRPC provides gRPC configuration on the listener. + properties: + enableWeb: + description: |- + EnableWeb configures the gRPC-web filter on the listener. + The gRPC-web filter allows clients (typically browsers) to make gRPC calls + using HTTP/1.1 or HTTP/2. + + This is enabled by default for GRPCRoute and opt-in for HTTPRoute. + In general, gRPC traffic should be handled via GRPCRoute, but there are cases where + users want to route gRPC using HTTPRoute for its richer matching capabilities. + Therefore, we enable this behavior only when it is explicitly opted in. + type: boolean + type: object headers: description: HeaderSettings provides configuration for header management. properties: @@ -24409,8 +26481,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24461,8 +26539,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string 
@@ -24568,8 +26652,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24630,8 +26720,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24682,8 +26778,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24789,8 +26891,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string 
@@ -24810,6 +26918,7 @@ spec: PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge (Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour. Defaults to false and cannot be combined with RequestID. + Deprecated: use RequestID=PreserveOrGenerate instead type: boolean requestID: @@ -24936,6 +27045,41 @@ spec: ClientTrafficPolicy invalid. type: boolean type: object + ignoredUpgradeTypes: + description: |- + IgnoredUpgradeTypes specifies a list of upgrade types for which + HTTP/1.1 Upgrade requests should be ignored by Envoy instead of being + rejected with a 403 response. When a client sends an HTTP/1.1 request + with Connection: Upgrade and an Upgrade header matching one of these + matchers, Envoy will strip the upgrade headers and process the request + as a normal HTTP/1.1 request. + + Example: To ignore TLS upgrade requests (RFC 2817), use a Prefix match with value "TLS/". + items: + description: |- + StringMatch defines how to match any strings. + This is a general purpose match condition that can be used by other EG APIs + that need to match against a string. + properties: + type: + default: Exact + description: Type specifies how to match against a string. + enum: + - Exact + - Prefix + - Suffix + - RegularExpression + type: string + value: + description: Value specifies the string value that the match + must have. + maxLength: 1024 + minLength: 1 + type: string + required: + - value + type: object + type: array preserveHeaderCase: description: |- PreserveHeaderCase defines if Envoy should preserve the letter case of headers. 
@@ -24945,6 +27089,38 @@ spec: http2: description: HTTP2 provides HTTP/2 configuration on the listener. properties: + connectionKeepalive: + description: ConnectionKeepalive configures HTTP/2 connection + keepalive using PING frames. + properties: + idleInterval: + description: IdleInterval specifies how long a connection + must be idle before a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies how often to send HTTP/2 PING + frames to keep the connection alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies how long to wait for a PING + response before considering the connection dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than interval + rule: '!has(self.timeout) || !has(self.interval) || duration(self.timeout) + < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -25197,8 +27373,86 @@ spec: additionalProperties: type: string description: MatchLabels are the set of label selectors for - identifying the targeted resource + identifying the targeted resource. type: object + namespaces: + description: |- + Namespaces determines which namespaces are considered for target selection. + + If unspecified, only targets in the same namespace as this policy are considered. + + When specified, the effective set of namespaces is always constrained to the + namespaces watched by Envoy Gateway. + + Selecting targets across namespaces requires a ReferenceGrant in the target + namespace that allows this policy kind to reference the selected target kind. + Cross-namespace targets without a matching ReferenceGrant are ignored. + properties: + from: + default: Same + description: |- + From indicates how namespaces are selected for this target selector. + + All means all namespaces watched by Envoy Gateway. + Selector means namespaces watched by Envoy Gateway that match Selector. + enum: + - Same + - All + - Selector + type: string + selector: + description: Selector selects namespaces when From is set + to Selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - from + type: object + x-kubernetes-validations: + - message: selector must be specified when from is Selector + rule: self.from != 'Selector' || has(self.selector) required: - kind type: object @@ -25301,6 +27555,8 @@ spec: description: |- Ciphers specifies the set of cipher suites supported when negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3. + For the list of supported ciphers, please refer to the Envoy documentation: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters In non-FIPS Envoy Proxy builds the default cipher list is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] @@ -25468,10 +27724,22 @@ spec: required: - refs type: object + mode: + description: |- + Mode defines how the Gateway or Listener validates client certificates. + If not specified, defaults to RequireAndVerify. + enum: + - Request + - RequireAny + - VerifyIfGiven + - RequireAndVerify + type: string optional: description: |- Optional set to true accepts connections even when a client doesn't present a certificate. Defaults to false, which rejects connections without a valid client certificate. + + Deprecated: Use Mode instead. type: boolean spkiHashes: description: |- 
@@ -25640,6 +27908,26 @@ spec: items: type: string type: array + fingerprints: + description: |- + Fingerprints specifies TLS client fingerprinting. + When specified, a JAX fingerprint derived from the client’s TLS handshake + is generated. The fingerprint can be logged in access logs or + forwarded to upstream services using request headers. + + Fingerprinting is disabled if not specified. + + Supported values are: + - JA3 + - JA4 + items: + description: TLSFingerprintType specifies the TLS client fingerprinting + mode. + enum: + - JA3 + - JA4 + type: string + type: array maxVersion: description: |- Max specifies the maximal TLS protocol version to allow @@ -26055,13 +28343,13 @@ spec: status: {} --- -# Source: crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.20.1 name: envoyextensionpolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io 
@@ -26104,6 +28392,56 @@ spec: spec: description: Spec defines the desired state of EnvoyExtensionPolicy. properties: + dynamicModule: + description: |- + DynamicModule is an ordered list of dynamic module HTTP filters + that should be added to the envoy filter chain. + Each module must be registered in the EnvoyProxy resource's dynamicModules + allowlist. + Order matters, as the filters will be loaded in the order they are + defined in this list. + items: + description: |- + DynamicModule defines a dynamic module HTTP filter to be loaded by Envoy. + The module must be registered in the EnvoyProxy resource's dynamicModules + allowlist by the infrastructure operator. + properties: + config: + description: |- + Config is the configuration for the dynamic module filter. + This is serialized as JSON and passed to the module's initialization function. + x-kubernetes-preserve-unknown-fields: true + filterName: + description: |- + FilterName identifies a specific filter implementation within the dynamic + module. A single shared library can contain multiple filter implementations. + This value is passed to the module's HTTP filter config init function to + select the appropriate implementation. + If not specified, defaults to an empty string. + maxLength: 253 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + terminalFilter: + default: false + description: |- + TerminalFilter indicates that this dynamic module handles requests without + requiring an upstream backend. The module is responsible for generating and + sending the response to downstream directly. + Defaults to false. 
+ type: boolean + required: + - name + type: object + maxItems: 16 + type: array extProc: description: |- ExtProc is an ordered list of external processing filters @@ -26361,6 +28699,45 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object connection: description: Connection includes backend connection settings. 
@@ -26535,8 +28912,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -26552,6 +28930,19 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus defines the http status + code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -26567,6 +28958,23 @@ spec: health checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -26660,9 +29068,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold defines the number - of unhealthy health checks required before a backend - host is marked unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -26692,6 +29102,12 @@ spec: passive: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime defines the base duration @@ -26737,6 +29153,8 @@ spec: description: MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -26750,6 +29168,39 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures HTTP/2 connection + keepalive using PING frames. + properties: + idleInterval: + description: IdleInterval specifies how long a connection + must be idle before a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies how often to send + HTTP/2 PING frames to keep the connection alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies how long to wait + for a PING response before considering the connection + dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than interval + rule: '!has(self.timeout) || !has(self.interval) || + duration(self.timeout) < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -26793,6 +29244,57 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint has not reported + load metrics in this long, stop using the reported + weight. Defaults to 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint weights are recalculated. + Values less than 100ms are capped at 100ms. Default + 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -26912,6 +29414,40 @@ spec: queryParams field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -26945,7 +29481,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -26965,12 +29501,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the configuration related @@ -27009,6 +29549,36 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig defines the weight + for a specific locality zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -27018,21 +29588,47 @@ spec: field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' - - message: Currently SlowStart is only supported for RoundRobin - and LeastRequest load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] ? - !has(self.slowStart) : true ' - - message: Currently ZoneAware is only supported for LeastRequest, - Random, and RoundRobin load balancers. - rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) - : true ' + - message: If LoadBalancer type is BackendUtilization, backendUtilization + field needs to be set. + rule: 'self.type == ''BackendUtilization'' ? has(self.backendUtilization) + : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, dynamicModule + field needs to be set. + rule: 'self.type == ''DynamicModule'' ? has(self.dynamicModule) + : !has(self.dynamicModule)' + - message: Currently SlowStart is only supported for RoundRobin, + LeastRequest, and BackendUtilization load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash'', ''DynamicModule''] + ? !has(self.slowStart) : true' + - message: PreferLocal zone-aware routing is not supported + for ConsistentHash load balancers. Use weightedZones + instead. + rule: 'self.type == ''ConsistentHash'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: PreferLocal zone-aware routing is not currently + supported for BackendUtilization load balancers. Only + WeightedZones can be used with BackendUtilization. + rule: 'self.type == ''BackendUtilization'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: ZoneAware routing is not supported for DynamicModule + load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.zoneAware) + : true' + - message: ZoneAware PreferLocal and WeightedZones cannot + be specified together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) + && has(self.zoneAware.weightedZones)) : true' + - message: EndpointOverride is not supported for DynamicModule + load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.endpointOverride) + : true' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with the backend. properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -27188,6 +29784,12 @@ spec: entire response is received from the upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. 
@@ -27558,8 +30160,86 @@ spec: additionalProperties: type: string description: MatchLabels are the set of label selectors for - identifying the targeted resource + identifying the targeted resource. type: object + namespaces: + description: |- + Namespaces determines which namespaces are considered for target selection. + + If unspecified, only targets in the same namespace as this policy are considered. + + When specified, the effective set of namespaces is always constrained to the + namespaces watched by Envoy Gateway. + + Selecting targets across namespaces requires a ReferenceGrant in the target + namespace that allows this policy kind to reference the selected target kind. + Cross-namespace targets without a matching ReferenceGrant are ignored. + properties: + from: + default: Same + description: |- + From indicates how namespaces are selected for this target selector. + + All means all namespaces watched by Envoy Gateway. + Selector means namespaces watched by Envoy Gateway that match Selector. + enum: + - Same + - All + - Selector + type: string + selector: + description: Selector selects namespaces when From is set + to Selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - from + type: object + x-kubernetes-validations: + - message: selector must be specified when from is Selector + rule: self.from != 'Selector' || has(self.selector) required: - kind type: object @@ -27602,13 +30282,12 @@ spec: properties: caCertificateRef: description: |- - CACertificateRef contains a references to + CACertificateRef contains a reference to Kubernetes objects that contain TLS certificates of the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the Wasm code source. - Kubernetes ConfigMap and Kubernetes Secret are supported. - Note: The ConfigMap or Secret must be in the same namespace as the EnvoyExtensionPolicy. + Kubernetes ConfigMap, Kubernetes Secret, and Kubernetes ClusterTrustBundle are supported. properties: group: default: "" @@ -27666,9 +30345,8 @@ spec: Note that the image must be accessible from the Envoy Gateway. properties: pullSecretRef: - description: |- - PullSecretRef is a reference to the secret containing the credentials to pull the image. - Only support Kubernetes Secret resource from the same namespace. + description: PullSecretRef is a reference to the secret + containing the credentials to pull the image. properties: group: default: "" 
@@ -27727,13 +30405,12 @@ spec: properties: caCertificateRef: description: |- - CACertificateRef contains a references to + CACertificateRef contains a reference to Kubernetes objects that contain TLS certificates of the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the Wasm code source. - Kubernetes ConfigMap and Kubernetes Secret are supported. - Note: The ConfigMap or Secret must be in the same namespace as the EnvoyExtensionPolicy. + Kubernetes ConfigMap, Kubernetes Secret, and Kubernetes ClusterTrustBundle are supported. properties: group: default: "" @@ -28225,13 +30902,13 @@ spec: status: {} --- -# Source: crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml +# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.20.1 name: envoypatchpolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io @@ -28738,13 +31415,13 @@ spec: status: {} --- -# Source: crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.20.1 name: envoyproxies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io 
@@ -28814,6 +31491,8 @@ spec: description: |- Ciphers specifies the set of cipher suites supported when negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3. + For the list of supported ciphers, please refer to the Envoy documentation: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters In non-FIPS Envoy Proxy builds the default cipher list is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] @@ -28883,6 +31562,26 @@ spec: items: type: string type: array + fingerprints: + description: |- + Fingerprints specifies TLS client fingerprinting. + When specified, a JAX fingerprint derived from the client’s TLS handshake + is generated. The fingerprint can be logged in access logs or + forwarded to upstream services using request headers. + + Fingerprinting is disabled if not specified. + + Supported values are: + - JA3 + - JA4 + items: + description: TLSFingerprintType specifies the TLS client fingerprinting + mode. + enum: + - JA3 + - JA4 + type: string + type: array maxVersion: description: |- Max specifies the maximal TLS protocol version to allow 
@@ -29009,6 +31708,111 @@ spec: the number of cpuset threads on the platform. format: int32 type: integer + dynamicModules: + description: |- + DynamicModules defines the set of dynamic modules that are allowed to be + used by EnvoyExtensionPolicy resources and dynamic module load balancer + policies. Each entry registers a module by a logical name and specifies + the shared library that Envoy will load. + + The EnvoyProxy owner is responsible for ensuring the module .so files are available + on the proxy container's filesystem (e.g., via init containers, custom images, + or shared volumes). + items: + description: |- + DynamicModuleEntry defines a dynamic module that is registered and allowed + for use by EnvoyExtensionPolicy resources. + properties: + doNotClose: + default: false + description: |- + DoNotClose prevents the module from being unloaded with dlclose when no + more references exist. This is useful for modules that maintain global + state that should not be destroyed on configuration updates. + Defaults to false. + type: boolean + loadGlobally: + default: false + description: |- + LoadGlobally loads the dynamic module with the RTLD_GLOBAL flag. + By default, modules are loaded with RTLD_LOCAL to avoid symbol conflicts. + Set this to true when the module needs to share symbols with other + dynamic libraries it loads. + Defaults to false. + type: boolean + name: + description: |- + Name is the logical name for this module. EnvoyExtensionPolicy resources + reference modules by this name. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + source: + description: Source defines where the dynamic module code is + loaded from. + properties: + local: + description: |- + Local specifies a module loaded from the proxy's local filesystem + by absolute path. + properties: + path: + description: Path is the absolute filesystem path to + the dynamic module shared library (.so file). 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - path + type: object + remote: + description: |- + Remote specifies a module fetched from a remote source. + The module binary is downloaded and cached by Envoy. + properties: + sha256: + description: SHA256 checksum that Envoy will use to + verify the downloaded module binary. + pattern: ^[a-f0-9]{64}$ + type: string + url: + description: URL is the HTTP or HTTPS URL of the dynamic + module shared library (.so file). + maxLength: 4096 + minLength: 1 + pattern: ^https?://[^/?#]+(?:[/?#].*)?$ + type: string + required: + - sha256 + - url + type: object + type: + default: Local + description: |- + Type is the type of the source of the dynamic module code. + Defaults to Local. + enum: + - Local + - Remote + type: string + type: object + x-kubernetes-validations: + - message: If type is Remote, remote field needs to be set. + rule: 'self.type == ''Remote'' ? has(self.remote) : !has(self.remote)' + - message: If type is Local, local field needs to be set. + rule: self.type != 'Local' || has(self.local) + - message: If type is Remote, local field must not be set. + rule: 'self.type == ''Remote'' ? !has(self.local) : true' + required: + - name + - source + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map extraArgs: description: |- ExtraArgs defines additional command line options that are provided to Envoy. @@ -29054,12 +31858,18 @@ spec: - envoy.filters.http.wasm + - envoy.filters.http.dynamic_modules + + - envoy.filters.http.geoip + - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit + - envoy.filters.http.bandwidth_limit + - envoy.filters.http.grpc_web - envoy.filters.http.grpc_stats 
@@ -29097,9 +31907,12 @@ spec: - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm + - envoy.filters.http.dynamic_modules + - envoy.filters.http.geoip - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit + - envoy.filters.http.bandwidth_limit - envoy.filters.http.grpc_web - envoy.filters.http.grpc_stats - envoy.filters.http.credential_injector @@ -29126,9 +31939,12 @@ spec: - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm + - envoy.filters.http.dynamic_modules + - envoy.filters.http.geoip - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit + - envoy.filters.http.bandwidth_limit - envoy.filters.http.grpc_web - envoy.filters.http.grpc_stats - envoy.filters.http.credential_injector @@ -29153,9 +31969,12 @@ spec: - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm + - envoy.filters.http.dynamic_modules + - envoy.filters.http.geoip - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit + - envoy.filters.http.bandwidth_limit - envoy.filters.http.grpc_web - envoy.filters.http.grpc_stats - envoy.filters.http.credential_injector 
@@ -29172,6 +31991,130 @@ spec: rule: (has(self.before) && !has(self.after)) || (!has(self.before) && has(self.after)) type: array + geoIP: + description: GeoIP defines shared GeoIP provider configuration for + this EnvoyProxy fleet. + properties: + provider: + description: Provider defines the GeoIP provider configuration + used by GeoIP filter instances. + properties: + maxMind: + description: MaxMind configures the MaxMind provider. + properties: + anonymousIpDbSource: + description: AnonymousIPDBSource configures the Anonymous + IP database source. + properties: + local: + description: Local is a database source from a local + file. + properties: + path: + description: Path is the path to the database + file. + pattern: ^.*\.mmdb$ + type: string + required: + - path + type: object + required: + - local + type: object + asnDbSource: + description: ASNDBSource configures the ASN database source. + properties: + local: + description: Local is a database source from a local + file. + properties: + path: + description: Path is the path to the database + file. + pattern: ^.*\.mmdb$ + type: string + required: + - path + type: object + required: + - local + type: object + cityDbSource: + description: CityDBSource configures the City database + source. + properties: + local: + description: Local is a database source from a local + file. + properties: + path: + description: Path is the path to the database + file. + pattern: ^.*\.mmdb$ + type: string + required: + - path + type: object + required: + - local + type: object + countryDbSource: + description: CountryDBSource configures the Country database + source. + properties: + local: + description: Local is a database source from a local + file. + properties: + path: + description: Path is the path to the database + file. + pattern: ^.*\.mmdb$ + type: string + required: + - path + type: object + required: + - local + type: object + ispDbSource: + description: ISPDBSource configures the ISP database source. 
+ properties: + local: + description: Local is a database source from a local + file. + properties: + path: + description: Path is the path to the database + file. + pattern: ^.*\.mmdb$ + type: string + required: + - path + type: object + required: + - local + type: object + type: object + x-kubernetes-validations: + - message: at least one MaxMind database source must be specified + rule: has(self.cityDbSource) || has(self.countryDbSource) + || has(self.asnDbSource) || has(self.ispDbSource) || has(self.anonymousIpDbSource) + type: + description: GeoIPProviderType enumerates GeoIP providers + supported by Envoy Gateway. + enum: + - MaxMind + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: maxMind must be set when type is MaxMind + rule: 'self.type == ''MaxMind'' ? has(self.maxMind) : true' + required: + - provider + type: object ipFamily: description: |- IPFamily specifies the IP family for the EnvoyProxy fleet. @@ -29226,6 +32169,17 @@ spec: This means that the port, protocol and hostname tuple must be unique for every listener. If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. type: boolean + mergeType: + description: |- + MergeType controls how this EnvoyProxy merges with less specific configurations + in the hierarchy (EnvoyGateway defaults < GatewayClass < Gateway). + If unset, this EnvoyProxy completely replaces less specific settings. + Note: this field has no effect when set in EnvoyGateway's default EnvoyProxySpec. + enum: + - Replace + - StrategicMerge + - JSONMerge + type: string preserveRouteOrder: description: |- PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API 
@@ -40077,6 +43031,45 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less + than or equal to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object connection: description: Connection includes backend @@ -40261,8 +43254,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -40280,6 +43274,20 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus + defines the http status + code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -40296,6 +43304,23 @@ spec: checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -40400,10 +43425,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold - defines the number of unhealthy - health checks required before - a backend host is marked unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -40440,6 +43466,12 @@ spec: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime @@ -40491,6 +43523,8 @@ spec: of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -40504,6 +43538,45 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures + HTTP/2 connection keepalive using + PING frames. + properties: + idleInterval: + description: IdleInterval specifies + how long a connection must be + idle before a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies + how often to send HTTP/2 PING + frames to keep the connection + alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies + how long to wait for a PING + response before considering + the connection dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than + interval + rule: '!has(self.timeout) || !has(self.interval) + || duration(self.timeout) < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -40547,6 +43620,60 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint + has not reported load metrics + in this long, stop using the + reported weight. Defaults to + 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint + weights are recalculated. Values + less than 100ms are capped at + 100ms. Default 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -40679,6 +43806,40 @@ spec: field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -40714,7 +43875,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -40734,12 +43895,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the @@ -40784,6 +43949,37 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig + defines the weight for a specific + locality zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -40793,16 +43989,48 @@ spec: consistentHash field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' + - message: If LoadBalancer type is BackendUtilization, + backendUtilization field needs to + be set. + rule: 'self.type == ''BackendUtilization'' + ? has(self.backendUtilization) : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, + dynamicModule field needs to be set. + rule: 'self.type == ''DynamicModule'' + ? has(self.dynamicModule) : !has(self.dynamicModule)' - message: Currently SlowStart is only - supported for RoundRobin and LeastRequest - load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] - ? !has(self.slowStart) : true ' - - message: Currently ZoneAware is only - supported for LeastRequest, Random, - and RoundRobin load balancers. + supported for RoundRobin, LeastRequest, + and BackendUtilization load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash'', + ''DynamicModule''] ? !has(self.slowStart) + : true' + - message: PreferLocal zone-aware routing + is not supported for ConsistentHash + load balancers. Use weightedZones + instead. rule: 'self.type == ''ConsistentHash'' - ? !has(self.zoneAware) : true ' + && has(self.zoneAware) ? !has(self.zoneAware.preferLocal) + : true' + - message: PreferLocal zone-aware routing + is not currently supported for BackendUtilization + load balancers. Only WeightedZones + can be used with BackendUtilization. + rule: 'self.type == ''BackendUtilization'' + && has(self.zoneAware) ? !has(self.zoneAware.preferLocal) + : true' + - message: ZoneAware routing is not supported + for DynamicModule load balancers. + rule: 'self.type == ''DynamicModule'' + ? !has(self.zoneAware) : true' + - message: ZoneAware PreferLocal and WeightedZones + cannot be specified together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) + && has(self.zoneAware.weightedZones)) + : true' + - message: EndpointOverride is not supported + for DynamicModule load balancers. + rule: 'self.type == ''DynamicModule'' + ? !has(self.endpointOverride) : true' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with @@ -40810,7 +44038,7 @@ spec: properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -40974,6 +44202,12 @@ spec: upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for 
@@ -41329,6 +44563,45 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less + than or equal to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object connection: description: Connection includes backend @@ -41513,8 +44786,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -41532,6 +44806,20 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus + defines the http status + code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -41548,6 +44836,23 @@ spec: checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -41652,10 +44957,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold - defines the number of unhealthy - health checks required before - a backend host is marked unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -41692,6 +44998,12 @@ spec: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime @@ -41743,6 +45055,8 @@ spec: of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -41756,6 +45070,45 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures + HTTP/2 connection keepalive using + PING frames. + properties: + idleInterval: + description: IdleInterval specifies + how long a connection must be + idle before a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies + how often to send HTTP/2 PING + frames to keep the connection + alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies + how long to wait for a PING + response before considering + the connection dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than + interval + rule: '!has(self.timeout) || !has(self.interval) + || duration(self.timeout) < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -41799,6 +45152,60 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint + has not reported load metrics + in this long, stop using the + reported weight. Defaults to + 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint + weights are recalculated. Values + less than 100ms are capped at + 100ms. Default 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -41931,6 +45338,40 @@ spec: field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -41966,7 +45407,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -41986,12 +45427,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the @@ -42036,6 +45481,37 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig + defines the weight for a specific + locality zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -42045,16 +45521,48 @@ spec: consistentHash field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' + - message: If LoadBalancer type is BackendUtilization, + backendUtilization field needs to + be set. + rule: 'self.type == ''BackendUtilization'' + ? has(self.backendUtilization) : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, + dynamicModule field needs to be set. + rule: 'self.type == ''DynamicModule'' + ? has(self.dynamicModule) : !has(self.dynamicModule)' - message: Currently SlowStart is only - supported for RoundRobin and LeastRequest - load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] - ? !has(self.slowStart) : true ' - - message: Currently ZoneAware is only - supported for LeastRequest, Random, - and RoundRobin load balancers. + supported for RoundRobin, LeastRequest, + and BackendUtilization load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash'', + ''DynamicModule''] ? !has(self.slowStart) + : true' + - message: PreferLocal zone-aware routing + is not supported for ConsistentHash + load balancers. Use weightedZones + instead. rule: 'self.type == ''ConsistentHash'' - ? !has(self.zoneAware) : true ' + && has(self.zoneAware) ? !has(self.zoneAware.preferLocal) + : true' + - message: PreferLocal zone-aware routing + is not currently supported for BackendUtilization + load balancers. Only WeightedZones + can be used with BackendUtilization. + rule: 'self.type == ''BackendUtilization'' + && has(self.zoneAware) ? !has(self.zoneAware.preferLocal) + : true' + - message: ZoneAware routing is not supported + for DynamicModule load balancers. + rule: 'self.type == ''DynamicModule'' + ? !has(self.zoneAware) : true' + - message: ZoneAware PreferLocal and WeightedZones + cannot be specified together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) + && has(self.zoneAware.weightedZones)) + : true' + - message: EndpointOverride is not supported + for DynamicModule load balancers. + rule: 'self.type == ''DynamicModule'' + ? !has(self.endpointOverride) : true' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with @@ -42062,7 +45570,7 @@ spec: properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -42226,6 +45734,12 @@ spec: upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for @@ -42273,8 +45787,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -42288,12 +45808,14 @@ spec: host: description: |- Host define the extension service hostname. + Deprecated: Use BackendRefs instead. type: string port: default: 4317 description: |- Port defines the port the extension service is exposed on. + Deprecated: Use BackendRefs instead. format: int32 minimum: 0 @@ -42369,6 +45891,7 @@ spec: enum: - Listener - Route + - Upstream type: string required: - sinks 
@@ -42396,6 +45919,14 @@ spec: Default: `%ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME%/rule/%ROUTE_RULE_NUMBER%` Example: `httproute/my-ns/my-route/rule/0` type: string + enableGRPCStats: + description: |- + EnableGRPCStats enables the gRPC stats filter on listeners. + This is enabled by default for GRPCRoute and opt-in for HTTPRoute. + In general, gRPC traffic should be handled via GRPCRoute, but there are cases where + users want to route gRPC using HTTPRoute for its richer matching capabilities. + Therefore, we enable this behavior only when it is explicitly opted in. + type: boolean enablePerEndpointStats: description: |- EnablePerEndpointStats enables per endpoint envoy stats metrics. 
@@ -42756,6 +46287,45 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than + or equal to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object connection: description: Connection includes backend connection @@ -42935,8 +46505,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -42953,6 +46524,19 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus defines + the http status code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -42968,6 +46552,23 @@ spec: between active health checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -43067,10 +46668,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold defines - the number of unhealthy health checks - required before a backend host is - marked unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -43103,6 +46705,12 @@ spec: passive: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime defines @@ -43151,6 +46759,8 @@ spec: the maximum percentage of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -43164,6 +46774,42 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures + HTTP/2 connection keepalive using PING + frames. + properties: + idleInterval: + description: IdleInterval specifies + how long a connection must be idle + before a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies how + often to send HTTP/2 PING frames to + keep the connection alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies how long + to wait for a PING response before + considering the connection dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than interval + rule: '!has(self.timeout) || !has(self.interval) + || duration(self.timeout) < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -43207,6 +46853,59 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint has + not reported load metrics in this + long, stop using the reported weight. + Defaults to 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint weights + are recalculated. Values less than + 100ms are capped at 100ms. Default + 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -43333,6 +47032,40 @@ spec: the queryParams field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -43367,7 +47100,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -43387,12 +47120,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the configuration @@ -43436,6 +47173,37 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig defines + the weight for a specific locality + zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -43445,22 +47213,53 @@ spec: consistentHash field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' + - message: If LoadBalancer type is BackendUtilization, + backendUtilization field needs to be set. + rule: 'self.type == ''BackendUtilization'' + ? has(self.backendUtilization) : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, + dynamicModule field needs to be set. + rule: 'self.type == ''DynamicModule'' ? has(self.dynamicModule) + : !has(self.dynamicModule)' - message: Currently SlowStart is only supported - for RoundRobin and LeastRequest load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] - ? !has(self.slowStart) : true ' - - message: Currently ZoneAware is only supported - for LeastRequest, Random, and RoundRobin + for RoundRobin, LeastRequest, and BackendUtilization load balancers. - rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) - : true ' + rule: 'self.type in [''Random'', ''ConsistentHash'', + ''DynamicModule''] ? !has(self.slowStart) + : true' + - message: PreferLocal zone-aware routing is + not supported for ConsistentHash load balancers. + Use weightedZones instead. + rule: 'self.type == ''ConsistentHash'' && + has(self.zoneAware) ? !has(self.zoneAware.preferLocal) + : true' + - message: PreferLocal zone-aware routing is + not currently supported for BackendUtilization + load balancers. Only WeightedZones can be + used with BackendUtilization. + rule: 'self.type == ''BackendUtilization'' + && has(self.zoneAware) ? !has(self.zoneAware.preferLocal) + : true' + - message: ZoneAware routing is not supported + for DynamicModule load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.zoneAware) + : true' + - message: ZoneAware PreferLocal and WeightedZones + cannot be specified together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) + && has(self.zoneAware.weightedZones)) : + true' + - message: EndpointOverride is not supported + for DynamicModule load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.endpointOverride) + : true' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with the backend. properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -43619,6 +47418,12 @@ spec: from the upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. @@ -43662,8 +47467,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -43677,12 +47488,14 @@ spec: host: description: |- Host define the service hostname. + Deprecated: Use BackendRefs instead. type: string port: default: 4317 description: |- Port defines the port the service is exposed on. + Deprecated: Use BackendRefs instead. format: int32 maximum: 65535 
@@ -44084,6 +47897,45 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or + equal to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object connection: description: Connection includes backend connection @@ -44262,8 +48114,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -44280,6 +48133,19 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus defines the + http status code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -44295,6 +48161,23 @@ spec: active health checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -44394,9 +48277,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold defines the - number of unhealthy health checks required - before a backend host is marked unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -44429,6 +48314,12 @@ spec: passive: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime defines the @@ -44477,6 +48368,8 @@ spec: percentage of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -44490,6 +48383,41 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures HTTP/2 + connection keepalive using PING frames. + properties: + idleInterval: + description: IdleInterval specifies how long + a connection must be idle before a PING + is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies how often + to send HTTP/2 PING frames to keep the connection + alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies how long to + wait for a PING response before considering + the connection dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than interval + rule: '!has(self.timeout) || !has(self.interval) + || duration(self.timeout) < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -44533,6 +48461,57 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint has not reported + load metrics in this long, stop using the + reported weight. Defaults to 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint weights are + recalculated. Values less than 100ms are + capped at 100ms. Default 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -44655,6 +48634,40 @@ spec: the queryParams field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -44689,7 +48702,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -44709,12 +48722,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the configuration @@ -44756,6 +48773,36 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig defines + the weight for a specific locality zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -44765,21 +48812,48 @@ spec: consistentHash field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' + - message: If LoadBalancer type is BackendUtilization, + backendUtilization field needs to be set. + rule: 'self.type == ''BackendUtilization'' ? has(self.backendUtilization) + : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, + dynamicModule field needs to be set. + rule: 'self.type == ''DynamicModule'' ? has(self.dynamicModule) + : !has(self.dynamicModule)' - message: Currently SlowStart is only supported for - RoundRobin and LeastRequest load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] - ? !has(self.slowStart) : true ' - - message: Currently ZoneAware is only supported for - LeastRequest, Random, and RoundRobin load balancers. - rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) - : true ' + RoundRobin, LeastRequest, and BackendUtilization + load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash'', + ''DynamicModule''] ? !has(self.slowStart) : true' + - message: PreferLocal zone-aware routing is not supported + for ConsistentHash load balancers. Use weightedZones + instead. + rule: 'self.type == ''ConsistentHash'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: PreferLocal zone-aware routing is not currently + supported for BackendUtilization load balancers. + Only WeightedZones can be used with BackendUtilization. + rule: 'self.type == ''BackendUtilization'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: ZoneAware routing is not supported for + DynamicModule load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.zoneAware) + : true' + - message: ZoneAware PreferLocal and WeightedZones + cannot be specified together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) + && has(self.zoneAware.weightedZones)) : true' + - message: EndpointOverride is not supported for DynamicModule + load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.endpointOverride) + : true' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with the backend. properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -44937,6 +49011,12 @@ spec: upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. @@ -44960,6 +49040,7 @@ spec: host: description: |- Host define the provider service hostname. + Deprecated: Use BackendRefs instead. type: string openTelemetry: @@ -44989,8 +49070,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string 
@@ -45008,11 +49095,56 @@ spec: ResourceAttributes is a set of labels that describe the source of traces. It's recommended to follow semantic conventions: https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/ type: object + sampler: + description: Sampler controls whether spans are exported. + properties: + samplingPercentage: + description: |- + SamplingPercentage controls the percentage of traces to sample. + Defaults to 100% when not set. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + type: + default: AlwaysOn + description: Type is the sampler type. + enum: + - AlwaysOn + - AlwaysOff + - TraceIdRatio + - ParentBasedAlwaysOn + - ParentBasedAlwaysOff + - ParentBasedTraceIdRatio + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: samplingPercentage can only be set with + TraceIdRatio or ParentBasedTraceIdRatio + rule: 'has(self.samplingPercentage) ? (self.type + == ''TraceIdRatio'' || self.type == ''ParentBasedTraceIdRatio'') + : true' type: object port: default: 4317 description: |- Port defines the port the provider service is exposed on. + Deprecated: Use BackendRefs instead. format: int32 minimum: 0 @@ -45367,13 +49499,13 @@ spec: status: {} --- -# Source: crds/generated/gateway.envoyproxy.io_httproutefilters.yaml +# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.20.1 name: httproutefilters.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io 
@@ -45436,7 +49568,6 @@ spec: "credential", and the value should be the credential to be injected. For example, for basic authentication, the value should be "Basic ". for bearer token, the value should be "Bearer ". - Note: The secret must be in the same namespace as the HTTPRouteFilter. properties: group: default: "" @@ -45498,7 +49629,9 @@ spec: return a fixed response. properties: body: - description: Body of the direct response. + description: |- + Body of the direct response. + Supports Envoy command operators for dynamic content (see https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators). properties: inline: description: Inline contains the value as an inline string. @@ -45606,8 +49739,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -45680,8 +49819,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string 
@@ -45756,6 +49901,12 @@ spec: description: HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host properties: + appendXForwardedHost: + description: |- + AppendXForwardedHost controls whether the original Host header value is + appended to the X-Forwarded-Host header when hostname rewriting is configured. + Defaults to true for backward compatibility. + type: boolean hostname: description: |- Hostname is the value to be used to replace the Host header value during @@ -45844,13 +49995,13 @@ spec: subresources: {} --- -# Source: crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.20.1 name: securitypolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io 
@@ -46118,6 +50269,91 @@ spec: type: string minItems: 1 type: array + clientIPGeoLocations: + description: |- + ClientIPGeoLocations authorizes the request based on geolocation metadata derived from the client IP. + This field is supported for HTTPRoute and GRPCRoute authorization. + It is not supported for TCPRoute targets. + + If multiple entries are specified, one of the ClientIPGeoLocation entries must match for the rule to match. + + The client IP is inferred from the X-Forwarded-For header or a custom header. + You can use the `ClientIPDetection` field in the `ClientTrafficPolicy` to configure the client IP detection. + items: + description: ClientIPGeoLocation specifies geolocation-based + match criteria for authorization. + properties: + anonymous: + description: Anonymous matches anonymous network + detection signals. + properties: + isAnonymous: + description: IsAnonymous matches whether the + client IP is considered anonymous. + type: boolean + isHosting: + description: IsHosting matches whether the + client IP belongs to a hosting provider. + type: boolean + isProxy: + description: IsProxy matches whether the client + IP belongs to a public proxy. + type: boolean + isTor: + description: IsTor matches whether the client + IP belongs to a Tor exit node. + type: boolean + isVPN: + description: IsVPN matches whether the client + IP is detected as VPN. + type: boolean + type: object + x-kubernetes-validations: + - message: at least one of isAnonymous, isVPN, + isHosting, isTor, or isProxy must be specified + rule: has(self.isAnonymous) || has(self.isVPN) + || has(self.isHosting) || has(self.isTor) + || has(self.isProxy) + asn: + description: ASN is the autonomous system number + associated with the client IP. + format: int32 + minimum: 1 + type: integer + city: + description: City is the city associated with + the client IP. 
+ maxLength: 128 + minLength: 1 + type: string + country: + description: Country is the country ISO code associated + with the client IP. + maxLength: 2 + minLength: 2 + pattern: ^[A-Za-z]{2}$ + type: string + isp: + description: ISP is the internet service provider + associated with the client IP. + maxLength: 256 + minLength: 1 + type: string + region: + description: Region is the region ISO code associated + with the client IP. + maxLength: 16 + minLength: 1 + pattern: ^[A-Za-z0-9-]+$ + type: string + type: object + x-kubernetes-validations: + - message: at least one of country, region, city, + asn, isp, or anonymous must be specified + rule: has(self.country) || has(self.region) || has(self.city) + || has(self.asn) || has(self.isp) || has(self.anonymous) + minItems: 1 + type: array headers: description: |- Headers authorize the request based on user identity extracted from custom headers. 
@@ -46235,34 +50471,12 @@ spec: - message: at least one of claims or scopes must be specified rule: (has(self.claims) || has(self.scopes)) - sourceCIDRs: - description: |- - SourceCIDRs are the IP CIDR ranges of the source (L4 peer IP). - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - - If multiple CIDR ranges are specified, one of the CIDR ranges must match - the source IP for the rule to match. - - The source IP is the IP address of the peer that connected to Envoy. - This IP is obtained from the TCP connection's peer address and is not - affected by X-Forwarded-For or other IP detection headers. - If intermediaries (load balancers, NAT) terminate or proxy TCP, - the original client IP will only be available if the intermediary - preserves the source address (for example by enabling the PROXY protocol - or avoiding SNAT). - items: - description: |- - CIDR defines a CIDR Address range. - A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". 
- pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) - type: string - minItems: 1 - type: array type: object x-kubernetes-validations: - - message: at least one of clientCIDRs, jwt, or headers - must be specified - rule: (has(self.clientCIDRs) || has(self.jwt) || has(self.headers)) + - message: at least one of clientCIDRs, jwt, headers, or + clientIPGeoLocations must be specified + rule: (has(self.clientCIDRs) || has(self.jwt) || has(self.headers) + || has(self.clientIPGeoLocations)) required: - action - principal @@ -46292,8 +50506,6 @@ spec: Right now, only SHA hash algorithm is supported. Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html for more details. - - Note: The secret must be in the same namespace as the SecurityPolicy. properties: group: default: "" 
@@ -46766,6 +50978,45 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object connection: description: Connection includes backend connection settings. @@ -46940,8 +51191,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -46957,6 +51209,19 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus defines the http + status code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -46972,6 +51237,23 @@ spec: active health checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -47065,9 +51347,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold defines the number - of unhealthy health checks required before a - backend host is marked unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -47099,6 +51383,12 @@ spec: passive: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime defines the base @@ -47146,6 +51436,8 @@ spec: percentage of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -47159,6 +51451,39 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures HTTP/2 + connection keepalive using PING frames. + properties: + idleInterval: + description: IdleInterval specifies how long a + connection must be idle before a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies how often to send + HTTP/2 PING frames to keep the connection alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies how long to wait + for a PING response before considering the connection + dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than interval + rule: '!has(self.timeout) || !has(self.interval) + || duration(self.timeout) < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -47202,6 +51527,57 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint has not reported + load metrics in this long, stop using the reported + weight. Defaults to 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint weights are recalculated. + Values less than 100ms are capped at 100ms. + Default 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -47323,6 +51699,40 @@ spec: the queryParams field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -47356,7 +51766,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -47376,12 +51786,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the configuration related @@ -47422,6 +51836,36 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig defines the + weight for a specific locality zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -47431,21 +51875,47 @@ spec: field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' - - message: Currently SlowStart is only supported for RoundRobin - and LeastRequest load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] - ? !has(self.slowStart) : true ' - - message: Currently ZoneAware is only supported for LeastRequest, - Random, and RoundRobin load balancers. - rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) - : true ' + - message: If LoadBalancer type is BackendUtilization, + backendUtilization field needs to be set. + rule: 'self.type == ''BackendUtilization'' ? has(self.backendUtilization) + : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, dynamicModule + field needs to be set. + rule: 'self.type == ''DynamicModule'' ? has(self.dynamicModule) + : !has(self.dynamicModule)' + - message: Currently SlowStart is only supported for RoundRobin, + LeastRequest, and BackendUtilization load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash'', + ''DynamicModule''] ? !has(self.slowStart) : true' + - message: PreferLocal zone-aware routing is not supported + for ConsistentHash load balancers. Use weightedZones + instead. + rule: 'self.type == ''ConsistentHash'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: PreferLocal zone-aware routing is not currently + supported for BackendUtilization load balancers. Only + WeightedZones can be used with BackendUtilization. + rule: 'self.type == ''BackendUtilization'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: ZoneAware routing is not supported for DynamicModule + load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.zoneAware) + : true' + - message: ZoneAware PreferLocal and WeightedZones cannot + be specified together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) + && has(self.zoneAware.weightedZones)) : true' + - message: EndpointOverride is not supported for DynamicModule + load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.endpointOverride) + : true' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with the backend. properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -47602,6 +52072,12 @@ spec: which entire response is received from the upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. 
@@ -47906,6 +52382,45 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object connection: description: Connection includes backend connection settings. @@ -48080,8 +52595,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -48097,6 +52613,19 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus defines the http + status code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -48112,6 +52641,23 @@ spec: active health checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -48205,9 +52751,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold defines the number - of unhealthy health checks required before a - backend host is marked unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -48239,6 +52787,12 @@ spec: passive: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime defines the base @@ -48286,6 +52840,8 @@ spec: percentage of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -48299,6 +52855,39 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures HTTP/2 + connection keepalive using PING frames. + properties: + idleInterval: + description: IdleInterval specifies how long a + connection must be idle before a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies how often to send + HTTP/2 PING frames to keep the connection alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies how long to wait + for a PING response before considering the connection + dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than interval + rule: '!has(self.timeout) || !has(self.interval) + || duration(self.timeout) < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -48342,6 +52931,57 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint has not reported + load metrics in this long, stop using the reported + weight. Defaults to 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint weights are recalculated. + Values less than 100ms are capped at 100ms. + Default 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -48463,6 +53103,40 @@ spec: the queryParams field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -48496,7 +53170,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -48516,12 +53190,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the configuration related @@ -48562,6 +53240,36 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig defines the + weight for a specific locality zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -48571,21 +53279,47 @@ spec: field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' - - message: Currently SlowStart is only supported for RoundRobin - and LeastRequest load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] - ? !has(self.slowStart) : true ' - - message: Currently ZoneAware is only supported for LeastRequest, - Random, and RoundRobin load balancers. - rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) - : true ' + - message: If LoadBalancer type is BackendUtilization, + backendUtilization field needs to be set. + rule: 'self.type == ''BackendUtilization'' ? has(self.backendUtilization) + : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, dynamicModule + field needs to be set. + rule: 'self.type == ''DynamicModule'' ? has(self.dynamicModule) + : !has(self.dynamicModule)' + - message: Currently SlowStart is only supported for RoundRobin, + LeastRequest, and BackendUtilization load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash'', + ''DynamicModule''] ? !has(self.slowStart) : true' + - message: PreferLocal zone-aware routing is not supported + for ConsistentHash load balancers. Use weightedZones + instead. + rule: 'self.type == ''ConsistentHash'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: PreferLocal zone-aware routing is not currently + supported for BackendUtilization load balancers. Only + WeightedZones can be used with BackendUtilization. + rule: 'self.type == ''BackendUtilization'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: ZoneAware routing is not supported for DynamicModule + load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.zoneAware) + : true' + - message: ZoneAware PreferLocal and WeightedZones cannot + be specified together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) + && has(self.zoneAware.weightedZones)) : true' + - message: EndpointOverride is not supported for DynamicModule + load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.endpointOverride) + : true' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with the backend. properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -48742,6 +53476,12 @@ spec: which entire response is received from the upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. @@ -48782,6 +53522,15 @@ spec: For example, if the original request path is "/hello", and the path specified here is "/auth", then the path of the authorization request will be "/auth/hello". If the path is not specified, the path of the authorization request will be "/hello". + Only one of Path or PathOverride can be set. + type: string + pathOverride: + description: |- + PathOverride replaces the original request path in the authorization request. + If set, the path will be overridden to this value during authorization. + For example, if the original request path is "/hello", and PathOverride is set to "/auth", + then the path of the authorization request will be "/auth". + Only one of Path or PathOverride can be set. type: string type: object x-kubernetes-validations: 
@@ -48797,6 +53546,30 @@ spec: rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group == "" || f.group == ''multicluster.x-k8s.io'' || f.group == ''gateway.envoyproxy.io'')) : true' + - message: only one of path or pathOverride can be specified + rule: '!(has(self.path) && has(self.pathOverride))' + includeRouteMetadata: + description: |- + IncludeRouteMetadata sends Envoy Gateway's built-in route metadata to the + external authorization service as context. + + This includes Envoy Gateway's built-in metadata for the selected route in + the "envoy-gateway" metadata namespace. + + The metadata is exposed under the "resources" field as a list of route + resource objects. For example: + + envoy-gateway: + resources: + - kind: HTTPRoute + name: backend + namespace: default + annotations: + foo: bar + + The resource object may include fields such as kind, namespace, name, + sectionName, and supported route annotations. + type: boolean recomputeRoute: description: |- RecomputeRoute clears the route cache and recalculates the routing decision. @@ -48804,6 +53577,51 @@ spec: route matching decisions. If the recomputation selects a new route, features targeting the new matched route will be applied. type: boolean + statusOnError: + description: |- + Sets the HTTP status that is returned when the authorization service returns an error + or cannot be reached. Defaults to 403 Forbidden. + Only 4xx and 5xx status codes are supported. + enum: + - 400 + - 401 + - 402 + - 403 + - 404 + - 405 + - 406 + - 407 + - 408 + - 409 + - 410 + - 411 + - 412 + - 413 + - 414 + - 415 + - 416 + - 417 + - 421 + - 422 + - 423 + - 424 + - 426 + - 428 + - 429 + - 431 + - 500 + - 501 + - 502 + - 503 + - 504 + - 505 + - 506 + - 507 + - 508 + - 510 + - 511 + format: int32 + type: integer timeout: description: |- Timeout defines the timeout for requests to the external authorization service. 
@@ -49243,6 +54061,45 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or + equal to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object connection: description: Connection includes backend connection @@ -49421,8 +54278,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -49439,6 +54297,19 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus defines the + http status code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -49454,6 +54325,23 @@ spec: active health checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -49553,10 +54441,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold defines - the number of unhealthy health checks - required before a backend host is marked - unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -49589,6 +54478,12 @@ spec: passive: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime defines the @@ -49637,6 +54532,8 @@ spec: maximum percentage of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -49650,6 +54547,41 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures + HTTP/2 connection keepalive using PING frames. + properties: + idleInterval: + description: IdleInterval specifies how + long a connection must be idle before + a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies how often + to send HTTP/2 PING frames to keep the + connection alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies how long + to wait for a PING response before considering + the connection dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than interval + rule: '!has(self.timeout) || !has(self.interval) + || duration(self.timeout) < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -49693,6 +54625,58 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint has not + reported load metrics in this long, stop + using the reported weight. Defaults to + 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint weights + are recalculated. Values less than 100ms + are capped at 100ms. Default 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -49816,6 +54800,40 @@ spec: the queryParams field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -49850,7 +54868,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -49870,12 +54888,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the configuration @@ -49917,6 +54939,36 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig defines + the weight for a specific locality zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -49926,22 +54978,51 @@ spec: consistentHash field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' + - message: If LoadBalancer type is BackendUtilization, + backendUtilization field needs to be set. + rule: 'self.type == ''BackendUtilization'' ? has(self.backendUtilization) + : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, + dynamicModule field needs to be set. + rule: 'self.type == ''DynamicModule'' ? has(self.dynamicModule) + : !has(self.dynamicModule)' - message: Currently SlowStart is only supported - for RoundRobin and LeastRequest load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] - ? !has(self.slowStart) : true ' - - message: Currently ZoneAware is only supported - for LeastRequest, Random, and RoundRobin load - balancers. - rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) - : true ' + for RoundRobin, LeastRequest, and BackendUtilization + load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash'', + ''DynamicModule''] ? !has(self.slowStart) : + true' + - message: PreferLocal zone-aware routing is not + supported for ConsistentHash load balancers. + Use weightedZones instead. + rule: 'self.type == ''ConsistentHash'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: PreferLocal zone-aware routing is not + currently supported for BackendUtilization load + balancers. Only WeightedZones can be used with + BackendUtilization. + rule: 'self.type == ''BackendUtilization'' && + has(self.zoneAware) ? !has(self.zoneAware.preferLocal) + : true' + - message: ZoneAware routing is not supported for + DynamicModule load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.zoneAware) + : true' + - message: ZoneAware PreferLocal and WeightedZones + cannot be specified together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) + && has(self.zoneAware.weightedZones)) : true' + - message: EndpointOverride is not supported for + DynamicModule load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.endpointOverride) + : true' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with the backend. properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -50099,6 +55180,12 @@ spec: from the upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. @@ -50157,12 +55244,23 @@ spec: rule: has(self.remoteJWKS) || has(self.localJWKS) - message: remoteJWKS and localJWKS cannot both be specified. rule: '!(has(self.remoteJWKS) && has(self.localJWKS))' - maxItems: 4 + maxItems: 16 minItems: 1 type: array required: - providers type: object + mergeType: + description: |- + MergeType determines how this configuration is merged with existing SecurityPolicy + configurations targeting a parent resource. When set, this configuration will be merged + into a parent SecurityPolicy (i.e. the one targeting a Gateway or Listener). + This field cannot be set when targeting a parent resource (Gateway). + If unset, no merging occurs, and only the most specific configuration takes effect. + type: string + x-kubernetes-validations: + - message: Replace is not a valid MergeType for SecurityPolicy + rule: self != 'Replace' oidc: description: OIDC defines the configuration for the OpenID Connect (OIDC) authentication. 
@@ -50393,6 +55491,22 @@ spec: via the Authorization header Bearer scheme to the upstream. If not specified, defaults to false. type: boolean + forwardIDToken: + description: |- + ForwardIDToken configures forwarding of the OIDC ID token to the upstream. + + If the configured header is "Authorization", EG forwards the ID token using + the "Bearer " prefix. For any other header, EG forwards the raw token value. + If not specified, the ID token will not be forwarded. + properties: + header: + description: Header is the upstream request header that will + carry the ID token. + minLength: 1 + type: string + required: + - header + type: object logoutPath: description: |- The path to log a user out, clearing their credential cookies. 
@@ -50666,6 +55780,45 @@ spec: minimum: 0 type: integer type: object + retryBudget: + description: |- + RetryBudget provides settings for retry budget, which limits the number of retries in a given percentage. + RetryBudget take precedence over maxParallelRetries. + properties: + minRetryConcurrency: + description: |- + MinRetryConcurrency specifies the minimum retry concurrency allowed for the retry budget. + For example, a budget of 20% with a minimum retry concurrency of 3 + will allow 5 active retries while there are 25 active requests. + If there are 2 active requests, there are still 3 active retries + allowed because of the minimum retry concurrency. + Defaults to 3. + format: int32 + type: integer + percent: + description: |- + Percent specifies the limit on concurrent retries as a percentage [0, 100] of + the sum of active requests and active pending requests. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + required: + - percent + type: object type: object connection: description: Connection includes backend connection settings. @@ -50840,8 +55993,9 @@ spec: type: array hostname: description: |- - Hostname defines the HTTP host that will be requested during health checking. - Default: HTTPRoute or GRPCRoute hostname. + Hostname defines the HTTP Host header used for active HTTP health checks. + Host selection uses this order: this field, the associated Backend endpoint + hostname if available, then the effective Route hostname. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -50857,6 +56011,19 @@ spec: maxLength: 1024 minLength: 1 type: string + retriableStatuses: + description: |- + RetriableStatuses defines a list of HTTP response statuses considered retriable. + Responses matching these statuses count towards the unhealthy threshold but + do not result in the host being considered immediately unhealthy. + The expected statuses take precedence for any range overlaps with this field. + items: + description: HTTPStatus defines the http + status code. + maximum: 599 + minimum: 100 + type: integer + type: array required: - path type: object @@ -50872,6 +56039,23 @@ spec: active health checks. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + overrides: + description: |- + Overrides defines the configuration of the overriding health check settings for all endpoints + in the backend cluster. This allows customization of port and other settings that may differ + from the main service configuration. + properties: + port: + description: |- + Port overrides the health check port. + If not set, the endpoint's serving port is used for health checks. + This is useful when health checks are served on a different port than + the main service port (e.g., port 443 for service, port 9090 for health checks). + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object tcp: description: |- TCP defines the configuration of tcp health checker. 
@@ -50965,9 +56149,11 @@ spec: type: string unhealthyThreshold: default: 3 - description: UnhealthyThreshold defines the number - of unhealthy health checks required before a - backend host is marked unhealthy. + description: |- + UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. + Without RetriableStatuses configured, any health check failure results in the host being immediately + considered unhealthy. When RetriableStatuses is set, health checks returning those statuses are retried + up to this threshold before the host is marked unhealthy. format: int32 minimum: 1 type: integer @@ -50999,6 +56185,12 @@ spec: passive: description: Passive passive check configuration properties: + alwaysEjectOneEndpoint: + default: false + description: |- + AlwaysEjectOneEndpoint defines whether at least one host should be ejected, + regardless of MaxEjectionPercent. + type: boolean baseEjectionTime: default: 30s description: BaseEjectionTime defines the base @@ -51046,6 +56238,8 @@ spec: percentage of hosts in a cluster that can be ejected. format: int32 + maximum: 100 + minimum: 0 type: integer splitExternalLocalOriginErrors: default: false 
@@ -51059,6 +56253,39 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: + connectionKeepalive: + description: ConnectionKeepalive configures HTTP/2 + connection keepalive using PING frames. + properties: + idleInterval: + description: IdleInterval specifies how long a + connection must be idle before a PING is sent. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: Interval specifies how often to send + HTTP/2 PING frames to keep the connection alive. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + intervalJitter: + description: |- + IntervalJitter specifies a random jitter percentage added to each interval. + Defaults to 15% if not specified. + format: int32 + maximum: 100 + minimum: 0 + type: integer + timeout: + description: Timeout specifies how long to wait + for a PING response before considering the connection + dead. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: timeout must be less than interval + rule: '!has(self.timeout) || !has(self.interval) + || duration(self.timeout) < duration(self.interval)' initialConnectionWindowSize: allOf: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
@@ -51102,6 +56329,57 @@ spec: LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`. properties: + backendUtilization: + description: |- + BackendUtilization defines the configuration when the load balancer type is + set to BackendUtilization. + properties: + blackoutPeriod: + description: |- + A given endpoint must report load metrics continuously for at least this long before the endpoint weight will be used. + Default is 10s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + errorUtilizationPenaltyPercent: + description: |- + ErrorUtilizationPenaltyPercent adjusts endpoint weights based on the error rate (eps/qps). + This is expressed as a percentage-based integer where 100 represents 1.0, 150 represents 1.5, etc. + + For example: + - 100 => 1.0x + - 120 => 1.2x + - 200 => 2.0x + + Must be non-negative. + format: int32 + minimum: 0 + type: integer + keepResponseHeaders: + default: false + description: |- + KeepResponseHeaders keeps the ORCA load report headers/trailers before sending the response to the client. + Defaults to false. + type: boolean + metricNamesForComputingUtilization: + description: |- + Metric names used to compute utilization if application_utilization is not set. + For map fields in ORCA proto, use the form ".", e.g., "named_metrics.foo". + items: + type: string + type: array + weightExpirationPeriod: + description: If a given endpoint has not reported + load metrics in this long, stop using the reported + weight. Defaults to 3m. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + weightUpdatePeriod: + description: How often endpoint weights are recalculated. + Values less than 100ms are capped at 100ms. + Default 1s. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object consistentHash: description: |- ConsistentHash defines the configuration when the load balancer type is 
@@ -51223,6 +56501,40 @@ spec: the queryParams field must be set. rule: 'self.type == ''QueryParams'' ? has(self.queryParams) : !has(self.queryParams)' + dynamicModule: + description: |- + DynamicModule defines the configuration when the load balancer type is + set to DynamicModule. The referenced module must be registered in the + EnvoyProxy resource's dynamicModules allowlist. + properties: + config: + description: |- + Config is optional configuration for the module's load balancer + implementation. This is serialized and passed to the module's + initialization function. + x-kubernetes-preserve-unknown-fields: true + lbPolicyName: + description: |- + LBPolicyName identifies a specific load balancer implementation within + the dynamic module. A single shared library can contain multiple LB + policy implementations. This value is passed to the module's + initialization function to select the appropriate implementation. + maxLength: 253 + minLength: 1 + type: string + name: + description: |- + Name references a dynamic module registered in the EnvoyProxy resource's + dynamicModules list. The referenced module must exist in the registry; + otherwise, the policy will be rejected. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ + type: string + required: + - lbPolicyName + - name + type: object endpointOverride: description: |- EndpointOverride defines the configuration for endpoint override. @@ -51256,7 +56568,7 @@ spec: description: |- SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. - Currently this is only supported for RoundRobin and LeastRequest load balancers + Supported for RoundRobin, LeastRequest, and BackendUtilization load balancers. properties: window: description: |- 
@@ -51276,12 +56588,16 @@ spec: "ConsistentHash", "LeastRequest", "Random", - "RoundRobin". + "RoundRobin", + "BackendUtilization", + "DynamicModule". enum: - ConsistentHash - LeastRequest - Random - RoundRobin + - BackendUtilization + - DynamicModule type: string zoneAware: description: ZoneAware defines the configuration related @@ -51322,6 +56638,36 @@ spec: minimum: 0 type: integer type: object + weightedZones: + description: |- + WeightedZones configures weight-based traffic distribution across locality zones. + Traffic is distributed proportionally based on the sum of all zone weights. + items: + description: WeightedZoneConfig defines the + weight for a specific locality zone. + properties: + weight: + description: |- + Weight defines the weight for this locality. + Higher values receive more traffic. The actual traffic distribution + is proportional to this value relative to other localities. + format: int32 + type: integer + zone: + description: |- + Zone specifies the topology zone this weight applies to. + The value should match the topology.kubernetes.io/zone label + of the nodes where endpoints are running. + Zones not listed in the configuration receive a default weight of 1. + type: string + required: + - weight + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - zone + x-kubernetes-list-type: map type: object required: - type 
@@ -51331,21 +56677,47 @@ spec: field needs to be set. rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) : !has(self.consistentHash)' - - message: Currently SlowStart is only supported for RoundRobin - and LeastRequest load balancers. - rule: 'self.type in [''Random'', ''ConsistentHash''] - ? !has(self.slowStart) : true ' - - message: Currently ZoneAware is only supported for LeastRequest, - Random, and RoundRobin load balancers. - rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) - : true ' + - message: If LoadBalancer type is BackendUtilization, + backendUtilization field needs to be set. + rule: 'self.type == ''BackendUtilization'' ? has(self.backendUtilization) + : !has(self.backendUtilization)' + - message: If LoadBalancer type is DynamicModule, dynamicModule + field needs to be set. + rule: 'self.type == ''DynamicModule'' ? has(self.dynamicModule) + : !has(self.dynamicModule)' + - message: Currently SlowStart is only supported for RoundRobin, + LeastRequest, and BackendUtilization load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash'', + ''DynamicModule''] ? !has(self.slowStart) : true' + - message: PreferLocal zone-aware routing is not supported + for ConsistentHash load balancers. Use weightedZones + instead. + rule: 'self.type == ''ConsistentHash'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: PreferLocal zone-aware routing is not currently + supported for BackendUtilization load balancers. Only + WeightedZones can be used with BackendUtilization. + rule: 'self.type == ''BackendUtilization'' && has(self.zoneAware) + ? !has(self.zoneAware.preferLocal) : true' + - message: ZoneAware routing is not supported for DynamicModule + load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.zoneAware) + : true' + - message: ZoneAware PreferLocal and WeightedZones cannot + be specified together. + rule: 'has(self.zoneAware) ? 
!(has(self.zoneAware.preferLocal) + && has(self.zoneAware.weightedZones)) : true' + - message: EndpointOverride is not supported for DynamicModule + load balancers. + rule: 'self.type == ''DynamicModule'' ? !has(self.endpointOverride) + : true' proxyProtocol: description: ProxyProtocol enables the Proxy Protocol when communicating with the backend. properties: version: description: |- - Version of ProxyProtol + Version of ProxyProtocol Valid ProxyProtocolVersion values are "V1" "V2" @@ -51502,6 +56874,12 @@ spec: which entire response is received from the upstream. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + streamIdleTimeout: + description: |2- + The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. + If not specified, StreamIdleTimeout is inherited from the listener-level setting, which can be configured via ClientTrafficPolicy. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. @@ -51594,6 +56972,11 @@ spec: - message: only one of clientID or clientIDRef must be set rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID) && has(self.clientIDRef)) + - message: forwardAccessToken cannot be true when forwardIDToken.header + is Authorization + rule: '!(has(self.forwardAccessToken) && self.forwardAccessToken + && has(self.forwardIDToken) && self.forwardIDToken.header.lowerAscii() + == ''authorization'')' targetRef: description: |- TargetRef is the name of the resource this policy is being attached to. 
@@ -51750,8 +57133,86 @@ spec: additionalProperties: type: string description: MatchLabels are the set of label selectors for - identifying the targeted resource + identifying the targeted resource. + type: object + namespaces: + description: |- + Namespaces determines which namespaces are considered for target selection. + + If unspecified, only targets in the same namespace as this policy are considered. + + When specified, the effective set of namespaces is always constrained to the + namespaces watched by Envoy Gateway. + + Selecting targets across namespaces requires a ReferenceGrant in the target + namespace that allows this policy kind to reference the selected target kind. + Cross-namespace targets without a matching ReferenceGrant are ignored. + properties: + from: + default: Same + description: |- + From indicates how namespaces are selected for this target selector. + + All means all namespaces watched by Envoy Gateway. + Selector means namespaces watched by Envoy Gateway that match Selector. + enum: + - Same + - All + - Selector + type: string + selector: + description: Selector selects namespaces when From is set + to Selector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - from type: object + x-kubernetes-validations: + - message: selector must be specified when from is Selector + rule: self.from != 'Selector' || has(self.selector) required: - kind type: object @@ -52124,12 +57585,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: envoy-gateway - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm --- # Source: gateway-helm/templates/envoy-gateway-config.yaml @@ -52137,12 +57598,12 @@ apiVersion: v1 kind: ConfigMap metadata: name: envoy-gateway-config - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm data: envoy-gateway.yaml: | @@ -52158,7 +57619,7 @@ data: kubernetes: rateLimitDeployment: container: - image: docker.io/envoyproxy/ratelimit:05c08d03 + image: docker.io/envoyproxy/ratelimit:ff287602 patch: type: StrategicMerge value: 
@@ -52169,7 +57630,7 @@ data: - imagePullPolicy: IfNotPresent name: envoy-ratelimit shutdownManager: - image: docker.io/envoyproxy/gateway:v1.7.2 + image: docker.io/envoyproxy/gateway:v1.8.0 type: Kubernetes --- # Source: gateway-helm/templates/envoy-gateway-rbac.yaml @@ -52178,6 +57639,12 @@ kind: ClusterRole metadata: creationTimestamp: null name: tigera-gateway-api-gateway-helm-envoy-gateway-role + labels: + helm.sh/chart: gateway-helm-v1.8.0 + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: tigera-gateway-api + app.kubernetes.io/version: "v1.8.0" + app.kubernetes.io/managed-by: Helm rules: - apiGroups: - "" @@ -52269,6 +57736,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -52284,6 +57752,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -52292,20 +57761,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: @@ -52323,6 +57778,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: tigera-gateway-api-gateway-helm-envoy-gateway-rolebinding + labels: + helm.sh/chart: gateway-helm-v1.8.0 + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: tigera-gateway-api + app.kubernetes.io/version: "v1.8.0" + app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
@@ -52330,19 +57791,19 @@ roleRef: subjects: - kind: ServiceAccount name: 'envoy-gateway' - namespace: 'tigera-gateway' + namespace: tigera-gateway --- # Source: gateway-helm/templates/infra-manager-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: tigera-gateway-api-gateway-helm-infra-manager - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -52358,6 +57819,7 @@ rules: - delete - deletecollection - patch + - watch - apiGroups: - apps resources: @@ -52366,9 +57828,11 @@ rules: verbs: - create - get + - list - delete - deletecollection - patch + - watch - apiGroups: - autoscaling - policy @@ -52382,6 +57846,7 @@ rules: - delete - deletecollection - patch + - watch - apiGroups: - certificates.k8s.io resources: @@ -52396,12 +57861,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: tigera-gateway-api-gateway-helm-leader-election-role - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -52441,12 +57906,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tigera-gateway-api-gateway-helm-infra-manager - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -52455,19 +57920,19 @@ roleRef: subjects: - kind: ServiceAccount name: 'envoy-gateway' - namespace: 'tigera-gateway' + namespace: tigera-gateway --- # Source: gateway-helm/templates/leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tigera-gateway-api-gateway-helm-leader-election-rolebinding - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -52476,20 +57941,20 @@ roleRef: subjects: - kind: ServiceAccount name: 'envoy-gateway' - namespace: 'tigera-gateway' + namespace: tigera-gateway --- # Source: gateway-helm/templates/envoy-gateway-service.yaml apiVersion: v1 kind: Service metadata: name: envoy-gateway - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: control-plane: envoy-gateway - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP 
@@ -52519,13 +57984,13 @@ apiVersion: apps/v1 kind: Deployment metadata: name: envoy-gateway - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: control-plane: envoy-gateway - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -52556,7 +58021,7 @@ spec: fieldPath: metadata.namespace - name: KUBERNETES_CLUSTER_DOMAIN value: cluster.local - image: docker.io/envoyproxy/gateway:v1.7.2 + image: docker.io/envoyproxy/gateway:v1.8.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -52623,12 +58088,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: tigera-gateway-api-gateway-helm-certgen - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm annotations: "helm.sh/hook": pre-install, pre-upgrade @@ -52640,10 +58105,10 @@ kind: ClusterRole metadata: name: 'tigera-gateway-api-gateway-helm-certgen:tigera-gateway' labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm annotations: "helm.sh/hook": pre-install, pre-upgrade 
@@ -52673,10 +58138,10 @@ kind: ClusterRoleBinding metadata: name: 'tigera-gateway-api-gateway-helm-certgen:tigera-gateway' labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm annotations: "helm.sh/hook": pre-install, pre-upgrade @@ -52688,19 +58153,19 @@ roleRef: subjects: - kind: ServiceAccount name: 'tigera-gateway-api-gateway-helm-certgen' - namespace: 'tigera-gateway' + namespace: tigera-gateway --- # Source: gateway-helm/templates/certgen-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: tigera-gateway-api-gateway-helm-certgen - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm annotations: "helm.sh/hook": pre-install, pre-upgrade @@ -52720,12 +58185,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tigera-gateway-api-gateway-helm-certgen - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm annotations: "helm.sh/hook": pre-install, pre-upgrade 
@@ -52737,19 +58202,19 @@ roleRef: subjects: - kind: ServiceAccount name: 'tigera-gateway-api-gateway-helm-certgen' - namespace: 'tigera-gateway' + namespace: tigera-gateway --- # Source: gateway-helm/templates/certgen.yaml apiVersion: batch/v1 kind: Job metadata: name: tigera-gateway-api-gateway-helm-certgen - namespace: 'tigera-gateway' + namespace: tigera-gateway labels: - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm annotations: "helm.sh/hook": pre-install, pre-upgrade @@ -52774,7 +58239,7 @@ spec: fieldPath: metadata.namespace - name: KUBERNETES_CLUSTER_DOMAIN value: cluster.local - image: docker.io/envoyproxy/gateway:v1.7.2 + image: docker.io/envoyproxy/gateway:v1.8.0 imagePullPolicy: IfNotPresent name: envoy-gateway-certgen securityContext: @@ -52804,10 +58269,10 @@ metadata: "helm.sh/hook-weight": "-1" labels: app.kubernetes.io/component: topology-injector - helm.sh/chart: gateway-helm-v1.7.2 + helm.sh/chart: gateway-helm-v1.8.0 app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: tigera-gateway-api - app.kubernetes.io/version: "v1.7.2" + app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm webhooks: - name: topology.webhook.gateway.envoyproxy.io @@ -52816,7 +58281,7 @@ webhooks: clientConfig: service: name: envoy-gateway - namespace: 'tigera-gateway' + namespace: tigera-gateway path: "/inject-pod-topology" port: 9443 failurePolicy: Ignore diff --git a/pkg/render/gatewayapi/gateway_api_test.go b/pkg/render/gatewayapi/gateway_api_test.go index d6e5d7237d..fa3b769b80 100644 --- a/pkg/render/gatewayapi/gateway_api_test.go +++ b/pkg/render/gatewayapi/gateway_api_test.go 
@@ -235,7 +235,7 @@ var _ = Describe("Gateway API rendering tests", func() {
 objsToCreate, objsToDelete := gatewayComp.Objects()
 Expect(objsToDelete).To(HaveLen(0))
 Expect(objsToCreate).NotTo(BeEmpty())
- Expect(objsToCreate).To(HaveLen(20 + len(gatewayAPI.Spec.GatewayClasses))) // 20 core objects plus one per GatewayClass
+ Expect(objsToCreate).To(HaveLen(22 + len(gatewayAPI.Spec.GatewayClasses))) // 22 core objects plus one per GatewayClass
 rtest.ExpectResources(objsToCreate, []client.Object{
 &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway"}},
@@ -243,6 +243,8 @@ var _ = Describe("Gateway API rendering tests", func() {
 &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}},
 &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}},
 &admissionregv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-topology-injector.tigera-gateway"}},
+ &admissionregv1.ValidatingAdmissionPolicy{ObjectMeta: metav1.ObjectMeta{Name: "safe-upgrades.gateway.networking.k8s.io"}},
+ &admissionregv1.ValidatingAdmissionPolicyBinding{ObjectMeta: metav1.ObjectMeta{Name: "safe-upgrades.gateway.networking.k8s.io"}},
 &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},
 &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
 &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-rolebinding"}},
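Review bot: The expectations now hard-code that a ValidatingAdmissionPolicy and its binding are always part of the rendered object set, pinned by `HaveLen(22 + len(gatewayAPI.Spec.GatewayClasses))`, but nothing in the visible test covers a cluster whose API server does not serve `admissionregistration.k8s.io/v1` ValidatingAdmissionPolicy (GA only from Kubernetes 1.30, if I recall correctly — presumably still relevant to some clusters on this release branch, worth verifying). If the loader applies these two objects unconditionally, reconciliation on such a cluster fails with an unknown-kind error rather than degrading gracefully; a test that exercises the no-VAP path, or at minimum a comment on the `HaveLen` line stating the minimum Kubernetes version this now implies, would document the decision. The `// 22 core objects …` comment also duplicates the literal list length, so it has to be re-counted on every chart bump; `HaveLen(len(expected) + len(gatewayAPI.Spec.GatewayClasses))` computed from the slice passed to `rtest.ExpectResources` would not. The enclosing Describe block starts and ends outside the hunk.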
@@ -344,6 +346,8 @@ var _ = Describe("Gateway API rendering tests", func() {
 &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}},
 &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}},
 &admissionregv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-topology-injector.tigera-gateway"}},
+ &admissionregv1.ValidatingAdmissionPolicy{ObjectMeta: metav1.ObjectMeta{Name: "safe-upgrades.gateway.networking.k8s.io"}},
+ &admissionregv1.ValidatingAdmissionPolicyBinding{ObjectMeta: metav1.ObjectMeta{Name: "safe-upgrades.gateway.networking.k8s.io"}},
 &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},
 &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
 &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-rolebinding"}},
@@ -437,6 +441,8 @@ var _ = Describe("Gateway API rendering tests", func() { &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}}, &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}}, &admissionregv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-topology-injector.tigera-gateway"}}, + &admissionregv1.ValidatingAdmissionPolicy{ObjectMeta: metav1.ObjectMeta{Name: "safe-upgrades.gateway.networking.k8s.io"}}, + &admissionregv1.ValidatingAdmissionPolicyBinding{ObjectMeta: metav1.ObjectMeta{Name: "safe-upgrades.gateway.networking.k8s.io"}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}}, &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-rolebinding"}}, From 23ef7d2362a40a34564f23f579a54db727de7895 Mon Sep 17 00:00:00 2001 From: Seth Malaki Date: Wed, 20 May 2026 22:30:28 +0100 Subject: [PATCH 2/5] Update gateway_api_resources --- .../gatewayapi/gateway_api_resources.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pkg/render/gatewayapi/gateway_api_resources.yaml b/pkg/render/gatewayapi/gateway_api_resources.yaml index 31a1bc5041..b339c43c33 100644 --- a/pkg/render/gatewayapi/gateway_api_resources.yaml +++ b/pkg/render/gatewayapi/gateway_api_resources.yaml @@ -4,7 +4,7 @@ kind: Namespace metadata: name: tigera-gateway --- -# Source: gateway-helm/charts/crds/crds/gatewayapi-crds.yaml +# Source: crds/gatewayapi-crds.yaml # Copyright The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -22091,7 +22091,7 @@ status: storedVersions: null --- -# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backends.yaml +# Source: crds/generated/gateway.envoyproxy.io_backends.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -22593,7 +22593,7 @@ spec: status: {} --- -# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +# Source: crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -26200,7 +26200,7 @@ spec: status: {} --- -# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +# Source: crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -28343,7 +28343,7 @@ spec: status: {} --- -# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +# Source: crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -30902,7 +30902,7 @@ spec: status: {} --- -# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml +# Source: crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -31415,7 +31415,7 @@ spec: status: {} --- -# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +# Source: crds/generated/gateway.envoyproxy.io_envoyproxies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -49499,7 +49499,7 @@ spec: status: {} --- -# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml +# Source: crds/generated/gateway.envoyproxy.io_httproutefilters.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -49995,7 +49995,7 @@ spec: subresources: {} --- -# Source: gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +# Source: crds/generated/gateway.envoyproxy.io_securitypolicies.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition From 7f0d9828cac9605342e7c0ab3f94eb7628dae9ef Mon Sep 17 00:00:00 2001 From: Seth Malaki Date: Thu, 21 May 2026 13:13:30 +0100 Subject: [PATCH 3/5] build(v1.42): bump GO_BUILD_VER to 1.26.3-llvm20.1.8-k8s1.35.4 go.mod's go directive bumped to 1.26.3 after the envoyproxy/gateway v1.8.0 upgrade pulled deps that require a newer toolchain. The previous GO_BUILD_VER (1.25.10-llvm18.1.8-k8s1.35.4) ships Go 1.25.10 and the build amd64 job fails with: go: go.mod requires go >= 1.26.3 (running go 1.25.10; GOTOOLCHAIN=local) Bumping to the matching Go 1.26.3 toolchain image. K8s minor preserved at 1.35.4 (same as release-v1.42 base) so only the Go and LLVM bases change. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 1a679c4d4f..fd2d2b0c6d 100644 --- a/Makefile +++ b/Makefile @@ -101,7 +101,7 @@ endif REPO?=tigera/operator PACKAGE_NAME?=github.com/tigera/operator LOCAL_USER_ID?=$(shell id -u $$USER) -GO_BUILD_VER?=1.25.10-llvm18.1.8-k8s1.35.4 +GO_BUILD_VER?=1.26.3-llvm20.1.8-k8s1.35.4 CALICO_BASE_VER ?= ubi9-1771532994 CALICO_BUILD?=calico/go-build:$(GO_BUILD_VER)-$(BUILDARCH) CALICO_BASE ?= calico/base:$(CALICO_BASE_VER) From 74e13cef7f1da754d03914e730fc2d067d201494 Mon Sep 17 00:00:00 2001 From: Seth Malaki Date: Thu, 21 May 2026 13:34:33 +0100 Subject: [PATCH 4/5] style(gatewayapi): apply goimports column alignment --- pkg/render/gatewayapi/gateway_api.go | 40 ++++++++++++++-------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/pkg/render/gatewayapi/gateway_api.go b/pkg/render/gatewayapi/gateway_api.go index fda83fcea3..2bad9d1db6 100644 --- a/pkg/render/gatewayapi/gateway_api.go 
+++ b/pkg/render/gatewayapi/gateway_api.go 
@@ -62,26 +62,26 @@ type yamlKind struct {
 // This struct defines all of the resources that we expect to read from the rendered Envoy Gateway
 // helm chart (as of the version indicated by `ENVOY_GATEWAY_VERSION` in `Makefile`).
 type gatewayAPIResources struct {
- namespace *corev1.Namespace
- k8sCRDs []*apiextenv1.CustomResourceDefinition
- envoyCRDs []*apiextenv1.CustomResourceDefinition
- controllerServiceAccount *corev1.ServiceAccount
- envoyGatewayConfigMap *corev1.ConfigMap
- envoyGatewayConfig *envoyapi.EnvoyGateway
- clusterRoles []*rbacv1.ClusterRole
- clusterRoleBindings []*rbacv1.ClusterRoleBinding
- role *rbacv1.Role
- roleBinding *rbacv1.RoleBinding
- leaderElectionRole *rbacv1.Role
- leaderElectionRoleBinding *rbacv1.RoleBinding
- controllerService *corev1.Service
- controllerDeployment *appsv1.Deployment
- certgenServiceAccount *corev1.ServiceAccount
- certgenRole *rbacv1.Role
- certgenRoleBinding *rbacv1.RoleBinding
- certgenJob *batchv1.Job
- mutatingWebhookConfigurations []*admissionregv1.MutatingWebhookConfiguration
- validatingAdmissionPolicies []*admissionregv1.ValidatingAdmissionPolicy
+ namespace *corev1.Namespace
+ k8sCRDs []*apiextenv1.CustomResourceDefinition
+ envoyCRDs []*apiextenv1.CustomResourceDefinition
+ controllerServiceAccount *corev1.ServiceAccount
+ envoyGatewayConfigMap *corev1.ConfigMap
+ envoyGatewayConfig *envoyapi.EnvoyGateway
+ clusterRoles []*rbacv1.ClusterRole
+ clusterRoleBindings []*rbacv1.ClusterRoleBinding
+ role *rbacv1.Role
+ roleBinding *rbacv1.RoleBinding
+ leaderElectionRole *rbacv1.Role
+ leaderElectionRoleBinding *rbacv1.RoleBinding
+ controllerService *corev1.Service
+ controllerDeployment *appsv1.Deployment
+ certgenServiceAccount *corev1.ServiceAccount
+ certgenRole *rbacv1.Role
+ certgenRoleBinding *rbacv1.RoleBinding
+ certgenJob *batchv1.Job
+ mutatingWebhookConfigurations []*admissionregv1.MutatingWebhookConfiguration
+ validatingAdmissionPolicies []*admissionregv1.ValidatingAdmissionPolicy
validatingAdmissionPolicyBindings []*admissionregv1.ValidatingAdmissionPolicyBinding } From 2a5331f084f1e0a78be7b7187768ffd52d728191 Mon Sep 17 00:00:00 2001 From: Seth Malaki Date: Thu, 21 May 2026 14:00:57 +0100 Subject: [PATCH 5/5] lint(v1.42): satisfy staticcheck QF1012, use fmt.Fprintf Mirrors the static-checks portion of master commit 8d9201e0b (#4613, "Bump go to 1.26 and k8s to 1.35"). The newer GO_BUILD_VER ships an updated staticcheck that flags WriteString(fmt.Sprintf(...)) as QF1012; master cleared all 7 sites in the same go-toolchain bump but v1.42 missed the backport. Affected: - test/mainline_test.go:453-470 (6 sites in removeInstallation debug) - pkg/tls/certificatemanagement/certificatebundle.go:195 (1 site) Both strings.Builder and bytes.Buffer satisfy io.Writer, so the substitution is a direct rewrite. --- pkg/tls/certificatemanagement/certificatebundle.go | 2 +- test/mainline_test.go | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pkg/tls/certificatemanagement/certificatebundle.go b/pkg/tls/certificatemanagement/certificatebundle.go index ecbdca613c..36e7c4c19a 100644 --- a/pkg/tls/certificatemanagement/certificatebundle.go +++ b/pkg/tls/certificatemanagement/certificatebundle.go @@ -192,7 +192,7 @@ func (t *trustedBundle) ConfigMap(namespace string) *corev1.ConfigMap { return certs[i].GetName() < certs[j].GetName() }) for _, cert := range certs { - pemBuf.WriteString(fmt.Sprintf("# certificate name: %s/%s\n%s\n\n", cert.GetNamespace(), cert.GetName(), string(cert.GetCertificatePEM()))) + fmt.Fprintf(&pemBuf, "# certificate name: %s/%s\n%s\n\n", cert.GetNamespace(), cert.GetName(), string(cert.GetCertificatePEM())) } pemStr := pemBuf.String() diff --git a/test/mainline_test.go b/test/mainline_test.go index 711d1ebd07..2b52536ef9 100644 --- a/test/mainline_test.go +++ b/test/mainline_test.go 
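Review bot: The `string(cert.GetCertificatePEM())` wrapper inside the new `fmt.Fprintf` call in certificatebundle.go is redundant: the `%s` verb formats a `[]byte` directly, and the conversion copies every certificate's PEM bytes once more on each ConfigMap render. Passing the value unconverted, `fmt.Fprintf(&pemBuf, "# certificate name: %s/%s\n%s\n\n", cert.GetNamespace(), cert.GetName(), cert.GetCertificatePEM())`, produces identical output. This assumes GetCertificatePEM returns `[]byte`, which the existing conversion suggests but the hunk does not show. The enclosing ConfigMap method starts and ends outside the hunk.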
@@ -450,24 +450,24 @@ func removeInstallation(ctx context.Context, c client.Client, name string) {
 // Collect debugging information for failure message
 var debugInfo strings.Builder
 debugInfo.WriteString("Installation instance still exists:\n")
- debugInfo.WriteString(fmt.Sprintf("Instance: %+v\n", instance))
+ fmt.Fprintf(&debugInfo, "Instance: %+v\n", instance)
 // Get calico-system namespace
 ns := &corev1.Namespace{}
 if err := c.Get(ctx, client.ObjectKey{Name: "calico-system"}, ns); err != nil {
- debugInfo.WriteString(fmt.Sprintf("Failed to get calico-system namespace: %v\n", err))
+ fmt.Fprintf(&debugInfo, "Failed to get calico-system namespace: %v\n", err)
 } else {
- debugInfo.WriteString(fmt.Sprintf("calico-system namespace: %+v\n", ns))
+ fmt.Fprintf(&debugInfo, "calico-system namespace: %+v\n", ns)
 }
 // Get all pods in calico-system namespace
 pods := &corev1.PodList{}
 if err := c.List(ctx, pods, client.InNamespace("calico-system")); err != nil {
- debugInfo.WriteString(fmt.Sprintf("Failed to list pods in calico-system namespace: %v\n", err))
+ fmt.Fprintf(&debugInfo, "Failed to list pods in calico-system namespace: %v\n", err)
 } else {
- debugInfo.WriteString(fmt.Sprintf("Pods in calico-system namespace (%d pods):\n", len(pods.Items)))
+ fmt.Fprintf(&debugInfo, "Pods in calico-system namespace (%d pods):\n", len(pods.Items))
 for i, pod := range pods.Items {
- debugInfo.WriteString(fmt.Sprintf(" Pod %d: Name=%s, Phase=%s, Ready=%v\n", i+1, pod.Name, pod.Status.Phase, pod.Status.ContainerStatuses))
+ fmt.Fprintf(&debugInfo, " Pod %d: Name=%s, Phase=%s, Ready=%v\n", i+1, pod.Name, pod.Status.Phase, pod.Status.ContainerStatuses)
 }
 }