From 1e5dab29eae3211f39e9654e44382c389211ebdc Mon Sep 17 00:00:00 2001
From: jun <2456868764@qq.com>
Date: Thu, 2 Nov 2023 07:56:04 +0800
Subject: [PATCH] enable gatewayapi and reduce profile structure
---
pkg/cmd/hgctl/helm/profile.go | 71 +-
pkg/cmd/hgctl/helm/render.go | 88 +-
pkg/cmd/hgctl/installer/gateway_api.go | 108 +
pkg/cmd/hgctl/installer/higress.go | 41 +-
pkg/cmd/hgctl/installer/installer.go | 10 +-
pkg/cmd/hgctl/installer/installer_k8s.go | 32 +-
pkg/cmd/hgctl/installer/istio.go | 17 +-
.../gatewayapi/experimental-install.yaml | 11763 ++++++++++++++++
pkg/cmd/hgctl/manifests/istiobase/Chart.yaml | 10 +
pkg/cmd/hgctl/manifests/istiobase/README.md | 21 +
.../manifests/istiobase/crds/crd-all.gen.yaml | 7199 ++++++++++
.../istiobase/crds/crd-operator.yaml | 48 +
.../manifests/istiobase/templates/NOTES.txt | 5 +
.../istiobase/templates/clusterrole.yaml | 181 +
.../templates/clusterrolebinding.yaml | 37 +
.../manifests/istiobase/templates/crds.yaml | 4 +
.../istiobase/templates/default.yaml | 48 +
.../istiobase/templates/endpoints.yaml | 23 +
.../templates/reader-serviceaccount.yaml | 16 +
.../manifests/istiobase/templates/role.yaml | 25 +
.../istiobase/templates/rolebinding.yaml | 21 +
.../istiobase/templates/serviceaccount.yaml | 19 +
.../istiobase/templates/services.yaml | 28 +
pkg/cmd/hgctl/manifests/istiobase/values.yaml | 29 +
pkg/cmd/hgctl/manifests/manifest.go | 2 +
pkg/cmd/hgctl/manifests/profiles/_all.yaml | 20 +-
pkg/cmd/hgctl/manifests/profiles/k8s.yaml | 16 +-
.../manifests/profiles/local-docker.yaml | 4 -
.../hgctl/manifests/profiles/local-k8s.yaml | 16 +-
29 files changed, 19763 insertions(+), 139 deletions(-)
create mode 100644 pkg/cmd/hgctl/installer/gateway_api.go
create mode 100644 pkg/cmd/hgctl/manifests/gatewayapi/experimental-install.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/Chart.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/README.md
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/crds/crd-all.gen.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/crds/crd-operator.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/NOTES.txt
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/clusterrole.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/clusterrolebinding.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/crds.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/default.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/endpoints.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/reader-serviceaccount.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/role.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/rolebinding.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/serviceaccount.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/templates/services.yaml
create mode 100644 pkg/cmd/hgctl/manifests/istiobase/values.yaml
diff --git a/pkg/cmd/hgctl/helm/profile.go b/pkg/cmd/hgctl/helm/profile.go
index 38ebe9d478..c9650f4b32 100644
--- a/pkg/cmd/hgctl/helm/profile.go
+++ b/pkg/cmd/hgctl/helm/profile.go
@@ -45,25 +45,19 @@ type Profile struct {
}
type ProfileGlobal struct {
- Install InstallMode `json:"install,omitempty"`
- IngressClass string `json:"ingressClass,omitempty"`
- WatchNamespace string `json:"watchNamespace,omitempty"`
- DisableAlpnH2 bool `json:"disableAlpnH2,omitempty"`
- EnableStatus bool `json:"enableStatus,omitempty"`
- EnableIstioAPI bool `json:"enableIstioAPI,omitempty"`
- Namespace string `json:"namespace,omitempty"`
- IstioNamespace string `json:"istioNamespace,omitempty"`
+ Install InstallMode `json:"install,omitempty"`
+ IngressClass string `json:"ingressClass,omitempty"`
+ EnableIstioAPI bool `json:"enableIstioAPI,omitempty"`
+ EnableGatewayAPI bool `json:"enableGatewayAPI,omitempty"`
+ Namespace string `json:"namespace,omitempty"`
}
func (p ProfileGlobal) SetFlags(install InstallMode) ([]string, error) {
sets := make([]string, 0)
if install == InstallK8s || install == InstallLocalK8s {
sets = append(sets, fmt.Sprintf("global.ingressClass=%s", p.IngressClass))
- sets = append(sets, fmt.Sprintf("global.watchNamespace=%s", p.WatchNamespace))
- sets = append(sets, fmt.Sprintf("global.disableAlpnH2=%t", p.DisableAlpnH2))
- sets = append(sets, fmt.Sprintf("global.enableStatus=%t", p.EnableStatus))
sets = append(sets, fmt.Sprintf("global.enableIstioAPI=%t", p.EnableIstioAPI))
- sets = append(sets, fmt.Sprintf("global.istioNamespace=%s", p.IstioNamespace))
+ sets = append(sets, fmt.Sprintf("global.enableGatewayAPI=%t", p.EnableGatewayAPI))
if install == InstallLocalK8s {
sets = append(sets, fmt.Sprintf("global.local=%t", true))
}
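Review bot: Removing `WatchNamespace`, `DisableAlpnH2`, `EnableStatus` and `IstioNamespace` from `ProfileGlobal` means a previously saved profile that still sets `global.istioNamespace` is either rejected or silently ignored, depending on how the profile YAML is decoded, and the Istio CRDs then go to the installer's `istio-system` default rather than where the operator put them. Since the value is now read from `Values.global.istioNamespace` by `Profile.GetIstioNamespace`, the struct should say so, e.g. `// istioNamespace is no longer a global field; set Values.global.istioNamespace instead (see GetIstioNamespace).` above `Namespace`. `SetFlags` continues past the end of this hunk.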
@@ -84,38 +78,24 @@ func (p ProfileGlobal) Validate(install InstallMode) []error {
if len(p.Namespace) == 0 {
errs = append(errs, errors.New("global.namespace can't be empty"))
}
- if len(p.IstioNamespace) == 0 {
- errs = append(errs, errors.New("global.istioNamespace can't be empty"))
- }
}
return errs
}
type ProfileConsole struct {
- Port uint32 `json:"port,omitempty"`
- Replicas uint32 `json:"replicas,omitempty"`
- ServiceType string `json:"serviceType,omitempty"`
- Domain string `json:"domain,omitempty"`
- TlsSecretName string `json:"tlsSecretName,omitempty"`
- WebLoginPrompt string `json:"webLoginPrompt,omitempty"`
- AdminPasswordValue string `json:"adminPasswordValue,omitempty"`
- AdminPasswordLength uint32 `json:"adminPasswordLength,omitempty"`
- O11yEnabled bool `json:"o11YEnabled,omitempty"`
- PvcRwxSupported bool `json:"pvcRwxSupported,omitempty"`
+ Port uint32 `json:"port,omitempty"`
+ Replicas uint32 `json:"replicas,omitempty"`
+ AdminPasswordValue string `json:"adminPasswordValue,omitempty"`
}
func (p ProfileConsole) SetFlags(install InstallMode) ([]string, error) {
sets := make([]string, 0)
if install == InstallK8s || install == InstallLocalK8s {
sets = append(sets, fmt.Sprintf("higress-console.replicaCount=%d", p.Replicas))
- sets = append(sets, fmt.Sprintf("higress-console.service.type=%s", p.ServiceType))
- sets = append(sets, fmt.Sprintf("higress-console.domain=%s", p.Domain))
- sets = append(sets, fmt.Sprintf("higress-console.tlsSecretName=%s", p.TlsSecretName))
- sets = append(sets, fmt.Sprintf("higress-console.web.login.prompt=%s", p.WebLoginPrompt))
sets = append(sets, fmt.Sprintf("higress-console.admin.password.value=%s", p.AdminPasswordValue))
- sets = append(sets, fmt.Sprintf("higress-console.admin.password.length=%d", p.AdminPasswordLength))
- sets = append(sets, fmt.Sprintf("higress-console.o11y.enabled=%t", p.O11yEnabled))
- sets = append(sets, fmt.Sprintf("higress-console.pvc.rwxSupported=%t", p.PvcRwxSupported))
+ if install == InstallLocalK8s {
+ sets = append(sets, fmt.Sprintf("higress-console.o11y.enabled=%t", true))
+ }
}
return sets, nil
}
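Review bot: `AdminPasswordValue` is still interpolated raw into `higress-console.admin.password.value=%s` while the companion `admin.password.length` set is dropped, so if these strings are fed to Helm's `--set` parser a password containing `,` or `\` is split or mangled (Helm expects `\,`). Escaping before formatting, e.g. `strings.NewReplacer(`\`, `\\`, `,`, `\,`).Replace(p.AdminPasswordValue)`, or rejecting such characters in `Validate`, would make the value round-trip safely, and because the rendered values may be persisted alongside `install.yaml` the password should be handled as a secret there. With the length knob gone, whether an empty value yields a generated password or an empty one is now decided solely by the chart and is worth a one-line comment stating the intent.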
@@ -126,10 +106,6 @@ func (p ProfileConsole) Validate(install InstallMode) []error {
if p.Replicas <= 0 {
errs = append(errs, errors.New("console.replica need be large than zero"))
}
-
- if p.ServiceType != "ClusterIP" && p.ServiceType != "NodePort" && p.ServiceType != "LoadBalancer" {
- errs = append(errs, errors.New("console.serviceType can only be set to ClusterIP, NodePort or LoadBalancer"))
- }
}
if install == InstallLocalDocker {
@@ -232,7 +208,7 @@ func (p ProfileStorage) Validate(install InstallMode) []error {
}
if len(p.Username) > 0 && len(p.Password) == 0 || len(p.Username) == 0 && len(p.Password) > 0 {
- errs = append(errs, errors.New("both nacos username and password shall be provided"))
+ errs = append(errs, errors.New("both nacos username and password should be provided"))
}
}
return errs
@@ -246,7 +222,6 @@ type Chart struct {
type ProfileCharts struct {
Higress Chart `json:"higress,omitempty"`
- Istio Chart `json:"istio,omitempty"`
Standalone Chart `json:"standalone,omitempty"`
}
@@ -302,6 +277,26 @@ func (p *Profile) IstioEnabled() bool {
return false
}
+func (p *Profile) GatewayAPIEnabled() bool {
+ if (p.Global.Install == InstallK8s || p.Global.Install == InstallLocalK8s) && p.Global.EnableGatewayAPI {
+ return true
+ }
+ return false
+}
+
+func (p *Profile) GetIstioNamespace() string {
+ if valuesGlobal, ok1 := p.Values["global"]; ok1 {
+ if global, ok2 := valuesGlobal.(map[string]any); ok2 {
+ if istioNamespace, ok3 := global["istioNamespace"]; ok3 {
+ if namespace, ok4 := istioNamespace.(string); ok4 {
+ return namespace
+ }
+ }
+ }
+ }
+ return ""
+}
+
func (p *Profile) Validate() error {
errs := make([]error, 0)
errsGlobal := p.Global.Validate(p.Global.Install)
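Review bot: `GetIstioNamespace` returns the raw string from `Values.global.istioNamespace` without checking that it is a valid namespace name, and this commit also removes the `global.istioNamespace can't be empty` validation, so a malformed value now surfaces only when the manifest is applied; a check in `Validate` (non-empty when set, DNS-1123 label) would restore the earlier guarantee. The `map[string]any` assertion depends on how `Values` was decoded — a yaml.v2-style `map[interface{}]interface{}` makes the lookup fail silently and the installer falls back to `istio-system` — so the method deserves a comment recording that assumption. `GatewayAPIEnabled` can be shortened to `return (p.Global.Install == InstallK8s || p.Global.Install == InstallLocalK8s) && p.Global.EnableGatewayAPI`.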
diff --git a/pkg/cmd/hgctl/helm/render.go b/pkg/cmd/hgctl/helm/render.go
index d76d583cbd..3e72184414 100644
--- a/pkg/cmd/hgctl/helm/render.go
+++ b/pkg/cmd/hgctl/helm/render.go
@@ -127,7 +127,7 @@ type RendererOptions struct {
Name string
Namespace string
- // fields for LocalRenderer
+ // fields for LocalChartRenderer and LocalFileRenderer
FS fs.FS
Dir string
@@ -174,14 +174,84 @@ func WithRepoURL(repo string) RendererOption {
}
}
-// LocalRenderer load chart from local file system
-type LocalRenderer struct {
+// LocalFileRenderer load yaml files from local file system
+type LocalFileRenderer struct {
+ Opts *RendererOptions
+ filesMap map[string]string
+ Started bool
+}
+
+func NewLocalFileRenderer(opts ...RendererOption) (Renderer, error) {
+ newOpts := &RendererOptions{}
+ for _, opt := range opts {
+ opt(newOpts)
+ }
+
+ return &LocalFileRenderer{
+ Opts: newOpts,
+ filesMap: make(map[string]string),
+ }, nil
+}
+
+func (l *LocalFileRenderer) Init() error {
+ fileNames, err := getFileNames(l.Opts.FS, l.Opts.Dir)
+ if err != nil {
+ if os.IsNotExist(err) {
+ return fmt.Errorf("chart of component %s doesn't exist", l.Opts.Name)
+ }
+ return fmt.Errorf("getFileNames err: %s", err)
+ }
+ for _, fileName := range fileNames {
+ data, err := fs.ReadFile(l.Opts.FS, fileName)
+ if err != nil {
+ return fmt.Errorf("ReadFile %s err: %s", fileName, err)
+ }
+
+ l.filesMap[fileName] = string(data)
+ }
+ l.Started = true
+ return nil
+}
+
+func (l *LocalFileRenderer) RenderManifest(valsYaml string) (string, error) {
+ if !l.Started {
+ return "", errors.New("LocalFileRenderer has not been init")
+ }
+ keys := make([]string, 0, len(l.filesMap))
+ for key := range l.filesMap {
+ keys = append(keys, key)
+ }
+ // to ensure that every manifest rendered by same values are the same
+ sort.Strings(keys)
+
+ var builder strings.Builder
+ for i := 0; i < len(keys); i++ {
+ file := l.filesMap[keys[i]]
+ file = util.ApplyFilters(file, DefaultFilters...)
+ // ignore empty manifest
+ if file == "" {
+ continue
+ }
+ if !strings.HasSuffix(file, YAMLSeparator) {
+ file += YAMLSeparator
+ }
+ builder.WriteString(file)
+ }
+ return builder.String(), nil
+}
+
+func (l *LocalFileRenderer) SetVersion(version string) {
+ l.Opts.Version = version
+}
+
+// LocalChartRenderer load chart from local file system
+type LocalChartRenderer struct {
Opts *RendererOptions
Chart *chart.Chart
Started bool
}
-func (lr *LocalRenderer) Init() error {
+func (lr *LocalChartRenderer) Init() error {
fileNames, err := getFileNames(lr.Opts.FS, lr.Opts.Dir)
if err != nil {
if os.IsNotExist(err) {
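Review bot: `LocalFileRenderer.RenderManifest` ignores its `valsYaml` argument and `SetVersion` has no effect on the output, which is fine for a static bundle but should be stated on the type, e.g. `// LocalFileRenderer concatenates static YAML files verbatim; valsYaml and Version are accepted for Renderer compatibility and not used.` In `Init`, the not-found branch should use `errors.Is(err, fs.ErrNotExist)` rather than `os.IsNotExist`, which does not unwrap wrapped errors, and the `%s` in the returned errors should be `%w` so callers can inspect the cause. The message `chart of component %s doesn't exist` is also misleading for a renderer that loads plain files. `LocalChartRenderer.Init` continues past the end of this hunk.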
@@ -212,18 +282,18 @@ func (lr *LocalRenderer) Init() error {
return nil
}
-func (lr *LocalRenderer) RenderManifest(valsYaml string) (string, error) {
+func (lr *LocalChartRenderer) RenderManifest(valsYaml string) (string, error) {
if !lr.Started {
- return "", errors.New("LocalRenderer has not been init")
+ return "", errors.New("LocalChartRenderer has not been init")
}
return renderManifest(valsYaml, lr.Chart, true, lr.Opts, DefaultFilters...)
}
-func (lr *LocalRenderer) SetVersion(version string) {
+func (lr *LocalChartRenderer) SetVersion(version string) {
lr.Opts.Version = version
}
-func NewLocalRenderer(opts ...RendererOption) (Renderer, error) {
+func NewLocalChartRenderer(opts ...RendererOption) (Renderer, error) {
newOpts := &RendererOptions{}
for _, opt := range opts {
opt(newOpts)
@@ -232,7 +302,7 @@ func NewLocalRenderer(opts ...RendererOption) (Renderer, error) {
if err := verifyRendererOptions(newOpts); err != nil {
return nil, fmt.Errorf("verify err: %s", err)
}
- return &LocalRenderer{
+ return &LocalChartRenderer{
Opts: newOpts,
}, nil
}
diff --git a/pkg/cmd/hgctl/installer/gateway_api.go b/pkg/cmd/hgctl/installer/gateway_api.go
new file mode 100644
index 0000000000..b2bcc64de0
--- /dev/null
+++ b/pkg/cmd/hgctl/installer/gateway_api.go
@@ -0,0 +1,108 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package installer
+
+import (
+ "errors"
+ "fmt"
+ "io"
+ "strings"
+
+ "github.com/alibaba/higress/pkg/cmd/hgctl/helm"
+ "github.com/alibaba/higress/pkg/cmd/hgctl/manifests"
+)
+
+const (
+ GatewayAPI ComponentName = "gatewayAPI"
+)
+
+type GatewayAPIComponent struct {
+ profile *helm.Profile
+ started bool
+ opts *ComponentOptions
+ renderer helm.Renderer
+ writer io.Writer
+}
+
+func NewGatewayAPIComponent(profile *helm.Profile, writer io.Writer, opts ...ComponentOption) (Component, error) {
+ newOpts := &ComponentOptions{}
+ for _, opt := range opts {
+ opt(newOpts)
+ }
+
+ if !strings.HasPrefix(newOpts.RepoURL, "embed://") {
+ return nil, errors.New("GatewayAPI Url need start with embed://")
+ }
+
+ chartDir := strings.TrimPrefix(newOpts.RepoURL, "embed://")
+ // GatewayAPI can only be installed by embed type
+ renderer, err := helm.NewLocalFileRenderer(
+ helm.WithName(newOpts.ChartName),
+ helm.WithNamespace(newOpts.Namespace),
+ helm.WithRepoURL(newOpts.RepoURL),
+ helm.WithVersion(newOpts.Version),
+ helm.WithFS(manifests.BuiltinOrDir("")),
+ helm.WithDir(chartDir),
+ )
+ if err != nil {
+ return nil, err
+ }
+
+ gatewayAPIComponent := &GatewayAPIComponent{
+ profile: profile,
+ renderer: renderer,
+ opts: newOpts,
+ writer: writer,
+ }
+ return gatewayAPIComponent, nil
+}
+
+func (i *GatewayAPIComponent) ComponentName() ComponentName {
+ return GatewayAPI
+}
+
+func (i *GatewayAPIComponent) Namespace() string {
+ return i.opts.Namespace
+}
+
+func (i *GatewayAPIComponent) Enabled() bool {
+ return true
+}
+
+func (i *GatewayAPIComponent) Run() error {
+ if !i.opts.Quiet {
+ fmt.Fprintf(i.writer, "🏄 Downloading GatewayAPI Yaml Files version: %s, url: %s\n", i.opts.Version, i.opts.RepoURL)
+ }
+ if err := i.renderer.Init(); err != nil {
+ return err
+ }
+ i.started = true
+ return nil
+}
+
+func (i *GatewayAPIComponent) RenderManifest() (string, error) {
+ if !i.started {
+ return "", nil
+ }
+ if !i.opts.Quiet {
+ fmt.Fprintf(i.writer, "📦 Rendering GatewayAPI Yaml Files\n")
+ }
+ values := make(map[string]any)
+ manifest, err := renderComponentManifest(values, i.renderer, false, i.ComponentName(), i.opts.Namespace)
+ if err != nil {
+ return "", err
+ }
+ return manifest, nil
+}
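Review bot: `RenderManifest` returns `"", nil` when `Run` has not been called, so a skipped or failed start is indistinguishable at the call site from a rendered manifest; returning `errors.New("GatewayAPI component has not been started")` mirrors the renderer's own `has not been init` check. `Run` prints `Downloading GatewayAPI Yaml Files` although it only reads embedded files, and `Enabled` returns true unconditionally, relying on `NewK8sInstaller` constructing the component only when `profile.GatewayAPIEnabled()` — both deserve a comment. From a supply-chain view the embedded bundle is the experimental channel of Gateway API (alpha CRDs such as BackendTLSPolicy, installed cluster-wide), so its source file should record the upstream release and checksum it was copied from, and the version should come from the bundle's `gateway.networking.k8s.io/bundle-version` annotation rather than the `1.0.0` literal hard-coded in the installer.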
diff --git a/pkg/cmd/hgctl/installer/higress.go b/pkg/cmd/hgctl/installer/higress.go
index 1a2bddaafa..70a098ae6a 100644
--- a/pkg/cmd/hgctl/installer/higress.go
+++ b/pkg/cmd/hgctl/installer/higress.go
@@ -15,11 +15,10 @@
package installer
import (
+ "errors"
"fmt"
- "io"
- "os"
-
"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
+ "io"
)
const (
@@ -96,29 +95,19 @@ func NewHigressComponent(profile *helm.Profile, writer io.Writer, opts ...Compon
opt(newOpts)
}
- var renderer helm.Renderer
- var err error
- if newOpts.RepoURL != "" {
- renderer, err = helm.NewRemoteRenderer(
- helm.WithName(newOpts.ChartName),
- helm.WithNamespace(newOpts.Namespace),
- helm.WithRepoURL(newOpts.RepoURL),
- helm.WithVersion(newOpts.Version),
- )
- if err != nil {
- return nil, err
- }
- } else {
- renderer, err = helm.NewLocalRenderer(
- helm.WithName(newOpts.ChartName),
- helm.WithNamespace(newOpts.Namespace),
- helm.WithVersion(newOpts.Version),
- helm.WithFS(os.DirFS(newOpts.ChartPath)),
- helm.WithDir(string(Higress)),
- )
- if err != nil {
- return nil, err
- }
+ if len(newOpts.RepoURL) == 0 {
+ return nil, errors.New("Higress helm chart url can't be empty")
+ }
+
+ // Higress can only be installed by remote type
+ renderer, err := helm.NewRemoteRenderer(
+ helm.WithName(newOpts.ChartName),
+ helm.WithNamespace(newOpts.Namespace),
+ helm.WithRepoURL(newOpts.RepoURL),
+ helm.WithVersion(newOpts.Version),
+ )
+ if err != nil {
+ return nil, err
}
higressComponent := &HigressComponent{
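Review bot: The new guard only rejects an empty `RepoURL`, so an `embed://` value — the scheme the Istio and GatewayAPI components now accept — is passed straight to `NewRemoteRenderer`; a scheme check up front, e.g. `if strings.HasPrefix(newOpts.RepoURL, "embed://") { return nil, errors.New("higress chart must be fetched remotely; embed:// is not supported") }`, gives a clearer failure. The error string `Higress helm chart url can't be empty` is capitalized, which Go convention (ST1005) avoids. Dropping the local-chart path also makes a network fetch the only way to install Higress; if `NewRemoteRenderer` does not verify the chart (provenance file or digest), that should be documented here as a known gap. `NewHigressComponent` continues past the end of this hunk.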
diff --git a/pkg/cmd/hgctl/installer/installer.go b/pkg/cmd/hgctl/installer/installer.go
index c81b7b1465..7baaacc70d 100644
--- a/pkg/cmd/hgctl/installer/installer.go
+++ b/pkg/cmd/hgctl/installer/installer.go
@@ -29,10 +29,12 @@ import (
)
const (
- HgctlHomeDirPath = ".hgctl"
- StandaloneInstalledPath = "higress-standalone"
- ProfileInstalledPath = "profiles"
- InstalledYamlFileName = "install.yaml"
+ HgctlHomeDirPath = ".hgctl"
+ StandaloneInstalledPath = "higress-standalone"
+ ProfileInstalledPath = "profiles"
+ InstalledYamlFileName = "install.yaml"
+ DefaultGatewayAPINamespace = "gateway-system"
+ DefaultIstioNamespace = "istio-system"
)
type Installer interface {
diff --git a/pkg/cmd/hgctl/installer/installer_k8s.go b/pkg/cmd/hgctl/installer/installer_k8s.go
index 661be08719..2fa606a5c5 100644
--- a/pkg/cmd/hgctl/installer/installer_k8s.go
+++ b/pkg/cmd/hgctl/installer/installer_k8s.go
@@ -250,12 +250,15 @@ func NewK8sInstaller(profile *helm.Profile, cli kubernetes.CLIClient, writer io.
components[Higress] = higressComponent
if profile.IstioEnabled() {
+ istioNamespace := profile.GetIstioNamespace()
+ if len(istioNamespace) == 0 {
+ istioNamespace = DefaultIstioNamespace
+ }
opts := []ComponentOption{
- WithComponentNamespace(profile.Global.IstioNamespace),
- WithComponentChartPath(profile.InstallPackagePath),
- WithComponentVersion(profile.Charts.Istio.Version),
- WithComponentRepoURL(profile.Charts.Istio.Url),
- WithComponentChartName(profile.Charts.Istio.Name),
+ WithComponentNamespace(istioNamespace),
+ WithComponentVersion("1.18.2"),
+ WithComponentRepoURL("embed://istiobase"),
+ WithComponentChartName("istio"),
}
if quiet {
opts = append(opts, WithQuiet())
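Review bot: The Istio component's source is now the three inline literals `"1.18.2"`, `"embed://istiobase"` and `"istio"`, where the version has to be kept in sync with `manifests/istiobase/Chart.yaml` by hand; hoisting them next to `DefaultIstioNamespace` as `DefaultIstioVersion`, `DefaultIstioRepoURL` and `DefaultIstioChartName` keeps the embedded-chart facts in one place. This also silently removes the ability to point `profile.Charts.Istio` at another chart, which may be intentional but is not mentioned in the commit message. `NewK8sInstaller` starts and ends outside this hunk.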
@@ -267,6 +270,25 @@ func NewK8sInstaller(profile *helm.Profile, cli kubernetes.CLIClient, writer io.
}
components[Istio] = istioCRDComponent
}
+
+ if profile.GatewayAPIEnabled() {
+ opts := []ComponentOption{
+ WithComponentNamespace(DefaultGatewayAPINamespace),
+ WithComponentVersion("1.0.0"),
+ WithComponentRepoURL("embed://gatewayapi"),
+ WithComponentChartName("gatewayAPI"),
+ }
+ if quiet {
+ opts = append(opts, WithQuiet())
+ }
+
+ gatewayAPIComponent, err := NewGatewayAPIComponent(profile, writer, opts...)
+ if err != nil {
+ return nil, fmt.Errorf("NewGatewayAPIComponent failed, err: %s", err)
+ }
+ components[GatewayAPI] = gatewayAPIComponent
+ }
+
op := &K8sInstaller{
profile: profile,
components: components,
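Review bot: Gateway API CRDs are cluster-scoped and must exist before any resource that uses them is applied; `components` appears to be a map keyed by `ComponentName`, and if `K8sInstaller` iterates it directly the apply order is random, so the GatewayAPI (and Istio CRD) component can run after the Higress chart that depends on it. If ordering is enforced elsewhere, a comment here saying so would help; otherwise an explicit ordered slice of component names is needed. The `fmt.Errorf("NewGatewayAPIComponent failed, err: %s", err)` should wrap with `%w`. `NewK8sInstaller` starts outside this hunk.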
diff --git a/pkg/cmd/hgctl/installer/istio.go b/pkg/cmd/hgctl/installer/istio.go
index 40ee71141b..52a8744305 100644
--- a/pkg/cmd/hgctl/installer/istio.go
+++ b/pkg/cmd/hgctl/installer/istio.go
@@ -17,9 +17,10 @@ package installer
import (
"fmt"
"io"
- "os"
+ "strings"
"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
+ "github.com/alibaba/higress/pkg/cmd/hgctl/manifests"
)
const (
@@ -42,23 +43,27 @@ func NewIstioCRDComponent(profile *helm.Profile, writer io.Writer, opts ...Compo
var renderer helm.Renderer
var err error
- if newOpts.RepoURL != "" {
- renderer, err = helm.NewRemoteRenderer(
+
+ // Istio can be installed by embed type or remote type
+ if strings.HasPrefix(newOpts.RepoURL, "embed://") {
+ chartDir := strings.TrimPrefix(newOpts.RepoURL, "embed://")
+ renderer, err = helm.NewLocalChartRenderer(
helm.WithName(newOpts.ChartName),
helm.WithNamespace(newOpts.Namespace),
helm.WithRepoURL(newOpts.RepoURL),
helm.WithVersion(newOpts.Version),
+ helm.WithFS(manifests.BuiltinOrDir("")),
+ helm.WithDir(chartDir),
)
if err != nil {
return nil, err
}
} else {
- renderer, err = helm.NewLocalRenderer(
+ renderer, err = helm.NewRemoteRenderer(
helm.WithName(newOpts.ChartName),
helm.WithNamespace(newOpts.Namespace),
+ helm.WithRepoURL(newOpts.RepoURL),
helm.WithVersion(newOpts.Version),
- helm.WithFS(os.DirFS(newOpts.ChartPath)),
- helm.WithDir(string(Istio)),
)
if err != nil {
return nil, err
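Review bot: `chartDir` is taken from `RepoURL` with only the `embed://` prefix stripped and handed to the FS returned by `manifests.BuiltinOrDir("")`; nothing rejects `..` segments or absolute paths, so if `BuiltinOrDir` can return an on-disk directory (its argument suggests an override exists) a caller-supplied URL could read chart files outside the manifests tree. Today the installer hard-codes `embed://istiobase`, but this constructor accepts arbitrary options, so a guard such as `if !fs.ValidPath(chartDir) || chartDir == "." { return nil, fmt.Errorf("invalid embedded chart path %q", chartDir) }` before building the renderer is cheap and also applies to `NewGatewayAPIComponent`. `WithRepoURL` is also passed to the local renderer, where it has no visible use. `NewIstioCRDComponent` continues past the end of this hunk.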
diff --git a/pkg/cmd/hgctl/manifests/gatewayapi/experimental-install.yaml b/pkg/cmd/hgctl/manifests/gatewayapi/experimental-install.yaml
new file mode 100644
index 0000000000..bbb71f11f6
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/gatewayapi/experimental-install.yaml
@@ -0,0 +1,11763 @@
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Gateway API Experimental channel install
+#
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ labels:
+ gateway.networking.k8s.io/policy: Direct
+ name: backendtlspolicies.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: BackendTLSPolicy
+ listKind: BackendTLSPolicyList
+ plural: backendtlspolicies
+ shortNames:
+ - btlspolicy
+ singular: backendtlspolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: BackendTLSPolicy provides a way to configure how a Gateway connects
+ to a Backend via TLS.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of BackendTLSPolicy.
+ properties:
+ targetRef:
+ description: "TargetRef identifies an API object to apply the policy
+ to. Only Services have Extended support. Implementations MAY support
+ additional objects, with Implementation Specific support. Note that
+ this config applies to the entire referenced resource by default,
+ but this default may change in the future to provide a more granular
+ application of the policy. \n Support: Extended for Kubernetes Service
+ \n Support: Implementation-specific for any other resource"
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: Namespace is the namespace of the referent. When
+ unspecified, the local namespace is inferred. Even when policy
+ targets a resource in a different namespace, it MUST only apply
+ to traffic originating from the same namespace as the policy.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ sectionName:
+ description: "SectionName is the name of a section within the
+ target resource. When unspecified, this targetRef targets the
+ entire resource. In the following resources, SectionName is
+ interpreted as the following: \n * Gateway: Listener Name *
+ Service: Port Name \n If a SectionName is specified, but does
+ not exist on the targeted object, the Policy must fail to attach,
+ and the policy implementation should record a `ResolvedRefs`
+ or similar Condition in the Policy's status."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ tls:
+ description: TLS contains backend TLS policy configuration.
+ properties:
+ caCertRefs:
+ description: "CACertRefs contains one or more references to Kubernetes
+ objects that contain a PEM-encoded TLS CA certificate bundle,
+ which is used to validate a TLS handshake between the Gateway
+ and backend Pod. \n If CACertRefs is empty or unspecified, then
+ WellKnownCACerts must be specified. Only one of CACertRefs or
+ WellKnownCACerts may be specified, not both. If CACertRefs is
+ empty or unspecified, the configuration for WellKnownCACerts
+ MUST be honored instead. \n References to a resource in a different
+ namespace are invalid for the moment, although we will revisit
+ this in the future. \n A single CACertRef to a Kubernetes ConfigMap
+ kind has \"Core\" support. Implementations MAY choose to support
+ attaching multiple certificates to a backend, but this behavior
+ is implementation-specific. \n Support: Core - An optional single
+ reference to a Kubernetes ConfigMap, with the CA certificate
+ in a key named `ca.crt`. \n Support: Implementation-specific
+ (More than one reference, or other kinds of resources)."
+ items:
+ description: "LocalObjectReference identifies an API object
+ within the namespace of the referrer. The API object must
+ be valid in the cluster; the Group and Kind must be registered
+ in the cluster for this reference to be valid. \n References
+ to objects with invalid Group and Kind are not valid, and
+ must be rejected by the implementation, with appropriate Conditions
+ set on the containing object."
+ properties:
+ group:
+ description: Group is the group of the referent. For example,
+ "gateway.networking.k8s.io". When unspecified or empty
+ string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example "HTTPRoute"
+ or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ type: array
+ hostname:
+ description: "Hostname is used for two purposes in the connection
+ between Gateways and backends: \n 1. Hostname MUST be used as
+ the SNI to connect to the backend (RFC 6066). 2. Hostname MUST
+ be used for authentication and MUST match the certificate served
+ by the matching backend. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ wellKnownCACerts:
+ description: "WellKnownCACerts specifies whether system CA certificates
+ may be used in the TLS handshake between the gateway and backend
+ pod. \n If WellKnownCACerts is unspecified or empty (\"\"),
+ then CACertRefs must be specified with at least one entry for
+ a valid configuration. Only one of CACertRefs or WellKnownCACerts
+ may be specified, not both. \n Support: Core for \"System\""
+ enum:
+ - System
+ type: string
+ required:
+ - hostname
+ type: object
+ x-kubernetes-validations:
+ - message: must not contain both CACertRefs and WellKnownCACerts
+ rule: '!(has(self.caCertRefs) && size(self.caCertRefs) > 0 && has(self.wellKnownCACerts)
+ && self.wellKnownCACerts != "")'
+ - message: must specify either CACertRefs or WellKnownCACerts
+ rule: (has(self.caCertRefs) && size(self.caCertRefs) > 0 || has(self.wellKnownCACerts)
+ && self.wellKnownCACerts != "")
+ required:
+ - targetRef
+ - tls
+ type: object
+ status:
+ description: Status defines the current state of BackendTLSPolicy.
+ properties:
+ ancestors:
+ description: "Ancestors is a list of ancestor resources (usually Gateways)
+ that are associated with the policy, and the status of the policy
+ with respect to each ancestor. When this policy attaches to a parent,
+ the controller that manages the parent and the ancestors MUST add
+ an entry to this list when the controller first sees the policy
+ and SHOULD update the entry as appropriate when the relevant ancestor
+ is modified. \n Note that choosing the relevant ancestor is left
+ to the Policy designers; an important part of Policy design is designing
+ the right object level at which to namespace this status. \n Note
+ also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations
+ MUST use the ControllerName field to uniquely identify the entries
+ in this list that they are responsible for. \n Note that to achieve
+ this, the list of PolicyAncestorStatus structs MUST be treated as
+ a map with a composite key, made up of the AncestorRef and ControllerName
+ fields combined. \n A maximum of 16 ancestors will be represented
+ in this list. An empty list means the Policy is not relevant for
+ any ancestors. \n If this slice is full, implementations MUST NOT
+ add further entries. Instead they MUST consider the policy unimplementable
+ and signal that on any related resources such as the ancestor that
+ would be referenced here. For example, if this list was full on
+ BackendTLSPolicy, no additional Gateways would be able to reference
+ the Service targeted by the BackendTLSPolicy."
+ items:
+ description: "PolicyAncestorStatus describes the status of a route
+ with respect to an associated Ancestor. \n Ancestors refer to
+ objects that are either the Target of a policy or above it in
+ terms of object hierarchy. For example, if a policy targets a
+ Service, the Policy's Ancestors are, in order, the Service, the
+ HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
+ this hierarchy, the Gateway will be the most useful object to
+ place Policy status on, so we recommend that implementations SHOULD
+ use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise. \n In the context of policy
+ attachment, the Ancestor is used to distinguish which resource
+ results in a distinct application of this policy. For example,
+ if a policy targets a Service, it may have a distinct result per
+ attached Gateway. \n Policies targeting the same resource may
+ have different effects depending on the ancestors of those resources.
+ For example, different Gateways targeting the same Service may
+ have different capabilities, especially if they have different
+ underlying implementations. \n For example, in BackendTLSPolicy,
+ the Policy attaches to a Service that is used as a backend in
+ a HTTPRoute that is itself attached to a Gateway. In this case,
+ the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status. \n Note that a parent
+ is also an ancestor, so for objects where the parent is the relevant
+ object for status, this struct SHOULD still be used. \n This struct
+ is intended to be used in a slice that's effectively a map, with
+ a composite key made up of the AncestorRef and the ControllerName."
+ properties:
+ ancestorRef:
+ description: AncestorRef corresponds with a ParentRef in the
+ spec that this PolicyAncestorStatus struct describes the status
+ of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the
+ core API group (such as for a \"Service\" kind referent),
+ Group must be explicitly set to \"\" (empty string). \n
+ Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are
+ two kinds of parent resources with \"Core\" support: \n
+ * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services
+ only) \n Support for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent.
+ When unspecified, this refers to the local namespace of
+ the Route. \n Note that there are specific rules for ParentRefs
+ which cross namespace boundaries. Cross-namespace references
+ are only valid if they are explicitly allowed by something
+ in the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides
+ a generic way to enable any other kind of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes, which apply
+ default routing rules to inbound connections from any
+ namespace to the Service. \n ParentRefs from a Route to
+ a Service in a different namespace are \"consumer\" routes,
+ and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for
+ which the intended destination of the connections are
+ a Service targeted as a ParentRef of the Route. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets.
+ It can be interpreted differently based on the type of
+ parent resource. \n When the parent resource is a Gateway,
+ this targets all listeners listening on the specified
+ port that also support this kind of Route(and select this
+ Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to
+ a specific port as opposed to a listener(s) whose port(s)
+ may be changed. When both Port and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. \n When the parent resource is
+ a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected port must
+ match both specified values. \n Implementations MAY choose
+ to support other parent resources. Implementations supporting
+ other types of parent resources MUST clearly document
+ how/if Port is interpreted. \n For the purpose of status,
+ an attachment is considered successful as long as the
+ parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them
+ by Route kind, namespace, or hostname. If 1 of 2 Gateway
+ listeners accept attachment from the referencing Route,
+ the Route MUST be considered successfully attached. If
+ no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within
+ the target resource. In the following resources, SectionName
+ is interpreted as the following: \n * Gateway: Listener
+ Name. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected listener
+ must match both specified values. * Service: Port Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services
+ as Parents is part of experimental Mesh support and is
+ not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this
+ will reference the entire resource. For the purpose of
+ status, an attachment is considered successful if at least
+ one section in the parent resource accepts it. For example,
+ Gateway listeners can restrict which Routes can attach
+ to them by Route kind, namespace, or hostname. If 1 of
+ 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy with
+ respect to the given Ancestor.
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: "ControllerName is a domain/path string that indicates
+ the name of the controller that wrote this status. This corresponds
+ with the controllerName field on GatewayClass. \n Example:
+ \"example.net/gateway-controller\". \n The format of this
+ field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+ Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ \n Controllers MUST populate this field when writing status.
+ Controllers should ensure that entries to status populated
+ with their ControllerName are cleaned up when they are no
+ longer necessary."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: gatewayclasses.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: GatewayClass
+ listKind: GatewayClassList
+ plural: gatewayclasses
+ shortNames:
+ - gc
+ singular: gatewayclass
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.controllerName
+ name: Controller
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: "GatewayClass describes a class of Gateways available to the
+ user for creating Gateway resources. \n It is recommended that this resource
+ be used as a template for Gateways. This means that a Gateway is based on
+ the state of the GatewayClass at the time it was created and changes to
+ the GatewayClass or associated parameters are not propagated down to existing
+ Gateways. This recommendation is intended to limit the blast radius of changes
+ to GatewayClass or associated parameters. If implementations choose to propagate
+ GatewayClass changes to existing Gateways, that MUST be clearly documented
+ by the implementation. \n Whenever one or more Gateways are using a GatewayClass,
+ implementations SHOULD add the `gateway-exists-finalizer.gateway.networking.k8s.io`
+ finalizer on the associated GatewayClass. This ensures that a GatewayClass
+ associated with a Gateway is not deleted while in use. \n GatewayClass is
+ a Cluster level resource."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GatewayClass.
+ properties:
+ controllerName:
+ description: "ControllerName is the name of the controller that is
+ managing Gateways of this class. The value of this field MUST be
+ a domain prefixed path. \n Example: \"example.net/gateway-controller\".
+ \n This field is not mutable and cannot be empty. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: "ParametersRef is a reference to a resource that contains
+ the configuration parameters corresponding to the GatewayClass.
+ This is optional if the controller does not require any additional
+ configuration. \n ParametersRef can reference a standard Kubernetes
+ resource, i.e. ConfigMap, or an implementation-specific custom resource.
+ The resource can be cluster-scoped or namespace-scoped. \n If the
+ referent cannot be found, the GatewayClass's \"InvalidParameters\"
+ status condition will be true. \n Support: Implementation-specific"
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: Namespace is the namespace of the referent. This
+ field is required when referring to a Namespace-scoped resource
+ and MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Waiting
+ status: Unknown
+ type: Accepted
+ description: "Status defines the current state of GatewayClass. \n Implementations
+ MUST populate status on all GatewayClass resources which specify their
+ controller name."
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: "Conditions is the current status from the controller
+ for this GatewayClass. \n Controllers should prefer to publish conditions
+ using values of GatewayClassConditionType for the type of each Condition."
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ supportedFeatures:
+ description: 'SupportedFeatures is the set of features the GatewayClass
+ support. It MUST be sorted in ascending alphabetical order. '
+ items:
+ description: SupportedFeature is used to describe distinct features
+ that are covered by conformance tests.
+ enum:
+ - Gateway
+ - GatewayPort8080
+ - GatewayStaticAddresses
+ - HTTPRoute
+ - HTTPRouteDestinationPortMatching
+ - HTTPRouteHostRewrite
+ - HTTPRouteMethodMatching
+ - HTTPRoutePathRedirect
+ - HTTPRoutePathRewrite
+ - HTTPRoutePortRedirect
+ - HTTPRouteQueryParamMatching
+ - HTTPRouteRequestMirror
+ - HTTPRouteRequestMultipleMirrors
+ - HTTPRouteResponseHeaderModification
+ - HTTPRouteSchemeRedirect
+ - Mesh
+ - ReferenceGrant
+ - TLSRoute
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.controllerName
+ name: Controller
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: "GatewayClass describes a class of Gateways available to the
+ user for creating Gateway resources. \n It is recommended that this resource
+ be used as a template for Gateways. This means that a Gateway is based on
+ the state of the GatewayClass at the time it was created and changes to
+ the GatewayClass or associated parameters are not propagated down to existing
+ Gateways. This recommendation is intended to limit the blast radius of changes
+ to GatewayClass or associated parameters. If implementations choose to propagate
+ GatewayClass changes to existing Gateways, that MUST be clearly documented
+ by the implementation. \n Whenever one or more Gateways are using a GatewayClass,
+ implementations SHOULD add the `gateway-exists-finalizer.gateway.networking.k8s.io`
+ finalizer on the associated GatewayClass. This ensures that a GatewayClass
+ associated with a Gateway is not deleted while in use. \n GatewayClass is
+ a Cluster level resource."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GatewayClass.
+ properties:
+ controllerName:
+ description: "ControllerName is the name of the controller that is
+ managing Gateways of this class. The value of this field MUST be
+ a domain prefixed path. \n Example: \"example.net/gateway-controller\".
+ \n This field is not mutable and cannot be empty. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: "ParametersRef is a reference to a resource that contains
+ the configuration parameters corresponding to the GatewayClass.
+ This is optional if the controller does not require any additional
+ configuration. \n ParametersRef can reference a standard Kubernetes
+ resource, i.e. ConfigMap, or an implementation-specific custom resource.
+ The resource can be cluster-scoped or namespace-scoped. \n If the
+ referent cannot be found, the GatewayClass's \"InvalidParameters\"
+ status condition will be true. \n Support: Implementation-specific"
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: Namespace is the namespace of the referent. This
+ field is required when referring to a Namespace-scoped resource
+ and MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Waiting
+ status: Unknown
+ type: Accepted
+ description: "Status defines the current state of GatewayClass. \n Implementations
+ MUST populate status on all GatewayClass resources which specify their
+ controller name."
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: "Conditions is the current status from the controller
+ for this GatewayClass. \n Controllers should prefer to publish conditions
+ using values of GatewayClassConditionType for the type of each Condition."
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ supportedFeatures:
+ description: 'SupportedFeatures is the set of features the GatewayClass
+ support. It MUST be sorted in ascending alphabetical order. '
+ items:
+ description: SupportedFeature is used to describe distinct features
+ that are covered by conformance tests.
+ enum:
+ - Gateway
+ - GatewayPort8080
+ - GatewayStaticAddresses
+ - HTTPRoute
+ - HTTPRouteDestinationPortMatching
+ - HTTPRouteHostRewrite
+ - HTTPRouteMethodMatching
+ - HTTPRoutePathRedirect
+ - HTTPRoutePathRewrite
+ - HTTPRoutePortRedirect
+ - HTTPRouteQueryParamMatching
+ - HTTPRouteRequestMirror
+ - HTTPRouteRequestMultipleMirrors
+ - HTTPRouteResponseHeaderModification
+ - HTTPRouteSchemeRedirect
+ - Mesh
+ - ReferenceGrant
+ - TLSRoute
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_gateways.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: gateways.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: Gateway
+ listKind: GatewayList
+ plural: gateways
+ shortNames:
+ - gtw
+ singular: gateway
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.gatewayClassName
+ name: Class
+ type: string
+ - jsonPath: .status.addresses[*].value
+ name: Address
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: Gateway represents an instance of a service-traffic handling
+ infrastructure by binding Listeners to a set of IP addresses.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Gateway.
+ properties:
+ addresses:
+ description: "Addresses requested for this Gateway. This is optional
+ and behavior can depend on the implementation. If a value is set
+ in the spec and the requested address is invalid or unavailable,
+ the implementation MUST indicate this in the associated entry in
+ GatewayStatus.Addresses. \n The Addresses field represents a request
+ for the address(es) on the \"outside of the Gateway\", that traffic
+ bound for this Gateway will use. This could be the IP address or
+ hostname of an external load balancer or other networking infrastructure,
+ or some other address that traffic will be sent to. \n If no Addresses
+ are specified, the implementation MAY schedule the Gateway in an
+ implementation-specific manner, assigning an appropriate set of
+ Addresses. \n The implementation MUST bind all Listeners to every
+ GatewayAddress that it assigns to the Gateway and add a corresponding
+ entry in GatewayStatus.Addresses. \n Support: Extended \n "
+ items:
+ description: GatewayAddress describes an address that can be bound
+ to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: "Value of the address. The validity of the values
+ will depend on the type and support by the controller. \n
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: IPAddress values must be unique
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ - message: Hostname values must be unique
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ gatewayClassName:
+ description: GatewayClassName used for this Gateway. This is the name
+ of a GatewayClass resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ infrastructure:
+ description: "Infrastructure defines infrastructure level attributes
+ about this Gateway instance. \n Support: Core \n "
+ properties:
+ annotations:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation in
+ Gateway API. This is used for validation of maps such as TLS
+ options. This roughly matches Kubernetes annotation validation,
+ although the length validation in that case is based on the
+ entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Annotations that SHOULD be applied to any resources
+ created in response to this Gateway. \n For implementations
+ creating other Kubernetes objects, this should be the `metadata.annotations`
+ field on resources. For other implementations, this refers to
+ any relevant (implementation specific) \"annotations\" concepts.
+ \n An implementation may chose to add additional implementation-specific
+ annotations as they see fit. \n Support: Extended"
+ maxProperties: 8
+ type: object
+ labels:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation in
+ Gateway API. This is used for validation of maps such as TLS
+ options. This roughly matches Kubernetes annotation validation,
+ although the length validation in that case is based on the
+ entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Labels that SHOULD be applied to any resources created
+ in response to this Gateway. \n For implementations creating
+ other Kubernetes objects, this should be the `metadata.labels`
+ field on resources. For other implementations, this refers to
+ any relevant (implementation specific) \"labels\" concepts.
+ \n An implementation may chose to add additional implementation-specific
+ labels as they see fit. \n Support: Extended"
+ maxProperties: 8
+ type: object
+ type: object
+ listeners:
+ description: "Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses. At
+ least one Listener MUST be specified. \n Each Listener in a set
+ of Listeners (for example, in a single Gateway) MUST be _distinct_,
+ in that a traffic flow MUST be able to be assigned to exactly one
+ listener. (This section uses \"set of Listeners\" rather than \"Listeners
+ in a single Gateway\" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules
+ _also_ apply in that case). \n Practically, this means that each
+ listener in a set MUST have a unique combination of Port, Protocol,
+ and, if supported by the protocol, Hostname. \n Some combinations
+ of port, protocol, and TLS settings are considered Core support
+ and MUST be supported by implementations based on their targeted
+ conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80,
+ Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode:
+ Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port:
+ 443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners
+ have the following property: \n The implementation can match inbound
+ requests to a single distinct Listener. When multiple Listeners
+ share values for fields (for example, two Listeners with the same
+ Port value), the implementation can match requests to only one of
+ the Listeners using other Listener fields. \n For example, the following
+ Listener scenarios are distinct: \n 1. Multiple Listeners with the
+ same Port that all use the \"HTTP\" Protocol that all have unique
+ Hostname values. 2. Multiple Listeners with the same Port that use
+ either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname
+ values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners,
+ where no Listener with the same Protocol has the same Port value.
+ \n Some fields in the Listener struct have possible values that
+ affect whether the Listener is distinct. Hostname is particularly
+ relevant for HTTP or HTTPS protocols. \n When using the Hostname
+ value to select between same-Port, same-Protocol Listeners, the
+ Hostname value must be different on each Listener for the Listener
+ to be distinct. \n When the Listeners are distinct based on Hostname,
+ inbound request hostnames MUST match from the most specific to least
+ specific Hostname values to choose the correct Listener and its
+ associated set of Routes. \n Exact matches must be processed before
+ wildcard matches, and wildcard matches must be processed before
+ fallback (empty Hostname value) matches. For example, `\"foo.example.com\"`
+ takes precedence over `\"*.example.com\"`, and `\"*.example.com\"`
+ takes precedence over `\"\"`. \n Additionally, if there are multiple
+ wildcard entries, more specific wildcard entries must be processed
+ before less specific wildcard entries. For example, `\"*.foo.example.com\"`
+ takes precedence over `\"*.example.com\"`. The precise definition
+ here is that the higher the number of dots in the hostname to the
+ right of the wildcard character, the higher the precedence. \n The
+ wildcard character will match any number of characters _and dots_
+ to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"`
+ _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners
+ that are not distinct, then those Listeners are Conflicted, and
+ the implementation MUST set the \"Conflicted\" condition in the
+ Listener Status to \"True\". \n Implementations MAY choose to accept
+ a Gateway with some Conflicted Listeners only if they only accept
+ the partial Listener set that contains no Conflicted Listeners.
+ To put this another way, implementations may accept a partial Listener
+ set only if they throw out *all* the conflicting Listeners. No picking
+ one of the conflicting listeners as the winner. This also means
+ that the Gateway must have at least one non-conflicting Listener
+ in this case, otherwise it violates the requirement that at least
+ one Listener must be present. \n The implementation MUST set a \"ListenersNotValid\"
+ condition on the Gateway Status when the Gateway contains Conflicted
+ Listeners whether or not they accept the Gateway. That Condition
+ SHOULD clearly indicate in the Message which Listeners are conflicted,
+ and which are Accepted. Additionally, the Listener status for those
+ listeners SHOULD indicate which Listeners are conflicted and not
+ Accepted. \n A Gateway's Listeners are considered \"compatible\"
+ if: \n 1. They are distinct. 2. The implementation can serve them
+ in compliance with the Addresses requirement that all Listeners
+ are available on all assigned addresses. \n Compatible combinations
+ in Extended support are expected to vary across implementations.
+ A combination that is compatible for one implementation may not
+ be compatible for another. \n For example, an implementation that
+ cannot serve both TCP and UDP listeners on the same address, or
+ cannot mix HTTPS and generic TLS listens on the same port would
+ not consider those cases compatible, even though they are distinct.
+ \n Note that requests SHOULD match at most one Listener. For example,
+ if Listeners are defined for \"foo.example.com\" and \"*.example.com\",
+ a request to \"foo.example.com\" SHOULD only be routed using routes
+ attached to the \"foo.example.com\" Listener (and not the \"*.example.com\"
+ Listener). This concept is known as \"Listener Isolation\". Implementations
+ that do not support Listener Isolation MUST clearly document this.
+ \n Implementations MAY merge separate Gateways onto a single set
+ of Addresses if all Listeners across all Gateways are compatible.
+ \n Support: Core"
+ items:
+ description: Listener embodies the concept of a logical endpoint
+ where a Gateway accepts network connections.
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: "AllowedRoutes defines the types of routes that
+ MAY be attached to a Listener and the trusted namespaces where
+ those Route resources MAY be present. \n Although a client
+ request may match multiple route rules, only one rule may
+ ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria: \n * The most
+ specific match as defined by the Route type. * The oldest
+ Route based on creation timestamp. For example, a Route with
+ a creation timestamp of \"2020-09-08 01:02:03\" is given precedence
+ over a Route with a creation timestamp of \"2020-09-08 01:02:04\".
+ * If everything else is equivalent, the Route appearing first
+ in alphabetical order (namespace/name) should be given precedence.
+ For example, foo/bar is given precedence over foo/baz. \n
+ All valid rules within a Route attached to this Listener should
+ be implemented. Invalid Route rules can be ignored (sometimes
+ that will mean the full Route). If a Route rule transitions
+ from valid to invalid, support for that Route rule should
+ be dropped to ensure consistency. For example, even if a filter
+ specified by a Route rule is invalid, the rest of the rules
+ within that Route should still be supported. \n Support: Core"
+ properties:
+ kinds:
+ description: "Kinds specifies the groups and kinds of Routes
+ that are allowed to bind to this Gateway Listener. When
+ unspecified or empty, the kinds of Routes selected are
+ determined using the Listener protocol. \n A RouteGroupKind
+ MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's
+ Protocol field. If an implementation does not support
+ or recognize this resource type, it MUST set the \"ResolvedRefs\"
+ condition to False for this Listener with the \"InvalidRouteKinds\"
+ reason. \n Support: Core"
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ namespaces:
+ default:
+ from: Same
+ description: "Namespaces indicates namespaces from which
+ Routes may be attached to this Listener. This is restricted
+ to the namespace of this Gateway by default. \n Support:
+ Core"
+ properties:
+ from:
+ default: Same
+ description: "From indicates where Routes will be selected
+ for this Gateway. Possible values are: \n * All: Routes
+ in all namespaces may be used by this Gateway. * Selector:
+ Routes in namespaces selected by the selector may
+ be used by this Gateway. * Same: Only Routes in the
+ same namespace may be used by this Gateway. \n Support:
+ Core"
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: "Selector must be specified when From is
+ set to \"Selector\". In that case, only Routes in
+ Namespaces matching this Selector will be selected
+ by this Gateway. This field is ignored for other values
+ of \"From\". \n Support: Core"
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: "Hostname specifies the virtual hostname to match
+ for protocol types that define this concept. When unspecified,
+ all hostnames are matched. This field is ignored for protocols
+ that don't require hostname based matching. \n Implementations
+ MUST apply Hostname matching appropriately for each of the
+ following protocols: \n * TLS: The Listener Hostname MUST
+ match the SNI. * HTTP: The Listener Hostname MUST match the
+ Host header of the request. * HTTPS: The Listener Hostname
+ SHOULD match at both the TLS and HTTP protocol layers as described
+ above. If an implementation does not ensure that both the
+ SNI and Host header match the Listener hostname, it MUST clearly
+ document that. \n For HTTPRoute and TLSRoute resources, there
+ is an interaction with the `spec.hostnames` array. When both
+ listener and route specify hostnames, there MUST be an intersection
+ between the values for a Route to be accepted. For more information,
+ refer to the Route specific Hostnames documentation. \n Hostnames
+ that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com`
+ would match both `test.example.com`, and `foo.test.example.com`,
+ but not `example.com`. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: "Name is the name of the Listener. This name MUST
+ be unique within a Gateway. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: "Port is the network port. Multiple listeners may
+ use the same port, subject to the Listener compatibility rules.
+ \n Support: Core"
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: "Protocol specifies the network protocol this listener
+ expects to receive. \n Support: Core"
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: "TLS is the TLS configuration for the Listener.
+ This field is required if the Protocol field is \"HTTPS\"
+ or \"TLS\". It is invalid to set this field if the Protocol
+ field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
+ of SNIs to Certificate defined in GatewayTLSConfig is defined
+ based on the Hostname field for this listener. \n The GatewayClass
+ MUST use the longest matching SNI out of all available certificates
+ for any TLS handshake. \n Support: Core"
+ properties:
+ certificateRefs:
+ description: "CertificateRefs contains a series of references
+ to Kubernetes objects that contains TLS certificates and
+ private keys. These certificates are used to establish
+ a TLS handshake for requests that match the hostname of
+ the associated listener. \n A single CertificateRef to
+ a Kubernetes Secret has \"Core\" support. Implementations
+ MAY choose to support attaching multiple certificates
+ to a Listener, but this behavior is implementation-specific.
+ \n References to a resource in different namespace are
+ invalid UNLESS there is a ReferenceGrant in the target
+ namespace that allows the certificate to be attached.
+ If a ReferenceGrant does not allow this reference, the
+ \"ResolvedRefs\" condition MUST be set to False for this
+ listener with the \"RefNotPermitted\" reason. \n This
+ field is required to have at least one element when the
+ mode is set to \"Terminate\" (default) and is optional
+ otherwise. \n CertificateRefs can reference to standard
+ Kubernetes resources, i.e. Secret, or implementation-specific
+ custom resources. \n Support: Core - A single reference
+ to a Kubernetes Secret of type kubernetes.io/tls \n Support:
+ Implementation-specific (More than one reference or other
+ resource types)"
+ items:
+ description: "SecretObjectReference identifies an API
+ object including its namespace, defaulting to Secret.
+ \n The API object must be valid in the cluster; the
+ Group and Kind must be registered in the cluster for
+ this reference to be valid. \n References to objects
+ with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate
+ Conditions set on the containing object."
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent. For
+ example, "gateway.networking.k8s.io". When unspecified
+ or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referenced
+ object. When unspecified, the local namespace is
+ inferred. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to
+ allow that namespace's owner to accept the reference.
+ See the ReferenceGrant documentation for details.
+ \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ mode:
+ default: Terminate
+ description: "Mode defines the TLS behavior for the TLS
+ session initiated by the client. There are two possible
+ modes: \n - Terminate: The TLS session between the downstream
+ client and the Gateway is terminated at the Gateway. This
+ mode requires certificateRefs to be set and contain at
+ least one element. - Passthrough: The TLS session is NOT
+ terminated by the Gateway. This implies that the Gateway
+ can't decipher the TLS stream except for the ClientHello
+ message of the TLS protocol. CertificateRefs field is
+ ignored in this mode. \n Support: Core"
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation
+ in Gateway API. This is used for validation of maps
+ such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation
+ in that case is based on the entire size of the annotations
+ struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Options are a list of key/value pairs to enable
+ extended TLS configuration for each implementation. For
+ example, configuring the minimum TLS version or supported
+ cipher suites. \n A set of common keys MAY be defined
+ by the API in the future. To avoid any ambiguity, implementation-specific
+ definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by
+ Gateway API. \n Support: Implementation-specific"
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs must be specified when TLSModeType
+ is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must be specified for protocols ['HTTPS', 'TLS']
+ rule: 'self.all(l, l.protocol in [''HTTPS'', ''TLS''] ? has(l.tls)
+ : true)'
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ required:
+ - gatewayClassName
+ - listeners
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of Gateway.
+ properties:
+ addresses:
+ description: "Addresses lists the network addresses that have been
+ bound to the Gateway. \n This list may differ from the addresses
+ provided in the spec under some conditions: \n * no addresses are
+ specified, all addresses are dynamically assigned * a combination
+ of specified and dynamic addresses are assigned * a specified address
+ was unusable (e.g. already in use) \n "
+ items:
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: "Value of the address. The validity of the values
+ will depend on the type and support by the controller. \n
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: "Conditions describe the current conditions of the Gateway.
+ \n Implementations should prefer to express Gateway conditions using
+ the `GatewayConditionType` and `GatewayConditionReason` constants
+ so that operators and tools can converge on a common vocabulary
+ to describe Gateway state. \n Known condition types are: \n * \"Accepted\"
+ * \"Programmed\" * \"Ready\""
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: "AttachedRoutes represents the total number of
+ Routes that have been successfully attached to this Listener.
+ \n Successful attachment of a Route to a Listener is based
+ solely on the combination of the AllowedRoutes field on the
+ corresponding Listener and the Route's ParentRefs field. A
+ Route is successfully attached to a Listener when it is selected
+ by the Listener's AllowedRoutes field AND the Route has a
+ valid ParentRef selecting the whole Gateway resource or a
+ specific Listener as a parent resource (more detail on attachment
+ semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does
+ not impact successful attachment, i.e. the AttachedRoutes
+ field count MUST be set for Listeners with condition Accepted:
+ false and MUST count successfully attached Routes that may
+ themselves have Accepted: false conditions. \n Uses for this
+ field include troubleshooting Route attachment and measuring
+ blast radius/impact of changes to a Listener."
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: "SupportedKinds is the list indicating the Kinds
+ supported by this listener. This MUST represent the kinds
+ an implementation supports for that Listener configuration.
+ \n If kinds are specified in Spec that are not supported,
+ they MUST NOT appear in this list and an implementation MUST
+ set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
+ reason. If both valid and invalid Route kinds are specified,
+ the implementation MUST reference the valid Route kinds that
+ have been specified."
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ - supportedKinds
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.gatewayClassName
+ name: Class
+ type: string
+ - jsonPath: .status.addresses[*].value
+ name: Address
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: Gateway represents an instance of a service-traffic handling
+ infrastructure by binding Listeners to a set of IP addresses.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Gateway.
+ properties:
+ addresses:
+ description: "Addresses requested for this Gateway. This is optional
+ and behavior can depend on the implementation. If a value is set
+ in the spec and the requested address is invalid or unavailable,
+ the implementation MUST indicate this in the associated entry in
+ GatewayStatus.Addresses. \n The Addresses field represents a request
+ for the address(es) on the \"outside of the Gateway\", that traffic
+ bound for this Gateway will use. This could be the IP address or
+ hostname of an external load balancer or other networking infrastructure,
+ or some other address that traffic will be sent to. \n If no Addresses
+ are specified, the implementation MAY schedule the Gateway in an
+ implementation-specific manner, assigning an appropriate set of
+ Addresses. \n The implementation MUST bind all Listeners to every
+ GatewayAddress that it assigns to the Gateway and add a corresponding
+ entry in GatewayStatus.Addresses. \n Support: Extended \n "
+ items:
+ description: GatewayAddress describes an address that can be bound
+ to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: "Value of the address. The validity of the values
+ will depend on the type and support by the controller. \n
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: IPAddress values must be unique
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ - message: Hostname values must be unique
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ gatewayClassName:
+ description: GatewayClassName used for this Gateway. This is the name
+ of a GatewayClass resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ infrastructure:
+ description: "Infrastructure defines infrastructure level attributes
+ about this Gateway instance. \n Support: Core \n "
+ properties:
+ annotations:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation in
+ Gateway API. This is used for validation of maps such as TLS
+ options. This roughly matches Kubernetes annotation validation,
+ although the length validation in that case is based on the
+ entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Annotations that SHOULD be applied to any resources
+ created in response to this Gateway. \n For implementations
+ creating other Kubernetes objects, this should be the `metadata.annotations`
+ field on resources. For other implementations, this refers to
+ any relevant (implementation specific) \"annotations\" concepts.
+ \n An implementation may chose to add additional implementation-specific
+ annotations as they see fit. \n Support: Extended"
+ maxProperties: 8
+ type: object
+ labels:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation in
+ Gateway API. This is used for validation of maps such as TLS
+ options. This roughly matches Kubernetes annotation validation,
+ although the length validation in that case is based on the
+ entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Labels that SHOULD be applied to any resources created
+ in response to this Gateway. \n For implementations creating
+ other Kubernetes objects, this should be the `metadata.labels`
+ field on resources. For other implementations, this refers to
+ any relevant (implementation specific) \"labels\" concepts.
+ \n An implementation may chose to add additional implementation-specific
+ labels as they see fit. \n Support: Extended"
+ maxProperties: 8
+ type: object
+ type: object
+ listeners:
+ description: "Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses. At
+ least one Listener MUST be specified. \n Each Listener in a set
+ of Listeners (for example, in a single Gateway) MUST be _distinct_,
+ in that a traffic flow MUST be able to be assigned to exactly one
+ listener. (This section uses \"set of Listeners\" rather than \"Listeners
+ in a single Gateway\" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules
+ _also_ apply in that case). \n Practically, this means that each
+ listener in a set MUST have a unique combination of Port, Protocol,
+ and, if supported by the protocol, Hostname. \n Some combinations
+ of port, protocol, and TLS settings are considered Core support
+ and MUST be supported by implementations based on their targeted
+ conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80,
+ Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode:
+ Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port:
+ 443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners
+ have the following property: \n The implementation can match inbound
+ requests to a single distinct Listener. When multiple Listeners
+ share values for fields (for example, two Listeners with the same
+ Port value), the implementation can match requests to only one of
+ the Listeners using other Listener fields. \n For example, the following
+ Listener scenarios are distinct: \n 1. Multiple Listeners with the
+ same Port that all use the \"HTTP\" Protocol that all have unique
+ Hostname values. 2. Multiple Listeners with the same Port that use
+ either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname
+ values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners,
+ where no Listener with the same Protocol has the same Port value.
+ \n Some fields in the Listener struct have possible values that
+ affect whether the Listener is distinct. Hostname is particularly
+ relevant for HTTP or HTTPS protocols. \n When using the Hostname
+ value to select between same-Port, same-Protocol Listeners, the
+ Hostname value must be different on each Listener for the Listener
+ to be distinct. \n When the Listeners are distinct based on Hostname,
+ inbound request hostnames MUST match from the most specific to least
+ specific Hostname values to choose the correct Listener and its
+ associated set of Routes. \n Exact matches must be processed before
+ wildcard matches, and wildcard matches must be processed before
+ fallback (empty Hostname value) matches. For example, `\"foo.example.com\"`
+ takes precedence over `\"*.example.com\"`, and `\"*.example.com\"`
+ takes precedence over `\"\"`. \n Additionally, if there are multiple
+ wildcard entries, more specific wildcard entries must be processed
+ before less specific wildcard entries. For example, `\"*.foo.example.com\"`
+ takes precedence over `\"*.example.com\"`. The precise definition
+ here is that the higher the number of dots in the hostname to the
+ right of the wildcard character, the higher the precedence. \n The
+ wildcard character will match any number of characters _and dots_
+ to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"`
+ _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners
+ that are not distinct, then those Listeners are Conflicted, and
+ the implementation MUST set the \"Conflicted\" condition in the
+ Listener Status to \"True\". \n Implementations MAY choose to accept
+ a Gateway with some Conflicted Listeners only if they only accept
+ the partial Listener set that contains no Conflicted Listeners.
+ To put this another way, implementations may accept a partial Listener
+ set only if they throw out *all* the conflicting Listeners. No picking
+ one of the conflicting listeners as the winner. This also means
+ that the Gateway must have at least one non-conflicting Listener
+ in this case, otherwise it violates the requirement that at least
+ one Listener must be present. \n The implementation MUST set a \"ListenersNotValid\"
+ condition on the Gateway Status when the Gateway contains Conflicted
+ Listeners whether or not they accept the Gateway. That Condition
+ SHOULD clearly indicate in the Message which Listeners are conflicted,
+ and which are Accepted. Additionally, the Listener status for those
+ listeners SHOULD indicate which Listeners are conflicted and not
+ Accepted. \n A Gateway's Listeners are considered \"compatible\"
+ if: \n 1. They are distinct. 2. The implementation can serve them
+ in compliance with the Addresses requirement that all Listeners
+ are available on all assigned addresses. \n Compatible combinations
+ in Extended support are expected to vary across implementations.
+ A combination that is compatible for one implementation may not
+ be compatible for another. \n For example, an implementation that
+ cannot serve both TCP and UDP listeners on the same address, or
+ cannot mix HTTPS and generic TLS listens on the same port would
+ not consider those cases compatible, even though they are distinct.
+ \n Note that requests SHOULD match at most one Listener. For example,
+ if Listeners are defined for \"foo.example.com\" and \"*.example.com\",
+ a request to \"foo.example.com\" SHOULD only be routed using routes
+ attached to the \"foo.example.com\" Listener (and not the \"*.example.com\"
+ Listener). This concept is known as \"Listener Isolation\". Implementations
+ that do not support Listener Isolation MUST clearly document this.
+ \n Implementations MAY merge separate Gateways onto a single set
+ of Addresses if all Listeners across all Gateways are compatible.
+ \n Support: Core"
+ items:
+ description: Listener embodies the concept of a logical endpoint
+ where a Gateway accepts network connections.
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: "AllowedRoutes defines the types of routes that
+ MAY be attached to a Listener and the trusted namespaces where
+ those Route resources MAY be present. \n Although a client
+ request may match multiple route rules, only one rule may
+ ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria: \n * The most
+ specific match as defined by the Route type. * The oldest
+ Route based on creation timestamp. For example, a Route with
+ a creation timestamp of \"2020-09-08 01:02:03\" is given precedence
+ over a Route with a creation timestamp of \"2020-09-08 01:02:04\".
+ * If everything else is equivalent, the Route appearing first
+ in alphabetical order (namespace/name) should be given precedence.
+ For example, foo/bar is given precedence over foo/baz. \n
+ All valid rules within a Route attached to this Listener should
+ be implemented. Invalid Route rules can be ignored (sometimes
+ that will mean the full Route). If a Route rule transitions
+ from valid to invalid, support for that Route rule should
+ be dropped to ensure consistency. For example, even if a filter
+ specified by a Route rule is invalid, the rest of the rules
+ within that Route should still be supported. \n Support: Core"
+ properties:
+ kinds:
+ description: "Kinds specifies the groups and kinds of Routes
+ that are allowed to bind to this Gateway Listener. When
+ unspecified or empty, the kinds of Routes selected are
+ determined using the Listener protocol. \n A RouteGroupKind
+ MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's
+ Protocol field. If an implementation does not support
+ or recognize this resource type, it MUST set the \"ResolvedRefs\"
+ condition to False for this Listener with the \"InvalidRouteKinds\"
+ reason. \n Support: Core"
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ namespaces:
+ default:
+ from: Same
+ description: "Namespaces indicates namespaces from which
+ Routes may be attached to this Listener. This is restricted
+ to the namespace of this Gateway by default. \n Support:
+ Core"
+ properties:
+ from:
+ default: Same
+ description: "From indicates where Routes will be selected
+ for this Gateway. Possible values are: \n * All: Routes
+ in all namespaces may be used by this Gateway. * Selector:
+ Routes in namespaces selected by the selector may
+ be used by this Gateway. * Same: Only Routes in the
+ same namespace may be used by this Gateway. \n Support:
+ Core"
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: "Selector must be specified when From is
+ set to \"Selector\". In that case, only Routes in
+ Namespaces matching this Selector will be selected
+ by this Gateway. This field is ignored for other values
+ of \"From\". \n Support: Core"
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: "Hostname specifies the virtual hostname to match
+ for protocol types that define this concept. When unspecified,
+ all hostnames are matched. This field is ignored for protocols
+ that don't require hostname based matching. \n Implementations
+ MUST apply Hostname matching appropriately for each of the
+ following protocols: \n * TLS: The Listener Hostname MUST
+ match the SNI. * HTTP: The Listener Hostname MUST match the
+ Host header of the request. * HTTPS: The Listener Hostname
+ SHOULD match at both the TLS and HTTP protocol layers as described
+ above. If an implementation does not ensure that both the
+ SNI and Host header match the Listener hostname, it MUST clearly
+ document that. \n For HTTPRoute and TLSRoute resources, there
+ is an interaction with the `spec.hostnames` array. When both
+ listener and route specify hostnames, there MUST be an intersection
+ between the values for a Route to be accepted. For more information,
+ refer to the Route specific Hostnames documentation. \n Hostnames
+ that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com`
+ would match both `test.example.com`, and `foo.test.example.com`,
+ but not `example.com`. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: "Name is the name of the Listener. This name MUST
+ be unique within a Gateway. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: "Port is the network port. Multiple listeners may
+ use the same port, subject to the Listener compatibility rules.
+ \n Support: Core"
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: "Protocol specifies the network protocol this listener
+ expects to receive. \n Support: Core"
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: "TLS is the TLS configuration for the Listener.
+ This field is required if the Protocol field is \"HTTPS\"
+ or \"TLS\". It is invalid to set this field if the Protocol
+ field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
+ of SNIs to Certificate defined in GatewayTLSConfig is defined
+ based on the Hostname field for this listener. \n The GatewayClass
+ MUST use the longest matching SNI out of all available certificates
+ for any TLS handshake. \n Support: Core"
+ properties:
+ certificateRefs:
+ description: "CertificateRefs contains a series of references
+ to Kubernetes objects that contains TLS certificates and
+ private keys. These certificates are used to establish
+ a TLS handshake for requests that match the hostname of
+ the associated listener. \n A single CertificateRef to
+ a Kubernetes Secret has \"Core\" support. Implementations
+ MAY choose to support attaching multiple certificates
+ to a Listener, but this behavior is implementation-specific.
+ \n References to a resource in different namespace are
+ invalid UNLESS there is a ReferenceGrant in the target
+ namespace that allows the certificate to be attached.
+ If a ReferenceGrant does not allow this reference, the
+ \"ResolvedRefs\" condition MUST be set to False for this
+ listener with the \"RefNotPermitted\" reason. \n This
+ field is required to have at least one element when the
+ mode is set to \"Terminate\" (default) and is optional
+ otherwise. \n CertificateRefs can reference to standard
+ Kubernetes resources, i.e. Secret, or implementation-specific
+ custom resources. \n Support: Core - A single reference
+ to a Kubernetes Secret of type kubernetes.io/tls \n Support:
+ Implementation-specific (More than one reference or other
+ resource types)"
+ items:
+ description: "SecretObjectReference identifies an API
+ object including its namespace, defaulting to Secret.
+ \n The API object must be valid in the cluster; the
+ Group and Kind must be registered in the cluster for
+ this reference to be valid. \n References to objects
+ with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate
+ Conditions set on the containing object."
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent. For
+ example, "gateway.networking.k8s.io". When unspecified
+ or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referenced
+ object. When unspecified, the local namespace is
+ inferred. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to
+ allow that namespace's owner to accept the reference.
+ See the ReferenceGrant documentation for details.
+ \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ mode:
+ default: Terminate
+ description: "Mode defines the TLS behavior for the TLS
+ session initiated by the client. There are two possible
+ modes: \n - Terminate: The TLS session between the downstream
+ client and the Gateway is terminated at the Gateway. This
+ mode requires certificateRefs to be set and contain at
+ least one element. - Passthrough: The TLS session is NOT
+ terminated by the Gateway. This implies that the Gateway
+ can't decipher the TLS stream except for the ClientHello
+ message of the TLS protocol. CertificateRefs field is
+ ignored in this mode. \n Support: Core"
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: AnnotationValue is the value of an annotation
+ in Gateway API. This is used for validation of maps
+ such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation
+ in that case is based on the entire size of the annotations
+ struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: "Options are a list of key/value pairs to enable
+ extended TLS configuration for each implementation. For
+ example, configuring the minimum TLS version or supported
+ cipher suites. \n A set of common keys MAY be defined
+ by the API in the future. To avoid any ambiguity, implementation-specific
+ definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by
+ Gateway API. \n Support: Implementation-specific"
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs must be specified when TLSModeType
+ is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must be specified for protocols ['HTTPS', 'TLS']
+ rule: 'self.all(l, l.protocol in [''HTTPS'', ''TLS''] ? has(l.tls)
+ : true)'
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ required:
+ - gatewayClassName
+ - listeners
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of Gateway.
+ properties:
+ addresses:
+ description: "Addresses lists the network addresses that have been
+ bound to the Gateway. \n This list may differ from the addresses
+ provided in the spec under some conditions: \n * no addresses are
+ specified, all addresses are dynamically assigned * a combination
+ of specified and dynamic addresses are assigned * a specified address
+ was unusable (e.g. already in use) \n "
+ items:
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: "Value of the address. The validity of the values
+ will depend on the type and support by the controller. \n
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: "Conditions describe the current conditions of the Gateway.
+ \n Implementations should prefer to express Gateway conditions using
+ the `GatewayConditionType` and `GatewayConditionReason` constants
+ so that operators and tools can converge on a common vocabulary
+ to describe Gateway state. \n Known condition types are: \n * \"Accepted\"
+ * \"Programmed\" * \"Ready\""
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: "AttachedRoutes represents the total number of
+ Routes that have been successfully attached to this Listener.
+ \n Successful attachment of a Route to a Listener is based
+ solely on the combination of the AllowedRoutes field on the
+ corresponding Listener and the Route's ParentRefs field. A
+ Route is successfully attached to a Listener when it is selected
+ by the Listener's AllowedRoutes field AND the Route has a
+ valid ParentRef selecting the whole Gateway resource or a
+ specific Listener as a parent resource (more detail on attachment
+ semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does
+ not impact successful attachment, i.e. the AttachedRoutes
+ field count MUST be set for Listeners with condition Accepted:
+ false and MUST count successfully attached Routes that may
+ themselves have Accepted: false conditions. \n Uses for this
+ field include troubleshooting Route attachment and measuring
+ blast radius/impact of changes to a Listener."
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: "SupportedKinds is the list indicating the Kinds
+ supported by this listener. This MUST represent the kinds
+ an implementation supports for that Listener configuration.
+ \n If kinds are specified in Spec that are not supported,
+ they MUST NOT appear in this list and an implementation MUST
+ set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
+ reason. If both valid and invalid Route kinds are specified,
+ the implementation MUST reference the valid Route kinds that
+ have been specified."
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ - supportedKinds
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: grpcroutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: GRPCRoute
+ listKind: GRPCRouteList
+ plural: grpcroutes
+ singular: grpcroute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: "GRPCRoute provides a way to route gRPC requests. This includes
+ the capability to match requests by hostname, gRPC service, gRPC method,
+ or HTTP/2 header. Filters can be used to specify additional processing steps.
+ Backends specify where matching requests will be routed. \n GRPCRoute falls
+ under extended support within the Gateway API. Within the following specification,
+ the word \"MUST\" indicates that an implementation supporting GRPCRoute
+ must conform to the indicated requirement, but an implementation not supporting
+ this route type need not follow the requirement unless explicitly indicated.
+ \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType`
+ MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1,
+ i.e. via ALPN. If the implementation does not support this, then it MUST
+ set the \"Accepted\" condition to \"False\" for the affected listener with
+ a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2
+ connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute`
+ with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c,
+ https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade
+ from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4).
+ If the implementation does not support this, then it MUST set the \"Accepted\"
+ condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\".
+ Implementations MAY also accept HTTP/2 connections with an upgrade from
+ HTTP/1, i.e. without prior knowledge."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GRPCRoute.
+ properties:
+ hostnames:
+ description: "Hostnames defines a set of hostnames to match against
+ the GRPC Host header to select a GRPCRoute to process the request.
+ This matches the RFC 1123 definition of a hostname with 2 notable
+ exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed
+ with a wildcard label (`*.`). The wildcard label MUST appear by
+ itself as the first label. \n If a hostname is specified by both
+ the Listener and GRPCRoute, there MUST be at least one intersecting
+ hostname for the GRPCRoute to be attached to the Listener. For example:
+ \n * A Listener with `test.example.com` as the hostname matches
+ GRPCRoutes that have either not specified any hostnames, or have
+ specified at least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames or have specified at
+ least one hostname that matches the Listener hostname. For example,
+ `test.example.com` and `*.example.com` would both match. On the
+ other hand, `example.com` and `test.example.net` would not match.
+ \n Hostnames that are prefixed with a wildcard label (`*.`) are
+ interpreted as a suffix match. That means that a match for `*.example.com`
+ would match both `test.example.com`, and `foo.test.example.com`,
+ but not `example.com`. \n If both the Listener and GRPCRoute have
+ specified hostnames, any GRPCRoute hostnames that do not match the
+ Listener hostname MUST be ignored. For example, if a Listener specified
+ `*.example.com`, and the GRPCRoute specified `test.example.com`
+ and `test.example.net`, `test.example.net` MUST NOT be considered
+ for a match. \n If both the Listener and GRPCRoute have specified
+ hostnames, and none match with the criteria above, then the GRPCRoute
+ MUST NOT be accepted by the implementation. The implementation MUST
+ raise an 'Accepted' Condition with a status of `False` in the corresponding
+ RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute
+ is attached to a Listener and that listener already has another
+ Route (B) of the other type attached and the intersection of the
+ hostnames of A and B is non-empty, then the implementation MUST
+ accept exactly one of these two routes, determined by the following
+ criteria, in order: \n * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by \"{namespace}/{name}\".
+ \n The rejected Route MUST raise an 'Accepted' condition with a
+ status of 'False' in the corresponding RouteParentStatus. \n Support:
+ Core"
+ items:
+ description: "Hostname is the fully qualified domain name of a network
+ host. This matches the RFC 1123 definition of a hostname with
+ 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
+ may be prefixed with a wildcard label (`*.`). The wildcard label
+ must appear by itself as the first label. \n Hostname can be \"precise\"
+ which is a domain name without the terminating dot of a network
+ host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
+ name prefixed with a single wildcard label (e.g. `*.example.com`).
+ \n Note that as per RFC1035 and RFC1123, a *label* must consist
+ of lower case alphanumeric characters or '-', and must start and
+ end with an alphanumeric character. No other punctuation is allowed."
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: "ParentRefs references the resources (usually Gateways)
+ that a Route wants to be attached to. Note that the referenced parent
+ resource needs to allow this for the attachment to be complete.
+ For Gateways, that means the Gateway needs to allow attachment from
+ Routes of this kind and namespace. For Services, that means the
+ Service must either be in the same namespace for a \"producer\"
+ route, or the mesh implementation must support and allow \"consumer\"
+ routes for the referenced Service. ReferenceGrant is not applicable
+ for governing ParentRefs to Services - it is not possible to create
+ a \"producer\" route for a Service in a different namespace from
+ the Route. \n There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
+ API may be extended in the future to support additional kinds of
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
+ items:
+ description: "ParentReference identifies an API object (usually
+ a Gateway) that can be considered a parent of this resource (usually
+ a route). There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service
+ (Mesh conformance profile, experimental, ClusterIP Services only)
+ \n This API may be extended in the future to support additional
+ kinds of parent resources. \n The API object must be valid in
+ the cluster; the Group and Kind must be registered in the cluster
+ for this reference to be valid."
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the core
+ API group (such as for a \"Service\" kind referent), Group
+ must be explicitly set to \"\" (empty string). \n Support:
+ Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are two
+ kinds of parent resources with \"Core\" support: \n * Gateway
+ (Gateway conformance profile) * Service (Mesh conformance
+ profile, experimental, ClusterIP Services only) \n Support
+ for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent. When
+ unspecified, this refers to the local namespace of the Route.
+ \n Note that there are specific rules for ParentRefs which
+ cross namespace boundaries. Cross-namespace references are
+ only valid if they are explicitly allowed by something in
+ the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+ \n ParentRefs from a Route to a Service in the same namespace
+ are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service.
+ \n ParentRefs from a Route to a Service in a different namespace
+ are \"consumer\" routes, and these routing rules are only
+ applied to outbound connections originating from the same
+ namespace as the Route, for which the intended destination
+ of the connections are a Service targeted as a ParentRef of
+ the Route. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets. It
+ can be interpreted differently based on the type of parent
+ resource. \n When the parent resource is a Gateway, this targets
+ all listeners listening on the specified port that also support
+ this kind of Route(and select this Route). It's not recommended
+ to set `Port` unless the networking behaviors specified in
+ a Route must apply to a specific port as opposed to a listener(s)
+ whose port(s) may be changed. When both Port and SectionName
+ are specified, the name and port of the selected listener
+ must match both specified values. \n When the parent resource
+ is a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified
+ values. \n Implementations MAY choose to support other parent
+ resources. Implementations supporting other types of parent
+ resources MUST clearly document how/if Port is interpreted.
+ \n For the purpose of status, an attachment is considered
+ successful as long as the parent resource accepts it partially.
+ For example, Gateway listeners can restrict which Routes can
+ attach to them by Route kind, namespace, or hostname. If 1
+ of 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway. \n
+ Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within the
+ target resource. In the following resources, SectionName is
+ interpreted as the following: \n * Gateway: Listener Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match both
+ specified values. * Service: Port Name. When both Port (experimental)
+ and SectionName are specified, the name and port of the selected
+ listener must match both specified values. Note that attaching
+ Routes to Services as Parents is part of experimental Mesh
+ support and is not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this will
+ reference the entire resource. For the purpose of status,
+ an attachment is considered successful if at least one section
+ in the parent resource accepts it. For example, Gateway listeners
+ can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept
+ attachment from the referencing Route, the Route MUST be considered
+ successfully attached. If no Gateway listeners accept attachment
+ from this Route, the Route MUST be considered detached from
+ the Gateway. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ description: Rules are a list of GRPC matchers, filters and actions.
+ items:
+ description: GRPCRouteRule defines the semantics for matching a
+ gRPC request based on conditions (matches), processing it (filters),
+ and forwarding the request to an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: "BackendRefs defines the backend(s) where matching
+ requests should be sent. \n Failure behavior here depends
+ on how many BackendRefs are specified and how many are invalid.
+ \n If *all* entries in BackendRefs are invalid, and there
+ are also no filters specified in this route rule, *all* traffic
+ which matches this rule MUST receive an `UNAVAILABLE` status.
+ \n See the GRPCBackendRef definition for the rules about what
+ makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef
+ is invalid, `UNAVAILABLE` statuses MUST be returned for requests
+ that would have otherwise been routed to an invalid backend.
+ If multiple backends are specified, and some are invalid,
+ the proportion of requests that would otherwise have been
+ routed to an invalid backend MUST receive an `UNAVAILABLE`
+ status. \n For example, if two backends are specified with
+ equal weights, and one is invalid, 50 percent of traffic MUST
+ receive an `UNAVAILABLE` status. Implementations may choose
+ how that 50 percent is determined. \n Support: Core for Kubernetes
+ Service \n Support: Implementation-specific for any other
+ resource \n Support for weight: Core"
+ items:
+ description: "GRPCBackendRef defines how a GRPCRoute forwards
+ a gRPC request. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ "
+ properties:
+ filters:
+ description: "Filters defined at this level MUST be executed
+ if and only if the request is being forwarded to the
+ backend defined here. \n Support: Implementation-specific
+ (For broader support of filters, use the Filters field
+ in GRPCRouteRule.)"
+ items:
+ description: GRPCRouteFilter defines processing steps
+ that must be completed during the request or response
+ lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway
+ implementations. Some examples include request or
+ response modification, implementing authentication
+ strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type
+ of the filter.
+ properties:
+ extensionRef:
+ description: "ExtensionRef is an optional, implementation-specific
+ extension to the \"filter\" behavior. For example,
+ resource \"myroutefilter\" in group \"networking.example.net\").
+ ExtensionRef MUST NOT be used for core and extended
+ filters. \n Support: Implementation-specific \n
+ This filter can be used multiple times within
+ the same rule."
+ properties:
+ group:
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API
+ group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: "RequestHeaderModifier defines a schema
+ for a filter that modifies request headers. \n
+ Support: Core"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It
+ appends to any existing values associated
+ with the header name. \n Input: GET /foo HTTP/1.1
+ my-header: foo \n Config: add: - name: \"my-header\"
+ value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
+ my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from
+ the HTTP request before the action. The value
+ of Remove is a list of HTTP header names.
+ Note that the header names are case-insensitive
+ (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo
+ my-header2: bar my-header3: baz \n Config:
+ remove: [\"my-header1\", \"my-header3\"] \n
+ Output: GET /foo HTTP/1.1 my-header2: bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with
+ the given header (name, value) before the
+ action. \n Input: GET /foo HTTP/1.1 my-header:
+ foo \n Config: set: - name: \"my-header\"
+ value: \"bar\" \n Output: GET /foo HTTP/1.1
+ my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: "RequestMirror defines a schema for
+ a filter that mirrors requests. Requests are sent
+ to the specified destination, but responses from
+ that destination are ignored. \n This filter can
+ be used multiple times within the same rule. Note
+ that not all implementations will be able to support
+ mirroring to multiple backends. \n Support: Extended"
+ properties:
+ backendRef:
+ description: "BackendRef references a resource
+ where mirrored requests are sent. \n Mirrored
+ requests must be sent only to a single destination
+ endpoint within this BackendRef, irrespective
+ of how many endpoints are present within this
+ BackendRef. \n If the referent cannot be found,
+ this BackendRef is invalid and must be dropped
+ from the Gateway. The controller must ensure
+ the \"ResolvedRefs\" condition on the Route
+ status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+ \n If there is a cross-namespace reference
+ to an *existing* object that is not allowed
+ by a ReferenceGrant, the controller must ensure
+ the \"ResolvedRefs\" condition on the Route
+ is set to `status: False`, with the \"RefNotPermitted\"
+ reason and not configure this backend in the
+ underlying implementation. \n In either error
+ case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about
+ the problem. \n Support: Extended for Kubernetes
+ Service \n Support: Implementation-specific
+ for any other resource"
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core
+ API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource
+ kind of the referent. For example \"Service\".
+ \n Defaults to \"Service\" when not specified.
+ \n ExternalName services can refer to
+ CNAME DNS records that may live outside
+ of the cluster and as such are difficult
+ to reason about in terms of conformance.
+ They also may not be safe to forward to
+ (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName
+ Services. \n Support: Core (Services with
+ a type other than ExternalName) \n Support:
+ Implementation-specific (Services with
+ type ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace
+ of the backend. When unspecified, the
+ local namespace is inferred. \n Note that
+ when a namespace different than the local
+ namespace is specified, a ReferenceGrant
+ object is required in the referent namespace
+ to allow that namespace's owner to accept
+ the reference. See the ReferenceGrant
+ documentation for details. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination
+ port number to use for this resource.
+ Port is required when the referent is
+ a Kubernetes Service. In this case, the
+ port number is the service port number,
+ not the target port. For other resources,
+ destination port might be derived from
+ the referent resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ responseHeaderModifier:
+ description: "ResponseHeaderModifier defines a schema
+ for a filter that modifies response headers. \n
+ Support: Extended"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It
+ appends to any existing values associated
+ with the header name. \n Input: GET /foo HTTP/1.1
+ my-header: foo \n Config: add: - name: \"my-header\"
+ value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
+ my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from
+ the HTTP request before the action. The value
+ of Remove is a list of HTTP header names.
+ Note that the header names are case-insensitive
+ (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo
+ my-header2: bar my-header3: baz \n Config:
+ remove: [\"my-header1\", \"my-header3\"] \n
+ Output: GET /foo HTTP/1.1 my-header2: bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with
+ the given header (name, value) before the
+ action. \n Input: GET /foo HTTP/1.1 my-header:
+ foo \n Config: set: - name: \"my-header\"
+ value: \"bar\" \n Output: GET /foo HTTP/1.1
+ my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: "Type identifies the type of filter
+ to apply. As with other API fields, types are
+ classified into three conformance levels: \n -
+ Core: Filter types and their corresponding configuration
+ defined by \"Support: Core\" in this package,
+ e.g. \"RequestHeaderModifier\". All implementations
+ supporting GRPCRoute MUST support core filters.
+ \n - Extended: Filter types and their corresponding
+ configuration defined by \"Support: Extended\"
+ in this package, e.g. \"RequestMirror\". Implementers
+ are encouraged to support extended filters. \n
+ - Implementation-specific: Filters that are defined
+ and supported by specific vendors. In the future,
+ filters showing convergence in behavior across
+ multiple implementations will be considered for
+ inclusion in extended or core conformance levels.
+ Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type`
+ MUST be set to \"ExtensionRef\" for custom filters.
+ \n Implementers are encouraged to define custom
+ implementation types to extend the core API with
+ implementation-specific behavior. \n If a reference
+ to a custom filter type cannot be resolved, the
+ filter MUST NOT be skipped. Instead, requests
+ that would have been processed by that filter
+ MUST receive a HTTP error response. \n "
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ group:
+ default: ""
+ description: Group is the group of the referent. For example,
+ "gateway.networking.k8s.io". When unspecified or empty
+ string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource kind of
+ the referent. For example \"Service\". \n Defaults to
+ \"Service\" when not specified. \n ExternalName services
+ can refer to CNAME DNS records that may live outside
+ of the cluster and as such are difficult to reason about
+ in terms of conformance. They also may not be safe to
+ forward to (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName Services.
+ \n Support: Core (Services with a type other than ExternalName)
+ \n Support: Implementation-specific (Services with type
+ ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the backend.
+ When unspecified, the local namespace is inferred. \n
+ Note that when a namespace different than the local
+ namespace is specified, a ReferenceGrant object is required
+ in the referent namespace to allow that namespace's
+ owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination port number
+ to use for this resource. Port is required when the
+ referent is a Kubernetes Service. In this case, the
+ port number is the service port number, not the target
+ port. For other resources, destination port might be
+ derived from the referent resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: "Weight specifies the proportion of requests
+ forwarded to the referenced backend. This is computed
+ as weight/(sum of all weights in this BackendRefs list).
+ For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision
+ an implementation supports. Weight is not a percentage
+ and the sum of weights does not need to equal 100. \n
+ If only one backend is specified and it has a weight
+ greater than 0, 100% of the traffic is forwarded to
+ that backend. If weight is set to 0, no traffic should
+ be forwarded for this entry. If unspecified, weight
+ defaults to 1. \n Support for this field varies based
+ on the context where used."
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: "Filters define the filters that are applied to
+ requests that match this rule. \n The effects of ordering
+ of multiple behaviors are currently unspecified. This can
+ change in the future based on feedback during the alpha stage.
+ \n Conformance-levels at this level are defined based on the
+ type of filter: \n - ALL core filters MUST be supported by
+ all implementations that support GRPCRoute. - Implementers
+ are encouraged to support extended filters. - Implementation-specific
+ custom filters have no API guarantees across implementations.
+ \n Specifying the same filter multiple times is not supported
+ unless explicitly indicated in the filter. \n If an implementation
+ can not support a combination of filters, it must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to
+ be set to status `False`, implementations may use the `IncompatibleFilters`
+ reason to specify this configuration error. \n Support: Core"
+ items:
+ description: GRPCRouteFilter defines processing steps that
+ must be completed during the request or response lifecycle.
+ GRPCRouteFilters are meant as an extension point to express
+ processing that may be done in Gateway implementations.
+ Some examples include request or response modification,
+ implementing authentication strategies, rate-limiting, and
+ traffic shaping. API guarantee/conformance is defined based
+ on the type of the filter.
+ properties:
+ extensionRef:
+ description: "ExtensionRef is an optional, implementation-specific
+ extension to the \"filter\" behavior. For example,
+ resource \"myroutefilter\" in group \"networking.example.net\").
+ ExtensionRef MUST NOT be used for core and extended
+ filters. \n Support: Implementation-specific \n This
+ filter can be used multiple times within the same rule."
+ properties:
+ group:
+ description: Group is the group of the referent. For
+ example, "gateway.networking.k8s.io". When unspecified
+ or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: "RequestHeaderModifier defines a schema for
+ a filter that modifies request headers. \n Support:
+ Core"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It appends
+ to any existing values associated with the header
+ name. \n Input: GET /foo HTTP/1.1 my-header: foo
+ \n Config: add: - name: \"my-header\" value: \"bar,baz\"
+ \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from the
+ HTTP request before the action. The value of Remove
+ is a list of HTTP header names. Note that the header
+ names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
+ bar my-header3: baz \n Config: remove: [\"my-header1\",
+ \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
+ bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with the
+ given header (name, value) before the action. \n
+ Input: GET /foo HTTP/1.1 my-header: foo \n Config:
+ set: - name: \"my-header\" value: \"bar\" \n Output:
+ GET /foo HTTP/1.1 my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: "RequestMirror defines a schema for a filter
+ that mirrors requests. Requests are sent to the specified
+ destination, but responses from that destination are
+ ignored. \n This filter can be used multiple times within
+ the same rule. Note that not all implementations will
+ be able to support mirroring to multiple backends. \n
+ Support: Extended"
+ properties:
+ backendRef:
+ description: "BackendRef references a resource where
+ mirrored requests are sent. \n Mirrored requests
+ must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many
+ endpoints are present within this BackendRef. \n
+ If the referent cannot be found, this BackendRef
+ is invalid and must be dropped from the Gateway.
+ The controller must ensure the \"ResolvedRefs\"
+ condition on the Route status is set to `status:
+ False` and not configure this backend in the underlying
+ implementation. \n If there is a cross-namespace
+ reference to an *existing* object that is not allowed
+ by a ReferenceGrant, the controller must ensure
+ the \"ResolvedRefs\" condition on the Route is
+ set to `status: False`, with the \"RefNotPermitted\"
+ reason and not configure this backend in the underlying
+ implementation. \n In either error case, the Message
+ of the `ResolvedRefs` Condition should be used to
+ provide more detail about the problem. \n Support:
+ Extended for Kubernetes Service \n Support: Implementation-specific
+ for any other resource"
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io". When
+ unspecified or empty string, core API group
+ is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource
+ kind of the referent. For example \"Service\".
+ \n Defaults to \"Service\" when not specified.
+ \n ExternalName services can refer to CNAME
+ DNS records that may live outside of the cluster
+ and as such are difficult to reason about in
+ terms of conformance. They also may not be safe
+ to forward to (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName
+ Services. \n Support: Core (Services with a
+ type other than ExternalName) \n Support: Implementation-specific
+ (Services with type ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the
+ backend. When unspecified, the local namespace
+ is inferred. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace
+ to allow that namespace's owner to accept the
+ reference. See the ReferenceGrant documentation
+ for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination port
+ number to use for this resource. Port is required
+ when the referent is a Kubernetes Service. In
+ this case, the port number is the service port
+ number, not the target port. For other resources,
+ destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ responseHeaderModifier:
+ description: "ResponseHeaderModifier defines a schema
+ for a filter that modifies response headers. \n Support:
+ Extended"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It appends
+ to any existing values associated with the header
+ name. \n Input: GET /foo HTTP/1.1 my-header: foo
+ \n Config: add: - name: \"my-header\" value: \"bar,baz\"
+ \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from the
+ HTTP request before the action. The value of Remove
+ is a list of HTTP header names. Note that the header
+ names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
+ bar my-header3: baz \n Config: remove: [\"my-header1\",
+ \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
+ bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with the
+ given header (name, value) before the action. \n
+ Input: GET /foo HTTP/1.1 my-header: foo \n Config:
+ set: - name: \"my-header\" value: \"bar\" \n Output:
+ GET /foo HTTP/1.1 my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: "Type identifies the type of filter to apply.
+ As with other API fields, types are classified into
+ three conformance levels: \n - Core: Filter types and
+ their corresponding configuration defined by \"Support:
+ Core\" in this package, e.g. \"RequestHeaderModifier\".
+ All implementations supporting GRPCRoute MUST support
+ core filters. \n - Extended: Filter types and their
+ corresponding configuration defined by \"Support: Extended\"
+ in this package, e.g. \"RequestMirror\". Implementers
+ are encouraged to support extended filters. \n - Implementation-specific:
+ Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior
+ across multiple implementations will be considered for
+ inclusion in extended or core conformance levels. Filter-specific
+ configuration for such filters is specified using the
+ ExtensionRef field. `Type` MUST be set to \"ExtensionRef\"
+ for custom filters. \n Implementers are encouraged to
+ define custom implementation types to extend the core
+ API with implementation-specific behavior. \n If a reference
+ to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have
+ been processed by that filter MUST receive a HTTP error
+ response. \n "
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ matches:
+ description: "Matches define conditions used for matching the
+ rule against incoming gRPC requests. Each match is independent,
+ i.e. this rule will be matched if **any** one of the matches
+ is satisfied. \n For example, take the following matches configuration:
+ \n ``` matches: - method: service: foo.bar headers: values:
+ version: 2 - method: service: foo.bar.v2 ``` \n For a request
+ to match against this rule, it MUST satisfy EITHER of the
+ two conditions: \n - service of foo.bar AND contains the header
+ `version: 2` - service of foo.bar.v2 \n See the documentation
+ for GRPCRouteMatch on how to specify multiple match conditions
+ to be ANDed together. \n If no matches are specified, the
+ implementation MUST match every gRPC request. \n Proxy or
+ Load Balancer routing configuration generated from GRPCRoutes
+ MUST prioritize rules based on the following criteria, continuing
+ on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+ Precedence MUST be given to the rule with the largest number
+ of: \n * Characters in a matching non-wildcard hostname. *
+ Characters in a matching hostname. * Characters in a matching
+ service. * Characters in a matching method. * Header matches.
+ \n If ties still exist across multiple Routes, matching precedence
+ MUST be determined in order of the following criteria, continuing
+ on ties: \n * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by \"{namespace}/{name}\".
+ \n If ties still exist within the Route that has been given
+ precedence, matching precedence MUST be granted to the first
+ matching rule meeting the above criteria."
+ items:
+ description: "GRPCRouteMatch defines the predicate used to
+ match requests to a given action. Multiple match types are
+ ANDed together, i.e. the match will evaluate to true only
+ if all conditions are satisfied. \n For example, the match
+ below will match a gRPC request only if its service is `foo`
+ AND it contains the `version: v1` header: \n ``` matches:
+ - method: type: Exact service: \"foo\" headers: - name:
+ \"version\" value \"v1\" \n ```"
+ properties:
+ headers:
+ description: Headers specifies gRPC request header matchers.
+ Multiple match values are ANDed together, meaning, a
+ request MUST match all the specified headers to select
+ the route.
+ items:
+ description: GRPCHeaderMatch describes how to select
+ a gRPC route by matching gRPC request headers.
+ properties:
+ name:
+ description: "Name is the name of the gRPC Header
+ to be matched. \n If multiple entries specify
+ equivalent header names, only the first entry
+ with an equivalent name MUST be considered for
+ a match. Subsequent entries with an equivalent
+ header name MUST be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ the value of the header.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of the gRPC Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: Method specifies a gRPC request service/method
+ matcher. If this field is not specified, all services
+ and methods will match.
+ properties:
+ method:
+ description: "Value of the method to match against.
+ If left empty or omitted, will match all services.
+ \n At least one of Service and Method MUST be a
+ non-empty string."
+ maxLength: 1024
+ type: string
+ service:
+ description: "Value of the service to match against.
+ If left empty or omitted, will match any service.
+ \n At least one of Service and Method MUST be a
+ non-empty string."
+ maxLength: 1024
+ type: string
+ type:
+ default: Exact
+ description: "Type specifies how to match against
+ the service and/or method. Support: Core (Exact
+ with service and method specified) \n Support: Implementation-specific
+ (Exact with method specified but no service specified)
+ \n Support: Implementation-specific (RegularExpression)"
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: One or both of 'service' or 'method' must be
+ specified
+ rule: 'has(self.type) ? has(self.service) || has(self.method)
+ : true'
+ - message: service must only contain valid characters
+ (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):
+ true'
+ - message: method must only contain valid characters (matching
+ ^[A-Za-z_][A-Za-z_0-9]*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):
+ true'
+ type: object
+ maxItems: 8
+ type: array
+ type: object
+ maxItems: 16
+ type: array
+ type: object
+ status:
+ description: Status defines the current state of GRPCRoute.
+ properties:
+ parents:
+ description: "Parents is a list of parent resources (usually Gateways)
+ that are associated with the route, and the status of the route
+ with respect to each parent. When this route attaches to a parent,
+ the controller that manages the parent must add an entry to this
+ list when the controller first sees the route and should update
+ the entry as appropriate when the route or gateway is modified.
+ \n Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this
+ API can only populate Route status for the Gateways/parent resources
+ they are responsible for. \n A maximum of 32 Gateways will be represented
+ in this list. An empty list means the route has not been attached
+ to any Gateway."
+ items:
+ description: RouteParentStatus describes the status of a route with
+ respect to an associated Parent.
+ properties:
+ conditions:
+ description: "Conditions describes the status of the route with
+ respect to the Gateway. Note that the route's availability
+ is also subject to the Gateway's own status conditions and
+ listener status. \n If the Route's ParentRef specifies an
+ existing Gateway that supports Routes of this kind AND that
+ Gateway's controller has sufficient access, then that Gateway's
+ controller MUST set the \"Accepted\" condition on the Route,
+ to indicate whether the route has been accepted or rejected
+ by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+ if at least one of the Route's rules is implemented by the
+ Gateway. \n There are a number of cases where the \"Accepted\"
+ condition may not be set due to lack of controller visibility,
+ that includes when: \n * The Route refers to a non-existent
+ parent. * The Route is of a type that the controller does
+ not support. * The Route is in a namespace the controller
+ does not have access to."
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: "ControllerName is a domain/path string that indicates
+ the name of the controller that wrote this status. This corresponds
+ with the controllerName field on GatewayClass. \n Example:
+ \"example.net/gateway-controller\". \n The format of this
+ field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+ Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ \n Controllers MUST populate this field when writing status.
+ Controllers should ensure that entries to status populated
+ with their ControllerName are cleaned up when they are no
+ longer necessary."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: ParentRef corresponds with a ParentRef in the spec
+ that this RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the
+ core API group (such as for a \"Service\" kind referent),
+ Group must be explicitly set to \"\" (empty string). \n
+ Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are
+ two kinds of parent resources with \"Core\" support: \n
+ * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services
+ only) \n Support for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent.
+ When unspecified, this refers to the local namespace of
+ the Route. \n Note that there are specific rules for ParentRefs
+ which cross namespace boundaries. Cross-namespace references
+ are only valid if they are explicitly allowed by something
+ in the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides
+ a generic way to enable any other kind of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes, which apply
+ default routing rules to inbound connections from any
+ namespace to the Service. \n ParentRefs from a Route to
+ a Service in a different namespace are \"consumer\" routes,
+ and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for
+ which the intended destination of the connections are
+ a Service targeted as a ParentRef of the Route. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets.
+ It can be interpreted differently based on the type of
+ parent resource. \n When the parent resource is a Gateway,
+ this targets all listeners listening on the specified
+ port that also support this kind of Route(and select this
+ Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to
+ a specific port as opposed to a listener(s) whose port(s)
+ may be changed. When both Port and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. \n When the parent resource is
+ a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected port must
+ match both specified values. \n Implementations MAY choose
+ to support other parent resources. Implementations supporting
+ other types of parent resources MUST clearly document
+ how/if Port is interpreted. \n For the purpose of status,
+ an attachment is considered successful as long as the
+ parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them
+ by Route kind, namespace, or hostname. If 1 of 2 Gateway
+ listeners accept attachment from the referencing Route,
+ the Route MUST be considered successfully attached. If
+ no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within
+ the target resource. In the following resources, SectionName
+ is interpreted as the following: \n * Gateway: Listener
+ Name. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected listener
+ must match both specified values. * Service: Port Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services
+ as Parents is part of experimental Mesh support and is
+ not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this
+ will reference the entire resource. For the purpose of
+ status, an attachment is considered successful if at least
+ one section in the parent resource accepts it. For example,
+ Gateway listeners can restrict which Routes can attach
+ to them by Route kind, namespace, or hostname. If 1 of
+ 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: httproutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: HTTPRoute
+ listKind: HTTPRouteList
+ plural: httproutes
+ singular: httproute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: HTTPRoute provides a way to route HTTP requests. This includes
+ the capability to match requests by hostname, path, header, or query param.
+ Filters can be used to specify additional processing steps. Backends specify
+ where matching requests should be routed.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: "Hostnames defines a set of hostnames that should match
+ against the HTTP Host header to select a HTTPRoute used to process
+ the request. Implementations MUST ignore any port value specified
+ in the HTTP Host header while performing a match and (absent of
+ any applicable header modification configuration) MUST forward this
+ header unmodified to the backend. \n Valid values for Hostnames
+ are determined by RFC 1123 definition of a hostname with 2 notable
+ exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed
+ with a wildcard label (`*.`). The wildcard label must appear by
+ itself as the first label. \n If a hostname is specified by both
+ the Listener and HTTPRoute, there must be at least one intersecting
+ hostname for the HTTPRoute to be attached to the Listener. For example:
+ \n * A Listener with `test.example.com` as the hostname matches
+ HTTPRoutes that have either not specified any hostnames, or have
+ specified at least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at
+ least one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com`
+ would all match. On the other hand, `example.com` and `test.example.net`
+ would not match. \n Hostnames that are prefixed with a wildcard
+ label (`*.`) are interpreted as a suffix match. That means that
+ a match for `*.example.com` would match both `test.example.com`,
+ and `foo.test.example.com`, but not `example.com`. \n If both the
+ Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames
+ that do not match the Listener hostname MUST be ignored. For example,
+ if a Listener specified `*.example.com`, and the HTTPRoute specified
+ `test.example.com` and `test.example.net`, `test.example.net` must
+ not be considered for a match. \n If both the Listener and HTTPRoute
+ have specified hostnames, and none match with the criteria above,
+ then the HTTPRoute is not accepted. The implementation must raise
+ an 'Accepted' Condition with a status of `False` in the corresponding
+ RouteParentStatus. \n In the event that multiple HTTPRoutes specify
+ intersecting hostnames (e.g. overlapping wildcard matching and exact
+ matching hostnames), precedence must be given to rules from the
+ HTTPRoute with the largest number of: \n * Characters in a matching
+ non-wildcard hostname. * Characters in a matching hostname. \n If
+ ties exist across multiple Routes, the matching precedence rules
+ for HTTPRouteMatches takes over. \n Support: Core"
+ items:
+ description: "Hostname is the fully qualified domain name of a network
+ host. This matches the RFC 1123 definition of a hostname with
+ 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
+ may be prefixed with a wildcard label (`*.`). The wildcard label
+ must appear by itself as the first label. \n Hostname can be \"precise\"
+ which is a domain name without the terminating dot of a network
+ host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
+ name prefixed with a single wildcard label (e.g. `*.example.com`).
+ \n Note that as per RFC1035 and RFC1123, a *label* must consist
+ of lower case alphanumeric characters or '-', and must start and
+ end with an alphanumeric character. No other punctuation is allowed."
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: "ParentRefs references the resources (usually Gateways)
+ that a Route wants to be attached to. Note that the referenced parent
+ resource needs to allow this for the attachment to be complete.
+ For Gateways, that means the Gateway needs to allow attachment from
+ Routes of this kind and namespace. For Services, that means the
+ Service must either be in the same namespace for a \"producer\"
+ route, or the mesh implementation must support and allow \"consumer\"
+ routes for the referenced Service. ReferenceGrant is not applicable
+ for governing ParentRefs to Services - it is not possible to create
+ a \"producer\" route for a Service in a different namespace from
+ the Route. \n There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
+ API may be extended in the future to support additional kinds of
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
+ items:
+ description: "ParentReference identifies an API object (usually
+ a Gateway) that can be considered a parent of this resource (usually
+ a route). There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service
+ (Mesh conformance profile, experimental, ClusterIP Services only)
+ \n This API may be extended in the future to support additional
+ kinds of parent resources. \n The API object must be valid in
+ the cluster; the Group and Kind must be registered in the cluster
+ for this reference to be valid."
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the core
+ API group (such as for a \"Service\" kind referent), Group
+ must be explicitly set to \"\" (empty string). \n Support:
+ Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are two
+ kinds of parent resources with \"Core\" support: \n * Gateway
+ (Gateway conformance profile) * Service (Mesh conformance
+ profile, experimental, ClusterIP Services only) \n Support
+ for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent. When
+ unspecified, this refers to the local namespace of the Route.
+ \n Note that there are specific rules for ParentRefs which
+ cross namespace boundaries. Cross-namespace references are
+ only valid if they are explicitly allowed by something in
+ the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+ \n ParentRefs from a Route to a Service in the same namespace
+ are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service.
+ \n ParentRefs from a Route to a Service in a different namespace
+ are \"consumer\" routes, and these routing rules are only
+ applied to outbound connections originating from the same
+ namespace as the Route, for which the intended destination
+ of the connections are a Service targeted as a ParentRef of
+ the Route. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets. It
+ can be interpreted differently based on the type of parent
+ resource. \n When the parent resource is a Gateway, this targets
+ all listeners listening on the specified port that also support
+ this kind of Route(and select this Route). It's not recommended
+ to set `Port` unless the networking behaviors specified in
+ a Route must apply to a specific port as opposed to a listener(s)
+ whose port(s) may be changed. When both Port and SectionName
+ are specified, the name and port of the selected listener
+ must match both specified values. \n When the parent resource
+ is a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified
+ values. \n Implementations MAY choose to support other parent
+ resources. Implementations supporting other types of parent
+ resources MUST clearly document how/if Port is interpreted.
+ \n For the purpose of status, an attachment is considered
+ successful as long as the parent resource accepts it partially.
+ For example, Gateway listeners can restrict which Routes can
+ attach to them by Route kind, namespace, or hostname. If 1
+ of 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway. \n
+ Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within the
+ target resource. In the following resources, SectionName is
+ interpreted as the following: \n * Gateway: Listener Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match both
+ specified values. * Service: Port Name. When both Port (experimental)
+ and SectionName are specified, the name and port of the selected
+ listener must match both specified values. Note that attaching
+ Routes to Services as Parents is part of experimental Mesh
+ support and is not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this will
+ reference the entire resource. For the purpose of status,
+ an attachment is considered successful if at least one section
+ in the parent resource accepts it. For example, Gateway listeners
+ can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept
+ attachment from the referencing Route, the Route MUST be considered
+ successfully attached. If no Gateway listeners accept attachment
+ from this Route, the Route MUST be considered detached from
+ the Gateway. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: Rules are a list of HTTP matchers, filters and actions.
+ items:
+ description: HTTPRouteRule defines semantics for matching an HTTP
+ request based on conditions (matches), processing it (filters),
+ and forwarding the request to an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: "BackendRefs defines the backend(s) where matching
+ requests should be sent. \n Failure behavior here depends
+ on how many BackendRefs are specified and how many are invalid.
+ \n If *all* entries in BackendRefs are invalid, and there
+ are also no filters specified in this route rule, *all* traffic
+ which matches this rule MUST receive a 500 status code. \n
+ See the HTTPBackendRef definition for the rules about what
+ makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef
+ is invalid, 500 status codes MUST be returned for requests
+ that would have otherwise been routed to an invalid backend.
+ If multiple backends are specified, and some are invalid,
+ the proportion of requests that would otherwise have been
+ routed to an invalid backend MUST receive a 500 status code.
+ \n For example, if two backends are specified with equal weights,
+ and one is invalid, 50 percent of traffic must receive a 500.
+ Implementations may choose how that 50 percent is determined.
+ \n Support: Core for Kubernetes Service \n Support: Extended
+ for Kubernetes ServiceImport \n Support: Implementation-specific
+ for any other resource \n Support for weight: Core"
+ items:
+ description: "HTTPBackendRef defines how a HTTPRoute forwards
+ a HTTP request. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ "
+ properties:
+ filters:
+ description: "Filters defined at this level should be
+ executed if and only if the request is being forwarded
+ to the backend defined here. \n Support: Implementation-specific
+ (For broader support of filters, use the Filters field
+ in HTTPRouteRule.)"
+ items:
+ description: HTTPRouteFilter defines processing steps
+ that must be completed during the request or response
+ lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway
+ implementations. Some examples include request or
+ response modification, implementing authentication
+ strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type
+ of the filter.
+ properties:
+ extensionRef:
+ description: "ExtensionRef is an optional, implementation-specific
+ extension to the \"filter\" behavior. For example,
+ resource \"myroutefilter\" in group \"networking.example.net\").
+ ExtensionRef MUST NOT be used for core and extended
+ filters. \n This filter can be used multiple times
+ within the same rule. \n Support: Implementation-specific"
+ properties:
+ group:
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API
+ group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: "RequestHeaderModifier defines a schema
+ for a filter that modifies request headers. \n
+ Support: Core"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It
+ appends to any existing values associated
+ with the header name. \n Input: GET /foo HTTP/1.1
+ my-header: foo \n Config: add: - name: \"my-header\"
+ value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
+ my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from
+ the HTTP request before the action. The value
+ of Remove is a list of HTTP header names.
+ Note that the header names are case-insensitive
+ (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo
+ my-header2: bar my-header3: baz \n Config:
+ remove: [\"my-header1\", \"my-header3\"] \n
+ Output: GET /foo HTTP/1.1 my-header2: bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with
+ the given header (name, value) before the
+ action. \n Input: GET /foo HTTP/1.1 my-header:
+ foo \n Config: set: - name: \"my-header\"
+ value: \"bar\" \n Output: GET /foo HTTP/1.1
+ my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: "RequestMirror defines a schema for
+ a filter that mirrors requests. Requests are sent
+ to the specified destination, but responses from
+ that destination are ignored. \n This filter can
+ be used multiple times within the same rule. Note
+ that not all implementations will be able to support
+ mirroring to multiple backends. \n Support: Extended"
+ properties:
+ backendRef:
+ description: "BackendRef references a resource
+ where mirrored requests are sent. \n Mirrored
+ requests must be sent only to a single destination
+ endpoint within this BackendRef, irrespective
+ of how many endpoints are present within this
+ BackendRef. \n If the referent cannot be found,
+ this BackendRef is invalid and must be dropped
+ from the Gateway. The controller must ensure
+ the \"ResolvedRefs\" condition on the Route
+ status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+ \n If there is a cross-namespace reference
+ to an *existing* object that is not allowed
+ by a ReferenceGrant, the controller must ensure
+ the \"ResolvedRefs\" condition on the Route
+ is set to `status: False`, with the \"RefNotPermitted\"
+ reason and not configure this backend in the
+ underlying implementation. \n In either error
+ case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about
+ the problem. \n Support: Extended for Kubernetes
+ Service \n Support: Implementation-specific
+ for any other resource"
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core
+ API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource
+ kind of the referent. For example \"Service\".
+ \n Defaults to \"Service\" when not specified.
+ \n ExternalName services can refer to
+ CNAME DNS records that may live outside
+ of the cluster and as such are difficult
+ to reason about in terms of conformance.
+ They also may not be safe to forward to
+ (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName
+ Services. \n Support: Core (Services with
+ a type other than ExternalName) \n Support:
+ Implementation-specific (Services with
+ type ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace
+ of the backend. When unspecified, the
+ local namespace is inferred. \n Note that
+ when a namespace different than the local
+ namespace is specified, a ReferenceGrant
+ object is required in the referent namespace
+ to allow that namespace's owner to accept
+ the reference. See the ReferenceGrant
+ documentation for details. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination
+ port number to use for this resource.
+ Port is required when the referent is
+ a Kubernetes Service. In this case, the
+ port number is the service port number,
+ not the target port. For other resources,
+ destination port might be derived from
+ the referent resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: "RequestRedirect defines a schema for
+ a filter that responds to the request with an
+ HTTP redirection. \n Support: Core"
+ properties:
+ hostname:
+ description: "Hostname is the hostname to be
+ used in the value of the `Location` header
+ in the response. When empty, the hostname
+ in the `Host` header of the request is used.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: "Path defines parameters used to
+ modify the path of the incoming request. The
+ modified path is then used to construct the
+ `Location` header. When empty, the request
+ path is used as-is. \n Support: Extended"
+ properties:
+ replaceFullPath:
+ description: ReplaceFullPath specifies the
+ value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: "ReplacePrefixMatch specifies
+ the value with which to replace the prefix
+ match of a request during a rewrite or
+ redirect. For example, a request to \"/foo/bar\"
+ with a prefix match of \"/foo\" and a
+ ReplacePrefixMatch of \"/xyz\" would be
+ modified to \"/xyz/bar\". \n Note that
+ this matches the behavior of the PathPrefix
+ match type. This matches full path elements.
+ A path element refers to the list of labels
+ in the path split by the `/` separator.
+ When specified, a trailing `/` is ignored.
+ For example, the paths `/abc`, `/abc/`,
+ and `/abc/def` would all match the prefix
+ `/abc`, but the path `/abcd` would not.
+ \n ReplacePrefixMatch is only compatible
+ with a `PathPrefix` HTTPRouteMatch. Using
+ any other HTTPRouteMatch type on the same
+ HTTPRouteRule will result in the implementation
+ setting the Accepted Condition for the
+ Route to `status: False`. \n Request Path
+ | Prefix Match | Replace Prefix | Modified
+ Path -------------|--------------|----------------|----------
+ /foo/bar | /foo | /xyz |
+ /xyz/bar /foo/bar | /foo |
+ /xyz/ | /xyz/bar /foo/bar |
+ /foo/ | /xyz | /xyz/bar
+ /foo/bar | /foo/ | /xyz/ |
+ /xyz/bar /foo | /foo |
+ /xyz | /xyz /foo/ | /foo
+ \ | /xyz | /xyz/ /foo/bar
+ \ | /foo | |
+ /bar /foo/ | /foo | | / /foo | /foo |
+ | / /foo/ | /foo
+ \ | / | / /foo |
+ /foo | / | /"
+ maxLength: 1024
+ type: string
+ type:
+ description: "Type defines the type of path
+ modifier. Additional types may be added
+ in a future release of the API. \n Note
+ that values may be added to this enum,
+ implementations must ensure that unknown
+ values will not cause a crash. \n Unknown
+ values here must result in the implementation
+ setting the Accepted Condition for the
+ Route to `status: False`, with a Reason
+ of `UnsupportedValue`."
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: "Port is the port to be used in
+ the value of the `Location` header in the
+ response. \n If no port is specified, the
+ redirect port MUST be derived using the following
+ rules: \n * If redirect scheme is not-empty,
+ the redirect port MUST be the well-known port
+ associated with the redirect scheme. Specifically
+ \"http\" to port 80 and \"https\" to port
+ 443. If the redirect scheme does not have
+ a well-known port, the listener port of the
+ Gateway SHOULD be used. * If redirect scheme
+ is empty, the redirect port MUST be the Gateway
+ Listener port. \n Implementations SHOULD NOT
+ add the port number in the 'Location' header
+ in the following cases: \n * A Location header
+ that will use HTTP (whether that is determined
+ via the Listener protocol or the Scheme field)
+ _and_ use port 80. * A Location header that
+ will use HTTPS (whether that is determined
+ via the Listener protocol or the Scheme field)
+ _and_ use port 443. \n Support: Extended"
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: "Scheme is the scheme to be used
+ in the value of the `Location` header in the
+ response. When empty, the scheme of the request
+ is used. \n Scheme redirects can affect the
+ port of the redirect, for more information,
+ refer to the documentation for the port field
+ of this filter. \n Note that values may be
+ added to this enum, implementations must ensure
+ that unknown values will not cause a crash.
+ \n Unknown values here must result in the
+ implementation setting the Accepted Condition
+ for the Route to `status: False`, with a Reason
+ of `UnsupportedValue`. \n Support: Extended"
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: "StatusCode is the HTTP status
+ code to be used in response. \n Note that
+ values may be added to this enum, implementations
+ must ensure that unknown values will not cause
+ a crash. \n Unknown values here must result
+ in the implementation setting the Accepted
+ Condition for the Route to `status: False`,
+ with a Reason of `UnsupportedValue`. \n Support:
+ Core"
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: "ResponseHeaderModifier defines a schema
+ for a filter that modifies response headers. \n
+ Support: Extended"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It
+ appends to any existing values associated
+ with the header name. \n Input: GET /foo HTTP/1.1
+ my-header: foo \n Config: add: - name: \"my-header\"
+ value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
+ my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from
+ the HTTP request before the action. The value
+ of Remove is a list of HTTP header names.
+ Note that the header names are case-insensitive
+ (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo
+ my-header2: bar my-header3: baz \n Config:
+ remove: [\"my-header1\", \"my-header3\"] \n
+ Output: GET /foo HTTP/1.1 my-header2: bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with
+ the given header (name, value) before the
+ action. \n Input: GET /foo HTTP/1.1 my-header:
+ foo \n Config: set: - name: \"my-header\"
+ value: \"bar\" \n Output: GET /foo HTTP/1.1
+ my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: "Type identifies the type of filter
+ to apply. As with other API fields, types are
+ classified into three conformance levels: \n -
+ Core: Filter types and their corresponding configuration
+ defined by \"Support: Core\" in this package,
+ e.g. \"RequestHeaderModifier\". All implementations
+ must support core filters. \n - Extended: Filter
+ types and their corresponding configuration defined
+ by \"Support: Extended\" in this package, e.g.
+ \"RequestMirror\". Implementers are encouraged
+ to support extended filters. \n - Implementation-specific:
+ Filters that are defined and supported by specific
+ vendors. In the future, filters showing convergence
+ in behavior across multiple implementations will
+ be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration
+ for such filters is specified using the ExtensionRef
+ field. `Type` should be set to \"ExtensionRef\"
+ for custom filters. \n Implementers are encouraged
+ to define custom implementation types to extend
+ the core API with implementation-specific behavior.
+ \n If a reference to a custom filter type cannot
+ be resolved, the filter MUST NOT be skipped. Instead,
+ requests that would have been processed by that
+ filter MUST receive a HTTP error response. \n
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause
+ a crash. \n Unknown values here must result in
+ the implementation setting the Accepted Condition
+ for the Route to `status: False`, with a Reason
+ of `UnsupportedValue`."
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: "URLRewrite defines a schema for a
+ filter that modifies a request during forwarding.
+ \n Support: Extended"
+ properties:
+ hostname:
+ description: "Hostname is the value to be used
+ to replace the Host header value during forwarding.
+ \n Support: Extended"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: "Path defines a path rewrite. \n
+ Support: Extended"
+ properties:
+ replaceFullPath:
+ description: ReplaceFullPath specifies the
+ value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: "ReplacePrefixMatch specifies
+ the value with which to replace the prefix
+ match of a request during a rewrite or
+ redirect. For example, a request to \"/foo/bar\"
+ with a prefix match of \"/foo\" and a
+ ReplacePrefixMatch of \"/xyz\" would be
+ modified to \"/xyz/bar\". \n Note that
+ this matches the behavior of the PathPrefix
+ match type. This matches full path elements.
+ A path element refers to the list of labels
+ in the path split by the `/` separator.
+ When specified, a trailing `/` is ignored.
+ For example, the paths `/abc`, `/abc/`,
+ and `/abc/def` would all match the prefix
+ `/abc`, but the path `/abcd` would not.
+ \n ReplacePrefixMatch is only compatible
+ with a `PathPrefix` HTTPRouteMatch. Using
+ any other HTTPRouteMatch type on the same
+ HTTPRouteRule will result in the implementation
+ setting the Accepted Condition for the
+ Route to `status: False`. \n Request Path
+ | Prefix Match | Replace Prefix | Modified
+ Path -------------|--------------|----------------|----------
+ /foo/bar | /foo | /xyz |
+ /xyz/bar /foo/bar | /foo |
+ /xyz/ | /xyz/bar /foo/bar |
+ /foo/ | /xyz | /xyz/bar
+ /foo/bar | /foo/ | /xyz/ |
+ /xyz/bar /foo | /foo |
+ /xyz | /xyz /foo/ | /foo
+ \ | /xyz | /xyz/ /foo/bar
+ \ | /foo | |
+ /bar /foo/ | /foo | | / /foo | /foo |
+ | / /foo/ | /foo
+ \ | / | / /foo |
+ /foo | / | /"
+ maxLength: 1024
+ type: string
+ type:
+ description: "Type defines the type of path
+ modifier. Additional types may be added
+ in a future release of the API. \n Note
+ that values may be added to this enum,
+ implementations must ensure that unknown
+ values will not cause a crash. \n Unknown
+ values here must result in the implementation
+ setting the Accepted Condition for the
+ Route to `status: False`, with a Reason
+ of `UnsupportedValue`."
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: Group is the group of the referent. For example,
+ "gateway.networking.k8s.io". When unspecified or empty
+ string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource kind of
+ the referent. For example \"Service\". \n Defaults to
+ \"Service\" when not specified. \n ExternalName services
+ can refer to CNAME DNS records that may live outside
+ of the cluster and as such are difficult to reason about
+ in terms of conformance. They also may not be safe to
+ forward to (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName Services.
+ \n Support: Core (Services with a type other than ExternalName)
+ \n Support: Implementation-specific (Services with type
+ ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the backend.
+ When unspecified, the local namespace is inferred. \n
+ Note that when a namespace different than the local
+ namespace is specified, a ReferenceGrant object is required
+ in the referent namespace to allow that namespace's
+ owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination port number
+ to use for this resource. Port is required when the
+ referent is a Kubernetes Service. In this case, the
+ port number is the service port number, not the target
+ port. For other resources, destination port might be
+ derived from the referent resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: "Weight specifies the proportion of requests
+ forwarded to the referenced backend. This is computed
+ as weight/(sum of all weights in this BackendRefs list).
+ For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision
+ an implementation supports. Weight is not a percentage
+ and the sum of weights does not need to equal 100. \n
+ If only one backend is specified and it has a weight
+ greater than 0, 100% of the traffic is forwarded to
+ that backend. If weight is set to 0, no traffic should
+ be forwarded for this entry. If unspecified, weight
+ defaults to 1. \n Support for this field varies based
+ on the context where used."
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: "Filters define the filters that are applied to
+ requests that match this rule. \n The effects of ordering
+ of multiple behaviors are currently unspecified. This can
+ change in the future based on feedback during the alpha stage.
+ \n Conformance-levels at this level are defined based on the
+ type of filter: \n - ALL core filters MUST be supported by
+ all implementations. - Implementers are encouraged to support
+ extended filters. - Implementation-specific custom filters
+ have no API guarantees across implementations. \n Specifying
+ the same filter multiple times is not supported unless explicitly
+ indicated in the filter. \n All filters are expected to be
+ compatible with each other except for the URLRewrite and RequestRedirect
+ filters, which may not be combined. If an implementation can
+ not support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to
+ be set to status `False`, implementations may use the `IncompatibleFilters`
+ reason to specify this configuration error. \n Support: Core"
+ items:
+ description: HTTPRouteFilter defines processing steps that
+ must be completed during the request or response lifecycle.
+ HTTPRouteFilters are meant as an extension point to express
+ processing that may be done in Gateway implementations.
+ Some examples include request or response modification,
+ implementing authentication strategies, rate-limiting, and
+ traffic shaping. API guarantee/conformance is defined based
+ on the type of the filter.
+ properties:
+ extensionRef:
+ description: "ExtensionRef is an optional, implementation-specific
+ extension to the \"filter\" behavior. For example,
+ resource \"myroutefilter\" in group \"networking.example.net\").
+ ExtensionRef MUST NOT be used for core and extended
+ filters. \n This filter can be used multiple times within
+ the same rule. \n Support: Implementation-specific"
+ properties:
+ group:
+ description: Group is the group of the referent. For
+ example, "gateway.networking.k8s.io". When unspecified
+ or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: "RequestHeaderModifier defines a schema for
+ a filter that modifies request headers. \n Support:
+ Core"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It appends
+ to any existing values associated with the header
+ name. \n Input: GET /foo HTTP/1.1 my-header: foo
+ \n Config: add: - name: \"my-header\" value: \"bar,baz\"
+ \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from the
+ HTTP request before the action. The value of Remove
+ is a list of HTTP header names. Note that the header
+ names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
+ bar my-header3: baz \n Config: remove: [\"my-header1\",
+ \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
+ bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with the
+ given header (name, value) before the action. \n
+ Input: GET /foo HTTP/1.1 my-header: foo \n Config:
+ set: - name: \"my-header\" value: \"bar\" \n Output:
+ GET /foo HTTP/1.1 my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: "RequestMirror defines a schema for a filter
+ that mirrors requests. Requests are sent to the specified
+ destination, but responses from that destination are
+ ignored. \n This filter can be used multiple times within
+ the same rule. Note that not all implementations will
+ be able to support mirroring to multiple backends. \n
+ Support: Extended"
+ properties:
+ backendRef:
+ description: "BackendRef references a resource where
+ mirrored requests are sent. \n Mirrored requests
+ must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many
+ endpoints are present within this BackendRef. \n
+ If the referent cannot be found, this BackendRef
+ is invalid and must be dropped from the Gateway.
+ The controller must ensure the \"ResolvedRefs\"
+ condition on the Route status is set to `status:
+ False` and not configure this backend in the underlying
+ implementation. \n If there is a cross-namespace
+ reference to an *existing* object that is not allowed
+ by a ReferenceGrant, the controller must ensure
+ the \"ResolvedRefs\" condition on the Route is
+ set to `status: False`, with the \"RefNotPermitted\"
+ reason and not configure this backend in the underlying
+ implementation. \n In either error case, the Message
+ of the `ResolvedRefs` Condition should be used to
+ provide more detail about the problem. \n Support:
+ Extended for Kubernetes Service \n Support: Implementation-specific
+ for any other resource"
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io". When
+ unspecified or empty string, core API group
+ is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource
+ kind of the referent. For example \"Service\".
+ \n Defaults to \"Service\" when not specified.
+ \n ExternalName services can refer to CNAME
+ DNS records that may live outside of the cluster
+ and as such are difficult to reason about in
+ terms of conformance. They also may not be safe
+ to forward to (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName
+ Services. \n Support: Core (Services with a
+ type other than ExternalName) \n Support: Implementation-specific
+ (Services with type ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the
+ backend. When unspecified, the local namespace
+ is inferred. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace
+ to allow that namespace's owner to accept the
+ reference. See the ReferenceGrant documentation
+ for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination port
+ number to use for this resource. Port is required
+ when the referent is a Kubernetes Service. In
+ this case, the port number is the service port
+ number, not the target port. For other resources,
+ destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: "RequestRedirect defines a schema for a filter
+ that responds to the request with an HTTP redirection.
+ \n Support: Core"
+ properties:
+ hostname:
+ description: "Hostname is the hostname to be used
+ in the value of the `Location` header in the response.
+ When empty, the hostname in the `Host` header of
+ the request is used. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: "Path defines parameters used to modify
+ the path of the incoming request. The modified path
+ is then used to construct the `Location` header.
+ When empty, the request path is used as-is. \n Support:
+ Extended"
+ properties:
+ replaceFullPath:
+ description: ReplaceFullPath specifies the value
+ with which to replace the full path of a request
+ during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: "ReplacePrefixMatch specifies the
+ value with which to replace the prefix match
+ of a request during a rewrite or redirect. For
+ example, a request to \"/foo/bar\" with a prefix
+ match of \"/foo\" and a ReplacePrefixMatch of
+ \"/xyz\" would be modified to \"/xyz/bar\".
+ \n Note that this matches the behavior of the
+ PathPrefix match type. This matches full path
+ elements. A path element refers to the list
+ of labels in the path split by the `/` separator.
+ When specified, a trailing `/` is ignored. For
+ example, the paths `/abc`, `/abc/`, and `/abc/def`
+ would all match the prefix `/abc`, but the path
+ `/abcd` would not. \n ReplacePrefixMatch is
+ only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same
+ HTTPRouteRule will result in the implementation
+ setting the Accepted Condition for the Route
+ to `status: False`. \n Request Path | Prefix
+ Match | Replace Prefix | Modified Path -------------|--------------|----------------|----------
+ /foo/bar | /foo | /xyz |
+ /xyz/bar /foo/bar | /foo | /xyz/
+ \ | /xyz/bar /foo/bar | /foo/ |
+ /xyz | /xyz/bar /foo/bar | /foo/
+ \ | /xyz/ | /xyz/bar /foo |
+ /foo | /xyz | /xyz /foo/ |
+ /foo | /xyz | /xyz/ /foo/bar
+ \ | /foo | | /bar
+ /foo/ | /foo |
+ | / /foo | /foo |
+ | / /foo/ | /foo | / |
+ / /foo | /foo | / |
+ /"
+ maxLength: 1024
+ type: string
+ type:
+ description: "Type defines the type of path modifier.
+ Additional types may be added in a future release
+ of the API. \n Note that values may be added
+ to this enum, implementations must ensure that
+ unknown values will not cause a crash. \n Unknown
+ values here must result in the implementation
+ setting the Accepted Condition for the Route
+ to `status: False`, with a Reason of `UnsupportedValue`."
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: "Port is the port to be used in the value
+ of the `Location` header in the response. \n If
+ no port is specified, the redirect port MUST be
+ derived using the following rules: \n * If redirect
+ scheme is not-empty, the redirect port MUST be the
+ well-known port associated with the redirect scheme.
+ Specifically \"http\" to port 80 and \"https\" to
+ port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway
+ SHOULD be used. * If redirect scheme is empty, the
+ redirect port MUST be the Gateway Listener port.
+ \n Implementations SHOULD NOT add the port number
+ in the 'Location' header in the following cases:
+ \n * A Location header that will use HTTP (whether
+ that is determined via the Listener protocol or
+ the Scheme field) _and_ use port 80. * A Location
+ header that will use HTTPS (whether that is determined
+ via the Listener protocol or the Scheme field) _and_
+ use port 443. \n Support: Extended"
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: "Scheme is the scheme to be used in the
+ value of the `Location` header in the response.
+ When empty, the scheme of the request is used. \n
+ Scheme redirects can affect the port of the redirect,
+ for more information, refer to the documentation
+ for the port field of this filter. \n Note that
+ values may be added to this enum, implementations
+ must ensure that unknown values will not cause a
+ crash. \n Unknown values here must result in the
+ implementation setting the Accepted Condition for
+ the Route to `status: False`, with a Reason of `UnsupportedValue`.
+ \n Support: Extended"
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: "StatusCode is the HTTP status code to
+ be used in response. \n Note that values may be
+ added to this enum, implementations must ensure
+ that unknown values will not cause a crash. \n Unknown
+ values here must result in the implementation setting
+ the Accepted Condition for the Route to `status:
+ False`, with a Reason of `UnsupportedValue`. \n
+ Support: Core"
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: "ResponseHeaderModifier defines a schema
+ for a filter that modifies response headers. \n Support:
+ Extended"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It appends
+ to any existing values associated with the header
+ name. \n Input: GET /foo HTTP/1.1 my-header: foo
+ \n Config: add: - name: \"my-header\" value: \"bar,baz\"
+ \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from the
+ HTTP request before the action. The value of Remove
+ is a list of HTTP header names. Note that the header
+ names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
+ bar my-header3: baz \n Config: remove: [\"my-header1\",
+ \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
+ bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with the
+ given header (name, value) before the action. \n
+ Input: GET /foo HTTP/1.1 my-header: foo \n Config:
+ set: - name: \"my-header\" value: \"bar\" \n Output:
+ GET /foo HTTP/1.1 my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: "Type identifies the type of filter to apply.
+ As with other API fields, types are classified into
+ three conformance levels: \n - Core: Filter types and
+ their corresponding configuration defined by \"Support:
+ Core\" in this package, e.g. \"RequestHeaderModifier\".
+ All implementations must support core filters. \n -
+ Extended: Filter types and their corresponding configuration
+ defined by \"Support: Extended\" in this package, e.g.
+ \"RequestMirror\". Implementers are encouraged to support
+ extended filters. \n - Implementation-specific: Filters
+ that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior
+ across multiple implementations will be considered for
+ inclusion in extended or core conformance levels. Filter-specific
+ configuration for such filters is specified using the
+ ExtensionRef field. `Type` should be set to \"ExtensionRef\"
+ for custom filters. \n Implementers are encouraged to
+ define custom implementation types to extend the core
+ API with implementation-specific behavior. \n If a reference
+ to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have
+ been processed by that filter MUST receive a HTTP error
+ response. \n Note that values may be added to this enum,
+ implementations must ensure that unknown values will
+ not cause a crash. \n Unknown values here must result
+ in the implementation setting the Accepted Condition
+ for the Route to `status: False`, with a Reason of `UnsupportedValue`."
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: "URLRewrite defines a schema for a filter
+ that modifies a request during forwarding. \n Support:
+ Extended"
+ properties:
+ hostname:
+ description: "Hostname is the value to be used to
+ replace the Host header value during forwarding.
+ \n Support: Extended"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: "Path defines a path rewrite. \n Support:
+ Extended"
+ properties:
+ replaceFullPath:
+ description: ReplaceFullPath specifies the value
+ with which to replace the full path of a request
+ during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: "ReplacePrefixMatch specifies the
+ value with which to replace the prefix match
+ of a request during a rewrite or redirect. For
+ example, a request to \"/foo/bar\" with a prefix
+ match of \"/foo\" and a ReplacePrefixMatch of
+ \"/xyz\" would be modified to \"/xyz/bar\".
+ \n Note that this matches the behavior of the
+ PathPrefix match type. This matches full path
+ elements. A path element refers to the list
+ of labels in the path split by the `/` separator.
+ When specified, a trailing `/` is ignored. For
+ example, the paths `/abc`, `/abc/`, and `/abc/def`
+ would all match the prefix `/abc`, but the path
+ `/abcd` would not. \n ReplacePrefixMatch is
+ only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same
+ HTTPRouteRule will result in the implementation
+ setting the Accepted Condition for the Route
+ to `status: False`. \n Request Path | Prefix
+ Match | Replace Prefix | Modified Path -------------|--------------|----------------|----------
+ /foo/bar | /foo | /xyz |
+ /xyz/bar /foo/bar | /foo | /xyz/
+ \ | /xyz/bar /foo/bar | /foo/ |
+ /xyz | /xyz/bar /foo/bar | /foo/
+ \ | /xyz/ | /xyz/bar /foo |
+ /foo | /xyz | /xyz /foo/ |
+ /foo | /xyz | /xyz/ /foo/bar
+ \ | /foo | | /bar
+ /foo/ | /foo |
+ | / /foo | /foo |
+ | / /foo/ | /foo | / |
+ / /foo | /foo | / |
+ /"
+ maxLength: 1024
+ type: string
+ type:
+ description: "Type defines the type of path modifier.
+ Additional types may be added in a future release
+ of the API. \n Note that values may be added
+ to this enum, implementations must ensure that
+ unknown values will not cause a crash. \n Unknown
+ values here must result in the implementation
+ setting the Accepted Condition for the Route
+ to `status: False`, with a Reason of `UnsupportedValue`."
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
+ description: "Matches define conditions used for matching the
+ rule against incoming HTTP requests. Each match is independent,
+ i.e. this rule will be matched if **any** one of the matches
+ is satisfied. \n For example, take the following matches configuration:
+ \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\"
+ value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request
+ to match against this rule, a request must satisfy EITHER
+ of the two conditions: \n - path prefixed with `/foo` AND
+ contains the header `version: v2` - path prefix of `/v2/foo`
+ \n See the documentation for HTTPRouteMatch on how to specify
+ multiple match conditions that should be ANDed together. \n
+ If no matches are specified, the default is a prefix path
+ match on \"/\", which has the effect of matching every HTTP
+ request. \n Proxy or Load Balancer routing configuration generated
+ from HTTPRoutes MUST prioritize matches based on the following
+ criteria, continuing on ties. Across all rules specified on
+ applicable Routes, precedence must be given to the match having:
+ \n * \"Exact\" path match. * \"Prefix\" path match with largest
+ number of characters. * Method match. * Largest number of
+ header matches. * Largest number of query param matches. \n
+ Note: The precedence of RegularExpression path matches are
+ implementation-specific. \n If ties still exist across multiple
+ Routes, matching precedence MUST be determined in order of
+ the following criteria, continuing on ties: \n * The oldest
+ Route based on creation timestamp. * The Route appearing first
+ in alphabetical order by \"{namespace}/{name}\". \n If ties
+ still exist within an HTTPRoute, matching precedence MUST
+ be granted to the FIRST matching rule (in list order) with
+ a match meeting the above criteria. \n When no rules matching
+ a request have been successfully attached to the parent a
+ request is coming from, a HTTP 404 status code MUST be returned."
+ items:
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given action. Multiple match types are
+ ANDed together, i.e. the match will evaluate to true only
+ if all conditions are satisfied. \n For example, the match
+ below will match a HTTP request only if its path starts
+ with `/foo` AND it contains the `version: v1` header: \n
+ ``` match: \n path: value: \"/foo\" headers: - name: \"version\"
+ value \"v1\" \n ```"
+ properties:
+ headers:
+ description: Headers specifies HTTP request header matchers.
+ Multiple match values are ANDed together, meaning, a
+ request must match all the specified headers to select
+ the route.
+ items:
+ description: HTTPHeaderMatch describes how to select
+ a HTTP route by matching HTTP request headers.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case insensitive.
+ (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent header
+ names, only the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be
+ ignored. Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered equivalent.
+ \n When a header is repeated in an HTTP request,
+ it is implementation-specific behavior as to how
+ this is represented. Generally, proxies should
+ follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2
+ regarding processing a repeated header, with special
+ handling for \"Set-Cookie\"."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: "Type specifies how to match against
+ the value of the header. \n Support: Core (Exact)
+ \n Support: Implementation-specific (RegularExpression)
+ \n Since RegularExpression HeaderMatchType has
+ implementation-specific conformance, implementations
+ can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect."
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: "Method specifies HTTP method matcher. When
+ specified, this route will be matched only if the request
+ has the specified method. \n Support: Extended"
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: Path specifies a HTTP request path matcher.
+ If this field is not specified, a default prefix match
+ on the "/" path is provided.
+ properties:
+ type:
+ default: PathPrefix
+ description: "Type specifies how to match against
+ the path Value. \n Support: Core (Exact, PathPrefix)
+ \n Support: Implementation-specific (RegularExpression)"
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: "QueryParams specifies HTTP query parameter
+ matchers. Multiple match values are ANDed together,
+ meaning, a request must match all the specified query
+ parameters to select the route. \n Support: Extended"
+ items:
+ description: HTTPQueryParamMatch describes how to select
+ a HTTP route by matching HTTP query parameters.
+ properties:
+ name:
+ description: "Name is the name of the HTTP query
+ param to be matched. This must be an exact string
+ match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).
+ \n If multiple entries specify equivalent query
+ param names, only the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST
+ be ignored. \n If a query param is repeated in
+ an HTTP request, the behavior is purposely left
+ undefined, since different data planes have different
+ capabilities. However, it is *recommended* that
+ implementations should match against the first
+ value of the param if the data plane supports
+ it, as this behavior is expected in other load
+ balancing contexts outside of the Gateway API.
+ \n Users SHOULD NOT route traffic based on repeated
+ query params to guard themselves against potential
+ differences in the implementations."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: "Type specifies how to match against
+ the value of the query parameter. \n Support:
+ Extended (Exact) \n Support: Implementation-specific
+ (RegularExpression) \n Since RegularExpression
+ QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX,
+ PCRE or any other dialects of regular expressions.
+ Please read the implementation's documentation
+ to determine the supported dialect."
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 8
+ type: array
+ timeouts:
+ description: "Timeouts defines the timeouts that can be configured
+ for an HTTP request. \n Support: Extended \n "
+ properties:
+ backendRequest:
+ description: "BackendRequest specifies a timeout for an
+ individual request from the gateway to a backend. This
+ covers the time from when the request first starts being
+ sent from the gateway to when the full response has been
+ received from the backend. \n An entire client HTTP transaction
+ with a gateway, covered by the Request timeout, may result
+ in more than one call from the gateway to the destination
+ backend, for example, if automatic retries are supported.
+ \n Because the Request timeout encompasses the BackendRequest
+ timeout, the value of BackendRequest must be <= the value
+ of Request timeout. \n Support: Extended"
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: "Request specifies the maximum duration for
+ a gateway to respond to an HTTP request. If the gateway
+ has not been able to respond before this deadline is met,
+ the gateway MUST return a timeout error. \n For example,
+ setting the `rules.timeouts.request` field to the value
+ `10s` in an `HTTPRoute` will cause a timeout if a client
+ request is taking longer than 10 seconds to complete.
+ \n This timeout is intended to cover as close to the whole
+ request-response transaction as possible although an implementation
+ MAY choose to start the timeout after the entire request
+ stream has been received instead of immediately after
+ the transaction is initiated by the client. \n When this
+ field is unspecified, request timeout behavior is implementation-specific.
+ \n Support: Extended"
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: "Parents is a list of parent resources (usually Gateways)
+ that are associated with the route, and the status of the route
+ with respect to each parent. When this route attaches to a parent,
+ the controller that manages the parent must add an entry to this
+ list when the controller first sees the route and should update
+ the entry as appropriate when the route or gateway is modified.
+ \n Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this
+ API can only populate Route status for the Gateways/parent resources
+ they are responsible for. \n A maximum of 32 Gateways will be represented
+ in this list. An empty list means the route has not been attached
+ to any Gateway."
+ items:
+ description: RouteParentStatus describes the status of a route with
+ respect to an associated Parent.
+ properties:
+ conditions:
+ description: "Conditions describes the status of the route with
+ respect to the Gateway. Note that the route's availability
+ is also subject to the Gateway's own status conditions and
+ listener status. \n If the Route's ParentRef specifies an
+ existing Gateway that supports Routes of this kind AND that
+ Gateway's controller has sufficient access, then that Gateway's
+ controller MUST set the \"Accepted\" condition on the Route,
+ to indicate whether the route has been accepted or rejected
+ by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+ if at least one of the Route's rules is implemented by the
+ Gateway. \n There are a number of cases where the \"Accepted\"
+ condition may not be set due to lack of controller visibility,
+ that includes when: \n * The Route refers to a non-existent
+ parent. * The Route is of a type that the controller does
+ not support. * The Route is in a namespace the controller
+ does not have access to."
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: "ControllerName is a domain/path string that indicates
+ the name of the controller that wrote this status. This corresponds
+ with the controllerName field on GatewayClass. \n Example:
+ \"example.net/gateway-controller\". \n The format of this
+ field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+ Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ \n Controllers MUST populate this field when writing status.
+ Controllers should ensure that entries to status populated
+ with their ControllerName are cleaned up when they are no
+ longer necessary."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: ParentRef corresponds with a ParentRef in the spec
+ that this RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the
+ core API group (such as for a \"Service\" kind referent),
+ Group must be explicitly set to \"\" (empty string). \n
+ Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are
+ two kinds of parent resources with \"Core\" support: \n
+ * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services
+ only) \n Support for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent.
+ When unspecified, this refers to the local namespace of
+ the Route. \n Note that there are specific rules for ParentRefs
+ which cross namespace boundaries. Cross-namespace references
+ are only valid if they are explicitly allowed by something
+ in the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides
+ a generic way to enable any other kind of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes, which apply
+ default routing rules to inbound connections from any
+ namespace to the Service. \n ParentRefs from a Route to
+ a Service in a different namespace are \"consumer\" routes,
+ and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for
+ which the intended destination of the connections are
+ a Service targeted as a ParentRef of the Route. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets.
+ It can be interpreted differently based on the type of
+ parent resource. \n When the parent resource is a Gateway,
+ this targets all listeners listening on the specified
+ port that also support this kind of Route(and select this
+ Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to
+ a specific port as opposed to a listener(s) whose port(s)
+ may be changed. When both Port and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. \n When the parent resource is
+ a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected port must
+ match both specified values. \n Implementations MAY choose
+ to support other parent resources. Implementations supporting
+ other types of parent resources MUST clearly document
+ how/if Port is interpreted. \n For the purpose of status,
+ an attachment is considered successful as long as the
+ parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them
+ by Route kind, namespace, or hostname. If 1 of 2 Gateway
+ listeners accept attachment from the referencing Route,
+ the Route MUST be considered successfully attached. If
+ no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within
+ the target resource. In the following resources, SectionName
+ is interpreted as the following: \n * Gateway: Listener
+ Name. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected listener
+ must match both specified values. * Service: Port Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services
+ as Parents is part of experimental Mesh support and is
+ not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this
+ will reference the entire resource. For the purpose of
+ status, an attachment is considered successful if at least
+ one section in the parent resource accepts it. For example,
+ Gateway listeners can restrict which Routes can attach
+ to them by Route kind, namespace, or hostname. If 1 of
+ 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: HTTPRoute provides a way to route HTTP requests. This includes
+ the capability to match requests by hostname, path, header, or query param.
+ Filters can be used to specify additional processing steps. Backends specify
+ where matching requests should be routed.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: "Hostnames defines a set of hostnames that should match
+ against the HTTP Host header to select a HTTPRoute used to process
+ the request. Implementations MUST ignore any port value specified
+ in the HTTP Host header while performing a match and (absent of
+ any applicable header modification configuration) MUST forward this
+ header unmodified to the backend. \n Valid values for Hostnames
+ are determined by RFC 1123 definition of a hostname with 2 notable
+ exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed
+ with a wildcard label (`*.`). The wildcard label must appear by
+ itself as the first label. \n If a hostname is specified by both
+ the Listener and HTTPRoute, there must be at least one intersecting
+ hostname for the HTTPRoute to be attached to the Listener. For example:
+ \n * A Listener with `test.example.com` as the hostname matches
+ HTTPRoutes that have either not specified any hostnames, or have
+ specified at least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at
+ least one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com`
+ would all match. On the other hand, `example.com` and `test.example.net`
+ would not match. \n Hostnames that are prefixed with a wildcard
+ label (`*.`) are interpreted as a suffix match. That means that
+ a match for `*.example.com` would match both `test.example.com`,
+ and `foo.test.example.com`, but not `example.com`. \n If both the
+ Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames
+ that do not match the Listener hostname MUST be ignored. For example,
+ if a Listener specified `*.example.com`, and the HTTPRoute specified
+ `test.example.com` and `test.example.net`, `test.example.net` must
+ not be considered for a match. \n If both the Listener and HTTPRoute
+ have specified hostnames, and none match with the criteria above,
+ then the HTTPRoute is not accepted. The implementation must raise
+ an 'Accepted' Condition with a status of `False` in the corresponding
+ RouteParentStatus. \n In the event that multiple HTTPRoutes specify
+ intersecting hostnames (e.g. overlapping wildcard matching and exact
+ matching hostnames), precedence must be given to rules from the
+ HTTPRoute with the largest number of: \n * Characters in a matching
+ non-wildcard hostname. * Characters in a matching hostname. \n If
+ ties exist across multiple Routes, the matching precedence rules
+ for HTTPRouteMatches takes over. \n Support: Core"
+ items:
+ description: "Hostname is the fully qualified domain name of a network
+ host. This matches the RFC 1123 definition of a hostname with
+ 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
+ may be prefixed with a wildcard label (`*.`). The wildcard label
+ must appear by itself as the first label. \n Hostname can be \"precise\"
+ which is a domain name without the terminating dot of a network
+ host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
+ name prefixed with a single wildcard label (e.g. `*.example.com`).
+ \n Note that as per RFC1035 and RFC1123, a *label* must consist
+ of lower case alphanumeric characters or '-', and must start and
+ end with an alphanumeric character. No other punctuation is allowed."
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: "ParentRefs references the resources (usually Gateways)
+ that a Route wants to be attached to. Note that the referenced parent
+ resource needs to allow this for the attachment to be complete.
+ For Gateways, that means the Gateway needs to allow attachment from
+ Routes of this kind and namespace. For Services, that means the
+ Service must either be in the same namespace for a \"producer\"
+ route, or the mesh implementation must support and allow \"consumer\"
+ routes for the referenced Service. ReferenceGrant is not applicable
+ for governing ParentRefs to Services - it is not possible to create
+ a \"producer\" route for a Service in a different namespace from
+ the Route. \n There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
+ API may be extended in the future to support additional kinds of
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
+ items:
+ description: "ParentReference identifies an API object (usually
+ a Gateway) that can be considered a parent of this resource (usually
+ a route). There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service
+ (Mesh conformance profile, experimental, ClusterIP Services only)
+ \n This API may be extended in the future to support additional
+ kinds of parent resources. \n The API object must be valid in
+ the cluster; the Group and Kind must be registered in the cluster
+ for this reference to be valid."
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the core
+ API group (such as for a \"Service\" kind referent), Group
+ must be explicitly set to \"\" (empty string). \n Support:
+ Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are two
+ kinds of parent resources with \"Core\" support: \n * Gateway
+ (Gateway conformance profile) * Service (Mesh conformance
+ profile, experimental, ClusterIP Services only) \n Support
+ for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent. When
+ unspecified, this refers to the local namespace of the Route.
+ \n Note that there are specific rules for ParentRefs which
+ cross namespace boundaries. Cross-namespace references are
+ only valid if they are explicitly allowed by something in
+ the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+ \n ParentRefs from a Route to a Service in the same namespace
+ are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service.
+ \n ParentRefs from a Route to a Service in a different namespace
+ are \"consumer\" routes, and these routing rules are only
+ applied to outbound connections originating from the same
+ namespace as the Route, for which the intended destination
+ of the connections are a Service targeted as a ParentRef of
+ the Route. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets. It
+ can be interpreted differently based on the type of parent
+ resource. \n When the parent resource is a Gateway, this targets
+ all listeners listening on the specified port that also support
+ this kind of Route(and select this Route). It's not recommended
+ to set `Port` unless the networking behaviors specified in
+ a Route must apply to a specific port as opposed to a listener(s)
+ whose port(s) may be changed. When both Port and SectionName
+ are specified, the name and port of the selected listener
+ must match both specified values. \n When the parent resource
+ is a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified
+ values. \n Implementations MAY choose to support other parent
+ resources. Implementations supporting other types of parent
+ resources MUST clearly document how/if Port is interpreted.
+ \n For the purpose of status, an attachment is considered
+ successful as long as the parent resource accepts it partially.
+ For example, Gateway listeners can restrict which Routes can
+ attach to them by Route kind, namespace, or hostname. If 1
+ of 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway. \n
+ Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within the
+ target resource. In the following resources, SectionName is
+ interpreted as the following: \n * Gateway: Listener Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match both
+ specified values. * Service: Port Name. When both Port (experimental)
+ and SectionName are specified, the name and port of the selected
+ listener must match both specified values. Note that attaching
+ Routes to Services as Parents is part of experimental Mesh
+ support and is not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this will
+ reference the entire resource. For the purpose of status,
+ an attachment is considered successful if at least one section
+ in the parent resource accepts it. For example, Gateway listeners
+ can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept
+ attachment from the referencing Route, the Route MUST be considered
+ successfully attached. If no Gateway listeners accept attachment
+ from this Route, the Route MUST be considered detached from
+ the Gateway. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: Rules are a list of HTTP matchers, filters and actions.
+ items:
+ description: HTTPRouteRule defines semantics for matching an HTTP
+ request based on conditions (matches), processing it (filters),
+ and forwarding the request to an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: "BackendRefs defines the backend(s) where matching
+ requests should be sent. \n Failure behavior here depends
+ on how many BackendRefs are specified and how many are invalid.
+ \n If *all* entries in BackendRefs are invalid, and there
+ are also no filters specified in this route rule, *all* traffic
+ which matches this rule MUST receive a 500 status code. \n
+ See the HTTPBackendRef definition for the rules about what
+ makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef
+ is invalid, 500 status codes MUST be returned for requests
+ that would have otherwise been routed to an invalid backend.
+ If multiple backends are specified, and some are invalid,
+ the proportion of requests that would otherwise have been
+ routed to an invalid backend MUST receive a 500 status code.
+ \n For example, if two backends are specified with equal weights,
+ and one is invalid, 50 percent of traffic must receive a 500.
+ Implementations may choose how that 50 percent is determined.
+ \n Support: Core for Kubernetes Service \n Support: Extended
+ for Kubernetes ServiceImport \n Support: Implementation-specific
+ for any other resource \n Support for weight: Core"
+ items:
+ description: "HTTPBackendRef defines how a HTTPRoute forwards
+ a HTTP request. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ "
+ properties:
+ filters:
+ description: "Filters defined at this level should be
+ executed if and only if the request is being forwarded
+ to the backend defined here. \n Support: Implementation-specific
+ (For broader support of filters, use the Filters field
+ in HTTPRouteRule.)"
+ items:
+ description: HTTPRouteFilter defines processing steps
+ that must be completed during the request or response
+ lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway
+ implementations. Some examples include request or
+ response modification, implementing authentication
+ strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type
+ of the filter.
+ properties:
+ extensionRef:
+ description: "ExtensionRef is an optional, implementation-specific
+ extension to the \"filter\" behavior. For example,
+ resource \"myroutefilter\" in group \"networking.example.net\").
+ ExtensionRef MUST NOT be used for core and extended
+ filters. \n This filter can be used multiple times
+ within the same rule. \n Support: Implementation-specific"
+ properties:
+ group:
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API
+ group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: "RequestHeaderModifier defines a schema
+ for a filter that modifies request headers. \n
+ Support: Core"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It
+ appends to any existing values associated
+ with the header name. \n Input: GET /foo HTTP/1.1
+ my-header: foo \n Config: add: - name: \"my-header\"
+ value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
+ my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from
+ the HTTP request before the action. The value
+ of Remove is a list of HTTP header names.
+ Note that the header names are case-insensitive
+ (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo
+ my-header2: bar my-header3: baz \n Config:
+ remove: [\"my-header1\", \"my-header3\"] \n
+ Output: GET /foo HTTP/1.1 my-header2: bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with
+ the given header (name, value) before the
+ action. \n Input: GET /foo HTTP/1.1 my-header:
+ foo \n Config: set: - name: \"my-header\"
+ value: \"bar\" \n Output: GET /foo HTTP/1.1
+ my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: "RequestMirror defines a schema for
+ a filter that mirrors requests. Requests are sent
+ to the specified destination, but responses from
+ that destination are ignored. \n This filter can
+ be used multiple times within the same rule. Note
+ that not all implementations will be able to support
+ mirroring to multiple backends. \n Support: Extended"
+ properties:
+ backendRef:
+ description: "BackendRef references a resource
+ where mirrored requests are sent. \n Mirrored
+ requests must be sent only to a single destination
+ endpoint within this BackendRef, irrespective
+ of how many endpoints are present within this
+ BackendRef. \n If the referent cannot be found,
+ this BackendRef is invalid and must be dropped
+ from the Gateway. The controller must ensure
+ the \"ResolvedRefs\" condition on the Route
+ status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+ \n If there is a cross-namespace reference
+ to an *existing* object that is not allowed
+ by a ReferenceGrant, the controller must ensure
+ the \"ResolvedRefs\" condition on the Route
+ is set to `status: False`, with the \"RefNotPermitted\"
+ reason and not configure this backend in the
+ underlying implementation. \n In either error
+ case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about
+ the problem. \n Support: Extended for Kubernetes
+ Service \n Support: Implementation-specific
+ for any other resource"
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core
+ API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource
+ kind of the referent. For example \"Service\".
+ \n Defaults to \"Service\" when not specified.
+ \n ExternalName services can refer to
+ CNAME DNS records that may live outside
+ of the cluster and as such are difficult
+ to reason about in terms of conformance.
+ They also may not be safe to forward to
+ (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName
+ Services. \n Support: Core (Services with
+ a type other than ExternalName) \n Support:
+ Implementation-specific (Services with
+ type ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace
+ of the backend. When unspecified, the
+ local namespace is inferred. \n Note that
+ when a namespace different than the local
+ namespace is specified, a ReferenceGrant
+ object is required in the referent namespace
+ to allow that namespace's owner to accept
+ the reference. See the ReferenceGrant
+ documentation for details. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination
+ port number to use for this resource.
+ Port is required when the referent is
+ a Kubernetes Service. In this case, the
+ port number is the service port number,
+ not the target port. For other resources,
+ destination port might be derived from
+ the referent resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: "RequestRedirect defines a schema for
+ a filter that responds to the request with an
+ HTTP redirection. \n Support: Core"
+ properties:
+ hostname:
+ description: "Hostname is the hostname to be
+ used in the value of the `Location` header
+ in the response. When empty, the hostname
+ in the `Host` header of the request is used.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: "Path defines parameters used to
+ modify the path of the incoming request. The
+ modified path is then used to construct the
+ `Location` header. When empty, the request
+ path is used as-is. \n Support: Extended"
+ properties:
+ replaceFullPath:
+ description: ReplaceFullPath specifies the
+ value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: "ReplacePrefixMatch specifies
+ the value with which to replace the prefix
+ match of a request during a rewrite or
+ redirect. For example, a request to \"/foo/bar\"
+ with a prefix match of \"/foo\" and a
+ ReplacePrefixMatch of \"/xyz\" would be
+ modified to \"/xyz/bar\". \n Note that
+ this matches the behavior of the PathPrefix
+ match type. This matches full path elements.
+ A path element refers to the list of labels
+ in the path split by the `/` separator.
+ When specified, a trailing `/` is ignored.
+ For example, the paths `/abc`, `/abc/`,
+ and `/abc/def` would all match the prefix
+ `/abc`, but the path `/abcd` would not.
+ \n ReplacePrefixMatch is only compatible
+ with a `PathPrefix` HTTPRouteMatch. Using
+ any other HTTPRouteMatch type on the same
+ HTTPRouteRule will result in the implementation
+ setting the Accepted Condition for the
+ Route to `status: False`. \n Request Path
+ | Prefix Match | Replace Prefix | Modified
+ Path -------------|--------------|----------------|----------
+ /foo/bar | /foo | /xyz |
+ /xyz/bar /foo/bar | /foo |
+ /xyz/ | /xyz/bar /foo/bar |
+ /foo/ | /xyz | /xyz/bar
+ /foo/bar | /foo/ | /xyz/ |
+ /xyz/bar /foo | /foo |
+ /xyz | /xyz /foo/ | /foo
+ \ | /xyz | /xyz/ /foo/bar
+ \ | /foo | |
+ /bar /foo/ | /foo | | / /foo | /foo |
+ | / /foo/ | /foo
+ \ | / | / /foo |
+ /foo | / | /"
+ maxLength: 1024
+ type: string
+ type:
+ description: "Type defines the type of path
+ modifier. Additional types may be added
+ in a future release of the API. \n Note
+ that values may be added to this enum,
+ implementations must ensure that unknown
+ values will not cause a crash. \n Unknown
+ values here must result in the implementation
+ setting the Accepted Condition for the
+ Route to `status: False`, with a Reason
+ of `UnsupportedValue`."
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: "Port is the port to be used in
+ the value of the `Location` header in the
+ response. \n If no port is specified, the
+ redirect port MUST be derived using the following
+ rules: \n * If redirect scheme is not-empty,
+ the redirect port MUST be the well-known port
+ associated with the redirect scheme. Specifically
+ \"http\" to port 80 and \"https\" to port
+ 443. If the redirect scheme does not have
+ a well-known port, the listener port of the
+ Gateway SHOULD be used. * If redirect scheme
+ is empty, the redirect port MUST be the Gateway
+ Listener port. \n Implementations SHOULD NOT
+ add the port number in the 'Location' header
+ in the following cases: \n * A Location header
+ that will use HTTP (whether that is determined
+ via the Listener protocol or the Scheme field)
+ _and_ use port 80. * A Location header that
+ will use HTTPS (whether that is determined
+ via the Listener protocol or the Scheme field)
+ _and_ use port 443. \n Support: Extended"
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: "Scheme is the scheme to be used
+ in the value of the `Location` header in the
+ response. When empty, the scheme of the request
+ is used. \n Scheme redirects can affect the
+ port of the redirect, for more information,
+ refer to the documentation for the port field
+ of this filter. \n Note that values may be
+ added to this enum, implementations must ensure
+ that unknown values will not cause a crash.
+ \n Unknown values here must result in the
+ implementation setting the Accepted Condition
+ for the Route to `status: False`, with a Reason
+ of `UnsupportedValue`. \n Support: Extended"
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: "StatusCode is the HTTP status
+ code to be used in response. \n Note that
+ values may be added to this enum, implementations
+ must ensure that unknown values will not cause
+ a crash. \n Unknown values here must result
+ in the implementation setting the Accepted
+ Condition for the Route to `status: False`,
+ with a Reason of `UnsupportedValue`. \n Support:
+ Core"
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: "ResponseHeaderModifier defines a schema
+ for a filter that modifies response headers. \n
+ Support: Extended"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It
+ appends to any existing values associated
+ with the header name. \n Input: GET /foo HTTP/1.1
+ my-header: foo \n Config: add: - name: \"my-header\"
+ value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
+ my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from
+ the HTTP request before the action. The value
+ of Remove is a list of HTTP header names.
+ Note that the header names are case-insensitive
+ (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo
+ my-header2: bar my-header3: baz \n Config:
+ remove: [\"my-header1\", \"my-header3\"] \n
+ Output: GET /foo HTTP/1.1 my-header2: bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with
+ the given header (name, value) before the
+ action. \n Input: GET /foo HTTP/1.1 my-header:
+ foo \n Config: set: - name: \"my-header\"
+ value: \"bar\" \n Output: GET /foo HTTP/1.1
+ my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: "Name is the name of the
+ HTTP Header to be matched. Name matching
+ MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an
+ equivalent name MUST be considered for
+ a match. Subsequent entries with an
+ equivalent header name MUST be ignored.
+ Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: "Type identifies the type of filter
+ to apply. As with other API fields, types are
+ classified into three conformance levels: \n -
+ Core: Filter types and their corresponding configuration
+ defined by \"Support: Core\" in this package,
+ e.g. \"RequestHeaderModifier\". All implementations
+ must support core filters. \n - Extended: Filter
+ types and their corresponding configuration defined
+ by \"Support: Extended\" in this package, e.g.
+ \"RequestMirror\". Implementers are encouraged
+ to support extended filters. \n - Implementation-specific:
+ Filters that are defined and supported by specific
+ vendors. In the future, filters showing convergence
+ in behavior across multiple implementations will
+ be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration
+ for such filters is specified using the ExtensionRef
+ field. `Type` should be set to \"ExtensionRef\"
+ for custom filters. \n Implementers are encouraged
+ to define custom implementation types to extend
+ the core API with implementation-specific behavior.
+ \n If a reference to a custom filter type cannot
+ be resolved, the filter MUST NOT be skipped. Instead,
+ requests that would have been processed by that
+ filter MUST receive a HTTP error response. \n
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause
+ a crash. \n Unknown values here must result in
+ the implementation setting the Accepted Condition
+ for the Route to `status: False`, with a Reason
+ of `UnsupportedValue`."
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: "URLRewrite defines a schema for a
+ filter that modifies a request during forwarding.
+ \n Support: Extended"
+ properties:
+ hostname:
+ description: "Hostname is the value to be used
+ to replace the Host header value during forwarding.
+ \n Support: Extended"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: "Path defines a path rewrite. \n
+ Support: Extended"
+ properties:
+ replaceFullPath:
+ description: ReplaceFullPath specifies the
+ value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: "ReplacePrefixMatch specifies
+ the value with which to replace the prefix
+ match of a request during a rewrite or
+ redirect. For example, a request to \"/foo/bar\"
+ with a prefix match of \"/foo\" and a
+ ReplacePrefixMatch of \"/xyz\" would be
+ modified to \"/xyz/bar\". \n Note that
+ this matches the behavior of the PathPrefix
+ match type. This matches full path elements.
+ A path element refers to the list of labels
+ in the path split by the `/` separator.
+ When specified, a trailing `/` is ignored.
+ For example, the paths `/abc`, `/abc/`,
+ and `/abc/def` would all match the prefix
+ `/abc`, but the path `/abcd` would not.
+ \n ReplacePrefixMatch is only compatible
+ with a `PathPrefix` HTTPRouteMatch. Using
+ any other HTTPRouteMatch type on the same
+ HTTPRouteRule will result in the implementation
+ setting the Accepted Condition for the
+ Route to `status: False`. \n Request Path
+ | Prefix Match | Replace Prefix | Modified
+ Path -------------|--------------|----------------|----------
+ /foo/bar | /foo | /xyz |
+ /xyz/bar /foo/bar | /foo |
+ /xyz/ | /xyz/bar /foo/bar |
+ /foo/ | /xyz | /xyz/bar
+ /foo/bar | /foo/ | /xyz/ |
+ /xyz/bar /foo | /foo |
+ /xyz | /xyz /foo/ | /foo
+ \ | /xyz | /xyz/ /foo/bar
+ \ | /foo | |
+ /bar /foo/ | /foo | | / /foo | /foo |
+ | / /foo/ | /foo
+ \ | / | / /foo |
+ /foo | / | /"
+ maxLength: 1024
+ type: string
+ type:
+ description: "Type defines the type of path
+ modifier. Additional types may be added
+ in a future release of the API. \n Note
+ that values may be added to this enum,
+ implementations must ensure that unknown
+ values will not cause a crash. \n Unknown
+ values here must result in the implementation
+ setting the Accepted Condition for the
+ Route to `status: False`, with a Reason
+ of `UnsupportedValue`."
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: Group is the group of the referent. For example,
+ "gateway.networking.k8s.io". When unspecified or empty
+ string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource kind of
+ the referent. For example \"Service\". \n Defaults to
+ \"Service\" when not specified. \n ExternalName services
+ can refer to CNAME DNS records that may live outside
+ of the cluster and as such are difficult to reason about
+ in terms of conformance. They also may not be safe to
+ forward to (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName Services.
+ \n Support: Core (Services with a type other than ExternalName)
+ \n Support: Implementation-specific (Services with type
+ ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the backend.
+ When unspecified, the local namespace is inferred. \n
+ Note that when a namespace different than the local
+ namespace is specified, a ReferenceGrant object is required
+ in the referent namespace to allow that namespace's
+ owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination port number
+ to use for this resource. Port is required when the
+ referent is a Kubernetes Service. In this case, the
+ port number is the service port number, not the target
+ port. For other resources, destination port might be
+ derived from the referent resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: "Weight specifies the proportion of requests
+ forwarded to the referenced backend. This is computed
+ as weight/(sum of all weights in this BackendRefs list).
+ For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision
+ an implementation supports. Weight is not a percentage
+ and the sum of weights does not need to equal 100. \n
+ If only one backend is specified and it has a weight
+ greater than 0, 100% of the traffic is forwarded to
+ that backend. If weight is set to 0, no traffic should
+ be forwarded for this entry. If unspecified, weight
+ defaults to 1. \n Support for this field varies based
+ on the context where used."
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: "Filters define the filters that are applied to
+ requests that match this rule. \n The effects of ordering
+ of multiple behaviors are currently unspecified. This can
+ change in the future based on feedback during the alpha stage.
+ \n Conformance-levels at this level are defined based on the
+ type of filter: \n - ALL core filters MUST be supported by
+ all implementations. - Implementers are encouraged to support
+ extended filters. - Implementation-specific custom filters
+ have no API guarantees across implementations. \n Specifying
+ the same filter multiple times is not supported unless explicitly
+ indicated in the filter. \n All filters are expected to be
+ compatible with each other except for the URLRewrite and RequestRedirect
+ filters, which may not be combined. If an implementation can
+ not support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to
+ be set to status `False`, implementations may use the `IncompatibleFilters`
+ reason to specify this configuration error. \n Support: Core"
+ items:
+ description: HTTPRouteFilter defines processing steps that
+ must be completed during the request or response lifecycle.
+ HTTPRouteFilters are meant as an extension point to express
+ processing that may be done in Gateway implementations.
+ Some examples include request or response modification,
+ implementing authentication strategies, rate-limiting, and
+ traffic shaping. API guarantee/conformance is defined based
+ on the type of the filter.
+ properties:
+ extensionRef:
+ description: "ExtensionRef is an optional, implementation-specific
+ extension to the \"filter\" behavior. For example,
+ resource \"myroutefilter\" in group \"networking.example.net\").
+ ExtensionRef MUST NOT be used for core and extended
+ filters. \n This filter can be used multiple times within
+ the same rule. \n Support: Implementation-specific"
+ properties:
+ group:
+ description: Group is the group of the referent. For
+ example, "gateway.networking.k8s.io". When unspecified
+ or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: "RequestHeaderModifier defines a schema for
+ a filter that modifies request headers. \n Support:
+ Core"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It appends
+ to any existing values associated with the header
+ name. \n Input: GET /foo HTTP/1.1 my-header: foo
+ \n Config: add: - name: \"my-header\" value: \"bar,baz\"
+ \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from the
+ HTTP request before the action. The value of Remove
+ is a list of HTTP header names. Note that the header
+ names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
+ bar my-header3: baz \n Config: remove: [\"my-header1\",
+ \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
+ bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with the
+ given header (name, value) before the action. \n
+ Input: GET /foo HTTP/1.1 my-header: foo \n Config:
+ set: - name: \"my-header\" value: \"bar\" \n Output:
+ GET /foo HTTP/1.1 my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: "RequestMirror defines a schema for a filter
+ that mirrors requests. Requests are sent to the specified
+ destination, but responses from that destination are
+ ignored. \n This filter can be used multiple times within
+ the same rule. Note that not all implementations will
+ be able to support mirroring to multiple backends. \n
+ Support: Extended"
+ properties:
+ backendRef:
+ description: "BackendRef references a resource where
+ mirrored requests are sent. \n Mirrored requests
+ must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many
+ endpoints are present within this BackendRef. \n
+ If the referent cannot be found, this BackendRef
+ is invalid and must be dropped from the Gateway.
+ The controller must ensure the \"ResolvedRefs\"
+ condition on the Route status is set to `status:
+ False` and not configure this backend in the underlying
+ implementation. \n If there is a cross-namespace
+ reference to an *existing* object that is not allowed
+ by a ReferenceGrant, the controller must ensure
+ the \"ResolvedRefs\" condition on the Route is
+ set to `status: False`, with the \"RefNotPermitted\"
+ reason and not configure this backend in the underlying
+ implementation. \n In either error case, the Message
+ of the `ResolvedRefs` Condition should be used to
+ provide more detail about the problem. \n Support:
+ Extended for Kubernetes Service \n Support: Implementation-specific
+ for any other resource"
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io". When
+ unspecified or empty string, core API group
+ is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource
+ kind of the referent. For example \"Service\".
+ \n Defaults to \"Service\" when not specified.
+ \n ExternalName services can refer to CNAME
+ DNS records that may live outside of the cluster
+ and as such are difficult to reason about in
+ terms of conformance. They also may not be safe
+ to forward to (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName
+ Services. \n Support: Core (Services with a
+ type other than ExternalName) \n Support: Implementation-specific
+ (Services with type ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the
+ backend. When unspecified, the local namespace
+ is inferred. \n Note that when a namespace different
+ than the local namespace is specified, a ReferenceGrant
+ object is required in the referent namespace
+ to allow that namespace's owner to accept the
+ reference. See the ReferenceGrant documentation
+ for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination port
+ number to use for this resource. Port is required
+ when the referent is a Kubernetes Service. In
+ this case, the port number is the service port
+ number, not the target port. For other resources,
+ destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: "RequestRedirect defines a schema for a filter
+ that responds to the request with an HTTP redirection.
+ \n Support: Core"
+ properties:
+ hostname:
+ description: "Hostname is the hostname to be used
+ in the value of the `Location` header in the response.
+ When empty, the hostname in the `Host` header of
+ the request is used. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: "Path defines parameters used to modify
+ the path of the incoming request. The modified path
+ is then used to construct the `Location` header.
+ When empty, the request path is used as-is. \n Support:
+ Extended"
+ properties:
+ replaceFullPath:
+ description: ReplaceFullPath specifies the value
+ with which to replace the full path of a request
+ during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: "ReplacePrefixMatch specifies the
+ value with which to replace the prefix match
+ of a request during a rewrite or redirect. For
+ example, a request to \"/foo/bar\" with a prefix
+ match of \"/foo\" and a ReplacePrefixMatch of
+ \"/xyz\" would be modified to \"/xyz/bar\".
+ \n Note that this matches the behavior of the
+ PathPrefix match type. This matches full path
+ elements. A path element refers to the list
+ of labels in the path split by the `/` separator.
+ When specified, a trailing `/` is ignored. For
+ example, the paths `/abc`, `/abc/`, and `/abc/def`
+ would all match the prefix `/abc`, but the path
+ `/abcd` would not. \n ReplacePrefixMatch is
+ only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same
+ HTTPRouteRule will result in the implementation
+ setting the Accepted Condition for the Route
+ to `status: False`. \n Request Path | Prefix
+ Match | Replace Prefix | Modified Path -------------|--------------|----------------|----------
+ /foo/bar | /foo | /xyz |
+ /xyz/bar /foo/bar | /foo | /xyz/
+ \ | /xyz/bar /foo/bar | /foo/ |
+ /xyz | /xyz/bar /foo/bar | /foo/
+ \ | /xyz/ | /xyz/bar /foo |
+ /foo | /xyz | /xyz /foo/ |
+ /foo | /xyz | /xyz/ /foo/bar
+ \ | /foo | | /bar
+ /foo/ | /foo |
+ | / /foo | /foo |
+ | / /foo/ | /foo | / |
+ / /foo | /foo | / |
+ /"
+ maxLength: 1024
+ type: string
+ type:
+ description: "Type defines the type of path modifier.
+ Additional types may be added in a future release
+ of the API. \n Note that values may be added
+ to this enum, implementations must ensure that
+ unknown values will not cause a crash. \n Unknown
+ values here must result in the implementation
+ setting the Accepted Condition for the Route
+ to `status: False`, with a Reason of `UnsupportedValue`."
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: "Port is the port to be used in the value
+ of the `Location` header in the response. \n If
+ no port is specified, the redirect port MUST be
+ derived using the following rules: \n * If redirect
+ scheme is not-empty, the redirect port MUST be the
+ well-known port associated with the redirect scheme.
+ Specifically \"http\" to port 80 and \"https\" to
+ port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway
+ SHOULD be used. * If redirect scheme is empty, the
+ redirect port MUST be the Gateway Listener port.
+ \n Implementations SHOULD NOT add the port number
+ in the 'Location' header in the following cases:
+ \n * A Location header that will use HTTP (whether
+ that is determined via the Listener protocol or
+ the Scheme field) _and_ use port 80. * A Location
+ header that will use HTTPS (whether that is determined
+ via the Listener protocol or the Scheme field) _and_
+ use port 443. \n Support: Extended"
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: "Scheme is the scheme to be used in the
+ value of the `Location` header in the response.
+ When empty, the scheme of the request is used. \n
+ Scheme redirects can affect the port of the redirect,
+ for more information, refer to the documentation
+ for the port field of this filter. \n Note that
+ values may be added to this enum, implementations
+ must ensure that unknown values will not cause a
+ crash. \n Unknown values here must result in the
+ implementation setting the Accepted Condition for
+ the Route to `status: False`, with a Reason of `UnsupportedValue`.
+ \n Support: Extended"
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: "StatusCode is the HTTP status code to
+ be used in response. \n Note that values may be
+ added to this enum, implementations must ensure
+ that unknown values will not cause a crash. \n Unknown
+ values here must result in the implementation setting
+ the Accepted Condition for the Route to `status:
+ False`, with a Reason of `UnsupportedValue`. \n
+ Support: Core"
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: "ResponseHeaderModifier defines a schema
+ for a filter that modifies response headers. \n Support:
+ Extended"
+ properties:
+ add:
+ description: "Add adds the given header(s) (name,
+ value) to the request before the action. It appends
+ to any existing values associated with the header
+ name. \n Input: GET /foo HTTP/1.1 my-header: foo
+ \n Config: add: - name: \"my-header\" value: \"bar,baz\"
+ \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: "Remove the given header(s) from the
+ HTTP request before the action. The value of Remove
+ is a list of HTTP header names. Note that the header
+ names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
+ bar my-header3: baz \n Config: remove: [\"my-header1\",
+ \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
+ bar"
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: "Set overwrites the request with the
+ given header (name, value) before the action. \n
+ Input: GET /foo HTTP/1.1 my-header: foo \n Config:
+ set: - name: \"my-header\" value: \"bar\" \n Output:
+ GET /foo HTTP/1.1 my-header: bar"
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case
+ insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent
+ header names, the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST
+ be ignored. Due to the case-insensitivity
+ of header names, \"foo\" and \"Foo\" are considered
+ equivalent."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: "Type identifies the type of filter to apply.
+ As with other API fields, types are classified into
+ three conformance levels: \n - Core: Filter types and
+ their corresponding configuration defined by \"Support:
+ Core\" in this package, e.g. \"RequestHeaderModifier\".
+ All implementations must support core filters. \n -
+ Extended: Filter types and their corresponding configuration
+ defined by \"Support: Extended\" in this package, e.g.
+ \"RequestMirror\". Implementers are encouraged to support
+ extended filters. \n - Implementation-specific: Filters
+ that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior
+ across multiple implementations will be considered for
+ inclusion in extended or core conformance levels. Filter-specific
+ configuration for such filters is specified using the
+ ExtensionRef field. `Type` should be set to \"ExtensionRef\"
+ for custom filters. \n Implementers are encouraged to
+ define custom implementation types to extend the core
+ API with implementation-specific behavior. \n If a reference
+ to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have
+ been processed by that filter MUST receive a HTTP error
+ response. \n Note that values may be added to this enum,
+ implementations must ensure that unknown values will
+ not cause a crash. \n Unknown values here must result
+ in the implementation setting the Accepted Condition
+ for the Route to `status: False`, with a Reason of `UnsupportedValue`."
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: "URLRewrite defines a schema for a filter
+ that modifies a request during forwarding. \n Support:
+ Extended"
+ properties:
+ hostname:
+ description: "Hostname is the value to be used to
+ replace the Host header value during forwarding.
+ \n Support: Extended"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: "Path defines a path rewrite. \n Support:
+ Extended"
+ properties:
+ replaceFullPath:
+ description: ReplaceFullPath specifies the value
+ with which to replace the full path of a request
+ during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: "ReplacePrefixMatch specifies the
+ value with which to replace the prefix match
+ of a request during a rewrite or redirect. For
+ example, a request to \"/foo/bar\" with a prefix
+ match of \"/foo\" and a ReplacePrefixMatch of
+ \"/xyz\" would be modified to \"/xyz/bar\".
+ \n Note that this matches the behavior of the
+ PathPrefix match type. This matches full path
+ elements. A path element refers to the list
+ of labels in the path split by the `/` separator.
+ When specified, a trailing `/` is ignored. For
+ example, the paths `/abc`, `/abc/`, and `/abc/def`
+ would all match the prefix `/abc`, but the path
+ `/abcd` would not. \n ReplacePrefixMatch is
+ only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same
+ HTTPRouteRule will result in the implementation
+ setting the Accepted Condition for the Route
+ to `status: False`. \n Request Path | Prefix
+ Match | Replace Prefix | Modified Path -------------|--------------|----------------|----------
+ /foo/bar | /foo | /xyz |
+ /xyz/bar /foo/bar | /foo | /xyz/
+ \ | /xyz/bar /foo/bar | /foo/ |
+ /xyz | /xyz/bar /foo/bar | /foo/
+ \ | /xyz/ | /xyz/bar /foo |
+ /foo | /xyz | /xyz /foo/ |
+ /foo | /xyz | /xyz/ /foo/bar
+ \ | /foo | | /bar
+ /foo/ | /foo |
+ | / /foo | /foo |
+ | / /foo/ | /foo | / |
+ / /foo | /foo | / |
+ /"
+ maxLength: 1024
+ type: string
+ type:
+ description: "Type defines the type of path modifier.
+ Additional types may be added in a future release
+ of the API. \n Note that values may be added
+ to this enum, implementations must ensure that
+ unknown values will not cause a crash. \n Unknown
+ values here must result in the implementation
+ setting the Accepted Condition for the Route
+ to `status: False`, with a Reason of `UnsupportedValue`."
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
+ description: "Matches define conditions used for matching the
+ rule against incoming HTTP requests. Each match is independent,
+ i.e. this rule will be matched if **any** one of the matches
+ is satisfied. \n For example, take the following matches configuration:
+ \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\"
+ value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request
+ to match against this rule, a request must satisfy EITHER
+ of the two conditions: \n - path prefixed with `/foo` AND
+ contains the header `version: v2` - path prefix of `/v2/foo`
+ \n See the documentation for HTTPRouteMatch on how to specify
+ multiple match conditions that should be ANDed together. \n
+ If no matches are specified, the default is a prefix path
+ match on \"/\", which has the effect of matching every HTTP
+ request. \n Proxy or Load Balancer routing configuration generated
+ from HTTPRoutes MUST prioritize matches based on the following
+ criteria, continuing on ties. Across all rules specified on
+ applicable Routes, precedence must be given to the match having:
+ \n * \"Exact\" path match. * \"Prefix\" path match with largest
+ number of characters. * Method match. * Largest number of
+ header matches. * Largest number of query param matches. \n
+ Note: The precedence of RegularExpression path matches are
+ implementation-specific. \n If ties still exist across multiple
+ Routes, matching precedence MUST be determined in order of
+ the following criteria, continuing on ties: \n * The oldest
+ Route based on creation timestamp. * The Route appearing first
+ in alphabetical order by \"{namespace}/{name}\". \n If ties
+ still exist within an HTTPRoute, matching precedence MUST
+ be granted to the FIRST matching rule (in list order) with
+ a match meeting the above criteria. \n When no rules matching
+ a request have been successfully attached to the parent a
+ request is coming from, a HTTP 404 status code MUST be returned."
+ items:
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given action. Multiple match types are
+ ANDed together, i.e. the match will evaluate to true only
+ if all conditions are satisfied. \n For example, the match
+ below will match a HTTP request only if its path starts
+ with `/foo` AND it contains the `version: v1` header: \n
+ ``` match: \n path: value: \"/foo\" headers: - name: \"version\"
+ value \"v1\" \n ```"
+ properties:
+ headers:
+ description: Headers specifies HTTP request header matchers.
+ Multiple match values are ANDed together, meaning, a
+ request must match all the specified headers to select
+ the route.
+ items:
+ description: HTTPHeaderMatch describes how to select
+ a HTTP route by matching HTTP request headers.
+ properties:
+ name:
+ description: "Name is the name of the HTTP Header
+ to be matched. Name matching MUST be case insensitive.
+ (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ \n If multiple entries specify equivalent header
+ names, only the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be
+ ignored. Due to the case-insensitivity of header
+ names, \"foo\" and \"Foo\" are considered equivalent.
+ \n When a header is repeated in an HTTP request,
+ it is implementation-specific behavior as to how
+ this is represented. Generally, proxies should
+ follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2
+ regarding processing a repeated header, with special
+ handling for \"Set-Cookie\"."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: "Type specifies how to match against
+ the value of the header. \n Support: Core (Exact)
+ \n Support: Implementation-specific (RegularExpression)
+ \n Since RegularExpression HeaderMatchType has
+ implementation-specific conformance, implementations
+ can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect."
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: "Method specifies HTTP method matcher. When
+ specified, this route will be matched only if the request
+ has the specified method. \n Support: Extended"
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: Path specifies a HTTP request path matcher.
+ If this field is not specified, a default prefix match
+ on the "/" path is provided.
+ properties:
+ type:
+ default: PathPrefix
+ description: "Type specifies how to match against
+ the path Value. \n Support: Core (Exact, PathPrefix)
+ \n Support: Implementation-specific (RegularExpression)"
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: "QueryParams specifies HTTP query parameter
+ matchers. Multiple match values are ANDed together,
+ meaning, a request must match all the specified query
+ parameters to select the route. \n Support: Extended"
+ items:
+ description: HTTPQueryParamMatch describes how to select
+ a HTTP route by matching HTTP query parameters.
+ properties:
+ name:
+ description: "Name is the name of the HTTP query
+ param to be matched. This must be an exact string
+ match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).
+ \n If multiple entries specify equivalent query
+ param names, only the first entry with an equivalent
+ name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST
+ be ignored. \n If a query param is repeated in
+ an HTTP request, the behavior is purposely left
+ undefined, since different data planes have different
+ capabilities. However, it is *recommended* that
+ implementations should match against the first
+ value of the param if the data plane supports
+ it, as this behavior is expected in other load
+ balancing contexts outside of the Gateway API.
+ \n Users SHOULD NOT route traffic based on repeated
+ query params to guard themselves against potential
+ differences in the implementations."
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: "Type specifies how to match against
+ the value of the query parameter. \n Support:
+ Extended (Exact) \n Support: Implementation-specific
+ (RegularExpression) \n Since RegularExpression
+ QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX,
+ PCRE or any other dialects of regular expressions.
+ Please read the implementation's documentation
+ to determine the supported dialect."
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 8
+ type: array
+ timeouts:
+ description: "Timeouts defines the timeouts that can be configured
+ for an HTTP request. \n Support: Extended \n "
+ properties:
+ backendRequest:
+ description: "BackendRequest specifies a timeout for an
+ individual request from the gateway to a backend. This
+ covers the time from when the request first starts being
+ sent from the gateway to when the full response has been
+ received from the backend. \n An entire client HTTP transaction
+ with a gateway, covered by the Request timeout, may result
+ in more than one call from the gateway to the destination
+ backend, for example, if automatic retries are supported.
+ \n Because the Request timeout encompasses the BackendRequest
+ timeout, the value of BackendRequest must be <= the value
+ of Request timeout. \n Support: Extended"
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: "Request specifies the maximum duration for
+ a gateway to respond to an HTTP request. If the gateway
+ has not been able to respond before this deadline is met,
+ the gateway MUST return a timeout error. \n For example,
+ setting the `rules.timeouts.request` field to the value
+ `10s` in an `HTTPRoute` will cause a timeout if a client
+ request is taking longer than 10 seconds to complete.
+ \n This timeout is intended to cover as close to the whole
+ request-response transaction as possible although an implementation
+ MAY choose to start the timeout after the entire request
+ stream has been received instead of immediately after
+ the transaction is initiated by the client. \n When this
+ field is unspecified, request timeout behavior is implementation-specific.
+ \n Support: Extended"
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: "Parents is a list of parent resources (usually Gateways)
+ that are associated with the route, and the status of the route
+ with respect to each parent. When this route attaches to a parent,
+ the controller that manages the parent must add an entry to this
+ list when the controller first sees the route and should update
+ the entry as appropriate when the route or gateway is modified.
+ \n Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this
+ API can only populate Route status for the Gateways/parent resources
+ they are responsible for. \n A maximum of 32 Gateways will be represented
+ in this list. An empty list means the route has not been attached
+ to any Gateway."
+ items:
+ description: RouteParentStatus describes the status of a route with
+ respect to an associated Parent.
+ properties:
+ conditions:
+ description: "Conditions describes the status of the route with
+ respect to the Gateway. Note that the route's availability
+ is also subject to the Gateway's own status conditions and
+ listener status. \n If the Route's ParentRef specifies an
+ existing Gateway that supports Routes of this kind AND that
+ Gateway's controller has sufficient access, then that Gateway's
+ controller MUST set the \"Accepted\" condition on the Route,
+ to indicate whether the route has been accepted or rejected
+ by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+ if at least one of the Route's rules is implemented by the
+ Gateway. \n There are a number of cases where the \"Accepted\"
+ condition may not be set due to lack of controller visibility,
+ that includes when: \n * The Route refers to a non-existent
+ parent. * The Route is of a type that the controller does
+ not support. * The Route is in a namespace the controller
+ does not have access to."
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: "ControllerName is a domain/path string that indicates
+ the name of the controller that wrote this status. This corresponds
+ with the controllerName field on GatewayClass. \n Example:
+ \"example.net/gateway-controller\". \n The format of this
+ field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+ Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ \n Controllers MUST populate this field when writing status.
+ Controllers should ensure that entries to status populated
+ with their ControllerName are cleaned up when they are no
+ longer necessary."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: ParentRef corresponds with a ParentRef in the spec
+ that this RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the
+ core API group (such as for a \"Service\" kind referent),
+ Group must be explicitly set to \"\" (empty string). \n
+ Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are
+ two kinds of parent resources with \"Core\" support: \n
+ * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services
+ only) \n Support for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent.
+ When unspecified, this refers to the local namespace of
+ the Route. \n Note that there are specific rules for ParentRefs
+ which cross namespace boundaries. Cross-namespace references
+ are only valid if they are explicitly allowed by something
+ in the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides
+ a generic way to enable any other kind of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes, which apply
+ default routing rules to inbound connections from any
+ namespace to the Service. \n ParentRefs from a Route to
+ a Service in a different namespace are \"consumer\" routes,
+ and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for
+ which the intended destination of the connections are
+ a Service targeted as a ParentRef of the Route. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets.
+ It can be interpreted differently based on the type of
+ parent resource. \n When the parent resource is a Gateway,
+ this targets all listeners listening on the specified
+ port that also support this kind of Route(and select this
+ Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to
+ a specific port as opposed to a listener(s) whose port(s)
+ may be changed. When both Port and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. \n When the parent resource is
+ a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected port must
+ match both specified values. \n Implementations MAY choose
+ to support other parent resources. Implementations supporting
+ other types of parent resources MUST clearly document
+ how/if Port is interpreted. \n For the purpose of status,
+ an attachment is considered successful as long as the
+ parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them
+ by Route kind, namespace, or hostname. If 1 of 2 Gateway
+ listeners accept attachment from the referencing Route,
+ the Route MUST be considered successfully attached. If
+ no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within
+ the target resource. In the following resources, SectionName
+ is interpreted as the following: \n * Gateway: Listener
+ Name. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected listener
+ must match both specified values. * Service: Port Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services
+ as Parents is part of experimental Mesh support and is
+ not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this
+ will reference the entire resource. For the purpose of
+ status, an attachment is considered successful if at least
+ one section in the parent resource accepts it. For example,
+ Gateway listeners can restrict which Routes can attach
+ to them by Route kind, namespace, or hostname. If 1 of
+ 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: referencegrants.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: ReferenceGrant
+ listKind: ReferenceGrantList
+ plural: referencegrants
+ shortNames:
+ - refgrant
+ singular: referencegrant
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: The v1alpha2 version of ReferenceGrant has been deprecated
+ and will be removed in a future release of the API. Please upgrade to v1beta1.
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: "ReferenceGrant identifies kinds of resources in other namespaces
+ that are trusted to reference the specified kinds of resources in the same
+ namespace as the policy. \n Each ReferenceGrant can be used to represent
+ a unique trust relationship. Additional Reference Grants can be used to
+ add to the set of trusted sources of inbound references for the namespace
+ they are defined within. \n A ReferenceGrant is required for all cross-namespace
+ references in Gateway API (with the exception of cross-namespace Route-Gateway
+ attachment, which is governed by the AllowedRoutes configuration on the
+ Gateway, and cross-namespace Service ParentRefs on a \"consumer\" mesh Route,
+ which defines routing rules applicable only to workloads in the Route namespace).
+ ReferenceGrants allowing a reference from a Route to a Service are only
+ applicable to BackendRefs. \n ReferenceGrant is a form of runtime verification
+ allowing users to assert which cross-namespace object references are permitted.
+ Implementations that support ReferenceGrant MUST NOT permit cross-namespace
+ references which have no grant, and MUST respond to the removal of a grant
+ by revoking the access that the grant allowed."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ReferenceGrant.
+ properties:
+ from:
+ description: "From describes the trusted namespaces and kinds that
+ can reference the resources described in \"To\". Each entry in this
+ list MUST be considered to be an additional place that references
+ can be valid from, or to put this another way, entries MUST be combined
+ using OR. \n Support: Core"
+ items:
+ description: ReferenceGrantFrom describes trusted namespaces and
+ kinds.
+ properties:
+ group:
+ description: "Group is the group of the referent. When empty,
+ the Kubernetes core API group is inferred. \n Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: "Kind is the kind of the referent. Although implementations
+ may support additional resources, the following types are
+ part of the \"Core\" support level for this field. \n When
+ used to permit a SecretObjectReference: \n * Gateway \n When
+ used to permit a BackendObjectReference: \n * GRPCRoute *
+ HTTPRoute * TCPRoute * TLSRoute * UDPRoute"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent. \n
+ Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - namespace
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ to:
+ description: "To describes the resources that may be referenced by
+ the resources described in \"From\". Each entry in this list MUST
+ be considered to be an additional place that references can be valid
+ to, or to put this another way, entries MUST be combined using OR.
+ \n Support: Core"
+ items:
+ description: ReferenceGrantTo describes what Kinds are allowed as
+ targets of the references.
+ properties:
+ group:
+ description: "Group is the group of the referent. When empty,
+ the Kubernetes core API group is inferred. \n Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: "Kind is the kind of the referent. Although implementations
+ may support additional resources, the following types are
+ part of the \"Core\" support level for this field: \n * Secret
+ when used to permit a SecretObjectReference * Service when
+ used to permit a BackendObjectReference"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent. When unspecified,
+ this policy refers to all resources of the specified Group
+ and Kind in the local namespace.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - from
+ - to
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources: {}
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: "ReferenceGrant identifies kinds of resources in other namespaces
+ that are trusted to reference the specified kinds of resources in the same
+ namespace as the policy. \n Each ReferenceGrant can be used to represent
+ a unique trust relationship. Additional Reference Grants can be used to
+ add to the set of trusted sources of inbound references for the namespace
+ they are defined within. \n All cross-namespace references in Gateway API
+ (with the exception of cross-namespace Gateway-route attachment) require
+ a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing
+ users to assert which cross-namespace object references are permitted. Implementations
+ that support ReferenceGrant MUST NOT permit cross-namespace references which
+ have no grant, and MUST respond to the removal of a grant by revoking the
+ access that the grant allowed."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ReferenceGrant.
+ properties:
+ from:
+ description: "From describes the trusted namespaces and kinds that
+ can reference the resources described in \"To\". Each entry in this
+ list MUST be considered to be an additional place that references
+ can be valid from, or to put this another way, entries MUST be combined
+ using OR. \n Support: Core"
+ items:
+ description: ReferenceGrantFrom describes trusted namespaces and
+ kinds.
+ properties:
+ group:
+ description: "Group is the group of the referent. When empty,
+ the Kubernetes core API group is inferred. \n Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: "Kind is the kind of the referent. Although implementations
+ may support additional resources, the following types are
+ part of the \"Core\" support level for this field. \n When
+ used to permit a SecretObjectReference: \n * Gateway \n When
+ used to permit a BackendObjectReference: \n * GRPCRoute *
+ HTTPRoute * TCPRoute * TLSRoute * UDPRoute"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent. \n
+ Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - namespace
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ to:
+ description: "To describes the resources that may be referenced by
+ the resources described in \"From\". Each entry in this list MUST
+ be considered to be an additional place that references can be valid
+ to, or to put this another way, entries MUST be combined using OR.
+ \n Support: Core"
+ items:
+ description: ReferenceGrantTo describes what Kinds are allowed as
+ targets of the references.
+ properties:
+ group:
+ description: "Group is the group of the referent. When empty,
+ the Kubernetes core API group is inferred. \n Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: "Kind is the kind of the referent. Although implementations
+ may support additional resources, the following types are
+ part of the \"Core\" support level for this field: \n * Secret
+ when used to permit a SecretObjectReference * Service when
+ used to permit a BackendObjectReference"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent. When unspecified,
+ this policy refers to all resources of the specified Group
+ and Kind in the local namespace.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - from
+ - to
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: tcproutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: TCPRoute
+ listKind: TCPRouteList
+ plural: tcproutes
+ singular: tcproute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: TCPRoute provides a way to route TCP requests. When combined
+ with a Gateway listener, it can be used to forward connections on the port
+ specified by the listener to a set of backends specified by the TCPRoute.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of TCPRoute.
+ properties:
+ parentRefs:
+ description: "ParentRefs references the resources (usually Gateways)
+ that a Route wants to be attached to. Note that the referenced parent
+ resource needs to allow this for the attachment to be complete.
+ For Gateways, that means the Gateway needs to allow attachment from
+ Routes of this kind and namespace. For Services, that means the
+ Service must either be in the same namespace for a \"producer\"
+ route, or the mesh implementation must support and allow \"consumer\"
+ routes for the referenced Service. ReferenceGrant is not applicable
+ for governing ParentRefs to Services - it is not possible to create
+ a \"producer\" route for a Service in a different namespace from
+ the Route. \n There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
+ API may be extended in the future to support additional kinds of
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
+ items:
+ description: "ParentReference identifies an API object (usually
+ a Gateway) that can be considered a parent of this resource (usually
+ a route). There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service
+ (Mesh conformance profile, experimental, ClusterIP Services only)
+ \n This API may be extended in the future to support additional
+ kinds of parent resources. \n The API object must be valid in
+ the cluster; the Group and Kind must be registered in the cluster
+ for this reference to be valid."
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the core
+ API group (such as for a \"Service\" kind referent), Group
+ must be explicitly set to \"\" (empty string). \n Support:
+ Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are two
+ kinds of parent resources with \"Core\" support: \n * Gateway
+ (Gateway conformance profile) * Service (Mesh conformance
+ profile, experimental, ClusterIP Services only) \n Support
+ for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent. When
+ unspecified, this refers to the local namespace of the Route.
+ \n Note that there are specific rules for ParentRefs which
+ cross namespace boundaries. Cross-namespace references are
+ only valid if they are explicitly allowed by something in
+ the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+ \n ParentRefs from a Route to a Service in the same namespace
+ are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service.
+ \n ParentRefs from a Route to a Service in a different namespace
+ are \"consumer\" routes, and these routing rules are only
+ applied to outbound connections originating from the same
+ namespace as the Route, for which the intended destination
+ of the connections are a Service targeted as a ParentRef of
+ the Route. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets. It
+ can be interpreted differently based on the type of parent
+ resource. \n When the parent resource is a Gateway, this targets
+ all listeners listening on the specified port that also support
+ this kind of Route(and select this Route). It's not recommended
+ to set `Port` unless the networking behaviors specified in
+ a Route must apply to a specific port as opposed to a listener(s)
+ whose port(s) may be changed. When both Port and SectionName
+ are specified, the name and port of the selected listener
+ must match both specified values. \n When the parent resource
+ is a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified
+ values. \n Implementations MAY choose to support other parent
+ resources. Implementations supporting other types of parent
+ resources MUST clearly document how/if Port is interpreted.
+ \n For the purpose of status, an attachment is considered
+ successful as long as the parent resource accepts it partially.
+ For example, Gateway listeners can restrict which Routes can
+ attach to them by Route kind, namespace, or hostname. If 1
+ of 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway. \n
+ Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within the
+ target resource. In the following resources, SectionName is
+ interpreted as the following: \n * Gateway: Listener Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match both
+ specified values. * Service: Port Name. When both Port (experimental)
+ and SectionName are specified, the name and port of the selected
+ listener must match both specified values. Note that attaching
+ Routes to Services as Parents is part of experimental Mesh
+ support and is not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this will
+ reference the entire resource. For the purpose of status,
+ an attachment is considered successful if at least one section
+ in the parent resource accepts it. For example, Gateway listeners
+ can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept
+ attachment from the referencing Route, the Route MUST be considered
+ successfully attached. If no Gateway listeners accept attachment
+ from this Route, the Route MUST be considered detached from
+ the Gateway. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ description: Rules are a list of TCP matchers and actions.
+ items:
+ description: TCPRouteRule is the configuration for a given rule.
+ properties:
+ backendRefs:
+ description: "BackendRefs defines the backend(s) where matching
+ requests should be sent. If unspecified or invalid (refers
+ to a non-existent resource or a Service with no endpoints),
+ the underlying implementation MUST actively reject connection
+ attempts to this backend. Connection rejections must respect
+ weight; if an invalid backend is requested to have 80% of
+ connections, then 80% of connections must be rejected instead.
+ \n Support: Core for Kubernetes Service \n Support: Extended
+ for Kubernetes ServiceImport \n Support: Implementation-specific
+ for any other resource \n Support for weight: Extended"
+ items:
+ description: "BackendRef defines how a Route should forward
+ a request to a Kubernetes resource. \n Note that when a
+ namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace
+ to allow that namespace's owner to accept the reference.
+ See the ReferenceGrant documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ \n Note that when the
+ BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here.
+ See the fields where this struct is used for more information
+ about the exact behavior."
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent. For example,
+ "gateway.networking.k8s.io". When unspecified or empty
+ string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource kind of
+ the referent. For example \"Service\". \n Defaults to
+ \"Service\" when not specified. \n ExternalName services
+ can refer to CNAME DNS records that may live outside
+ of the cluster and as such are difficult to reason about
+ in terms of conformance. They also may not be safe to
+ forward to (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName Services.
+ \n Support: Core (Services with a type other than ExternalName)
+ \n Support: Implementation-specific (Services with type
+ ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the backend.
+ When unspecified, the local namespace is inferred. \n
+ Note that when a namespace different than the local
+ namespace is specified, a ReferenceGrant object is required
+ in the referent namespace to allow that namespace's
+ owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination port number
+ to use for this resource. Port is required when the
+ referent is a Kubernetes Service. In this case, the
+ port number is the service port number, not the target
+ port. For other resources, destination port might be
+ derived from the referent resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: "Weight specifies the proportion of requests
+ forwarded to the referenced backend. This is computed
+ as weight/(sum of all weights in this BackendRefs list).
+ For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision
+ an implementation supports. Weight is not a percentage
+ and the sum of weights does not need to equal 100. \n
+ If only one backend is specified and it has a weight
+ greater than 0, 100% of the traffic is forwarded to
+ that backend. If weight is set to 0, no traffic should
+ be forwarded for this entry. If unspecified, weight
+ defaults to 1. \n Support for this field varies based
+ on the context where used."
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ minItems: 1
+ type: array
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - rules
+ type: object
+ status:
+ description: Status defines the current state of TCPRoute.
+ properties:
+ parents:
+ description: "Parents is a list of parent resources (usually Gateways)
+ that are associated with the route, and the status of the route
+ with respect to each parent. When this route attaches to a parent,
+ the controller that manages the parent must add an entry to this
+ list when the controller first sees the route and should update
+ the entry as appropriate when the route or gateway is modified.
+ \n Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this
+ API can only populate Route status for the Gateways/parent resources
+ they are responsible for. \n A maximum of 32 Gateways will be represented
+ in this list. An empty list means the route has not been attached
+ to any Gateway."
+ items:
+ description: RouteParentStatus describes the status of a route with
+ respect to an associated Parent.
+ properties:
+ conditions:
+ description: "Conditions describes the status of the route with
+ respect to the Gateway. Note that the route's availability
+ is also subject to the Gateway's own status conditions and
+ listener status. \n If the Route's ParentRef specifies an
+ existing Gateway that supports Routes of this kind AND that
+ Gateway's controller has sufficient access, then that Gateway's
+ controller MUST set the \"Accepted\" condition on the Route,
+ to indicate whether the route has been accepted or rejected
+ by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+ if at least one of the Route's rules is implemented by the
+ Gateway. \n There are a number of cases where the \"Accepted\"
+ condition may not be set due to lack of controller visibility,
+ that includes when: \n * The Route refers to a non-existent
+ parent. * The Route is of a type that the controller does
+ not support. * The Route is in a namespace the controller
+ does not have access to."
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: "ControllerName is a domain/path string that indicates
+ the name of the controller that wrote this status. This corresponds
+ with the controllerName field on GatewayClass. \n Example:
+ \"example.net/gateway-controller\". \n The format of this
+ field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+ Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ \n Controllers MUST populate this field when writing status.
+ Controllers should ensure that entries to status populated
+ with their ControllerName are cleaned up when they are no
+ longer necessary."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: ParentRef corresponds with a ParentRef in the spec
+ that this RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the
+ core API group (such as for a \"Service\" kind referent),
+ Group must be explicitly set to \"\" (empty string). \n
+ Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are
+ two kinds of parent resources with \"Core\" support: \n
+ * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services
+ only) \n Support for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent.
+ When unspecified, this refers to the local namespace of
+ the Route. \n Note that there are specific rules for ParentRefs
+ which cross namespace boundaries. Cross-namespace references
+ are only valid if they are explicitly allowed by something
+ in the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides
+ a generic way to enable any other kind of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes, which apply
+ default routing rules to inbound connections from any
+ namespace to the Service. \n ParentRefs from a Route to
+ a Service in a different namespace are \"consumer\" routes,
+ and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for
+ which the intended destination of the connections are
+ a Service targeted as a ParentRef of the Route. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets.
+ It can be interpreted differently based on the type of
+ parent resource. \n When the parent resource is a Gateway,
+ this targets all listeners listening on the specified
+ port that also support this kind of Route(and select this
+ Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to
+ a specific port as opposed to a listener(s) whose port(s)
+ may be changed. When both Port and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. \n When the parent resource is
+ a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected port must
+ match both specified values. \n Implementations MAY choose
+ to support other parent resources. Implementations supporting
+ other types of parent resources MUST clearly document
+ how/if Port is interpreted. \n For the purpose of status,
+ an attachment is considered successful as long as the
+ parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them
+ by Route kind, namespace, or hostname. If 1 of 2 Gateway
+ listeners accept attachment from the referencing Route,
+ the Route MUST be considered successfully attached. If
+ no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within
+ the target resource. In the following resources, SectionName
+ is interpreted as the following: \n * Gateway: Listener
+ Name. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected listener
+ must match both specified values. * Service: Port Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services
+ as Parents is part of experimental Mesh support and is
+ not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this
+ will reference the entire resource. For the purpose of
+ status, an attachment is considered successful if at least
+ one section in the parent resource accepts it. For example,
+ Gateway listeners can restrict which Routes can attach
+ to them by Route kind, namespace, or hostname. If 1 of
+ 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: tlsroutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: TLSRoute
+ listKind: TLSRouteList
+ plural: tlsroutes
+ singular: tlsroute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: "The TLSRoute resource is similar to TCPRoute, but can be configured
+ to match against TLS-specific metadata. This allows more flexibility in
+ matching streams for a given TLS listener. \n If you need to forward traffic
+ to a single target for a TLS listener, you could choose to use a TCPRoute
+ with a TLS listener."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of TLSRoute.
+ properties:
+ hostnames:
+ description: "Hostnames defines a set of SNI names that should match
+ against the SNI attribute of TLS ClientHello message in TLS handshake.
+ This matches the RFC 1123 definition of a hostname with 2 notable
+ exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The
+ wildcard label must appear by itself as the first label. \n If a
+ hostname is specified by both the Listener and TLSRoute, there must
+ be at least one intersecting hostname for the TLSRoute to be attached
+ to the Listener. For example: \n * A Listener with `test.example.com`
+ as the hostname matches TLSRoutes that have either not specified
+ any hostnames, or have specified at least one of `test.example.com`
+ or `*.example.com`. * A Listener with `*.example.com` as the hostname
+ matches TLSRoutes that have either not specified any hostnames or
+ have specified at least one hostname that matches the Listener hostname.
+ For example, `test.example.com` and `*.example.com` would both match.
+ On the other hand, `example.com` and `test.example.net` would not
+ match. \n If both the Listener and TLSRoute have specified hostnames,
+ any TLSRoute hostnames that do not match the Listener hostname MUST
+ be ignored. For example, if a Listener specified `*.example.com`,
+ and the TLSRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match. \n If both
+ the Listener and TLSRoute have specified hostnames, and none match
+ with the criteria above, then the TLSRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status
+ of `False` in the corresponding RouteParentStatus. \n Support: Core"
+ items:
+ description: "Hostname is the fully qualified domain name of a network
+ host. This matches the RFC 1123 definition of a hostname with
+ 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
+ may be prefixed with a wildcard label (`*.`). The wildcard label
+ must appear by itself as the first label. \n Hostname can be \"precise\"
+ which is a domain name without the terminating dot of a network
+ host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
+ name prefixed with a single wildcard label (e.g. `*.example.com`).
+ \n Note that as per RFC1035 and RFC1123, a *label* must consist
+ of lower case alphanumeric characters or '-', and must start and
+ end with an alphanumeric character. No other punctuation is allowed."
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: "ParentRefs references the resources (usually Gateways)
+ that a Route wants to be attached to. Note that the referenced parent
+ resource needs to allow this for the attachment to be complete.
+ For Gateways, that means the Gateway needs to allow attachment from
+ Routes of this kind and namespace. For Services, that means the
+ Service must either be in the same namespace for a \"producer\"
+ route, or the mesh implementation must support and allow \"consumer\"
+ routes for the referenced Service. ReferenceGrant is not applicable
+ for governing ParentRefs to Services - it is not possible to create
+ a \"producer\" route for a Service in a different namespace from
+ the Route. \n There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
+ API may be extended in the future to support additional kinds of
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
+ items:
+ description: "ParentReference identifies an API object (usually
+ a Gateway) that can be considered a parent of this resource (usually
+ a route). There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service
+ (Mesh conformance profile, experimental, ClusterIP Services only)
+ \n This API may be extended in the future to support additional
+ kinds of parent resources. \n The API object must be valid in
+ the cluster; the Group and Kind must be registered in the cluster
+ for this reference to be valid."
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the core
+ API group (such as for a \"Service\" kind referent), Group
+ must be explicitly set to \"\" (empty string). \n Support:
+ Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are two
+ kinds of parent resources with \"Core\" support: \n * Gateway
+ (Gateway conformance profile) * Service (Mesh conformance
+ profile, experimental, ClusterIP Services only) \n Support
+ for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent. When
+ unspecified, this refers to the local namespace of the Route.
+ \n Note that there are specific rules for ParentRefs which
+ cross namespace boundaries. Cross-namespace references are
+ only valid if they are explicitly allowed by something in
+ the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+ \n ParentRefs from a Route to a Service in the same namespace
+ are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service.
+ \n ParentRefs from a Route to a Service in a different namespace
+ are \"consumer\" routes, and these routing rules are only
+ applied to outbound connections originating from the same
+ namespace as the Route, for which the intended destination
+ of the connections are a Service targeted as a ParentRef of
+ the Route. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets. It
+ can be interpreted differently based on the type of parent
+ resource. \n When the parent resource is a Gateway, this targets
+ all listeners listening on the specified port that also support
+ this kind of Route(and select this Route). It's not recommended
+ to set `Port` unless the networking behaviors specified in
+ a Route must apply to a specific port as opposed to a listener(s)
+ whose port(s) may be changed. When both Port and SectionName
+ are specified, the name and port of the selected listener
+ must match both specified values. \n When the parent resource
+ is a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified
+ values. \n Implementations MAY choose to support other parent
+ resources. Implementations supporting other types of parent
+ resources MUST clearly document how/if Port is interpreted.
+ \n For the purpose of status, an attachment is considered
+ successful as long as the parent resource accepts it partially.
+ For example, Gateway listeners can restrict which Routes can
+ attach to them by Route kind, namespace, or hostname. If 1
+ of 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway. \n
+ Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within the
+ target resource. In the following resources, SectionName is
+ interpreted as the following: \n * Gateway: Listener Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match both
+ specified values. * Service: Port Name. When both Port (experimental)
+ and SectionName are specified, the name and port of the selected
+ listener must match both specified values. Note that attaching
+ Routes to Services as Parents is part of experimental Mesh
+ support and is not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this will
+ reference the entire resource. For the purpose of status,
+ an attachment is considered successful if at least one section
+ in the parent resource accepts it. For example, Gateway listeners
+ can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept
+ attachment from the referencing Route, the Route MUST be considered
+ successfully attached. If no Gateway listeners accept attachment
+ from this Route, the Route MUST be considered detached from
+ the Gateway. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ description: Rules are a list of TLS matchers and actions.
+ items:
+ description: TLSRouteRule is the configuration for a given rule.
+ properties:
+ backendRefs:
+ description: "BackendRefs defines the backend(s) where matching
+ requests should be sent. If unspecified or invalid (refers
+ to a non-existent resource or a Service with no endpoints),
+ the rule performs no forwarding; if no filters are specified
+ that would result in a response being sent, the underlying
+ implementation must actively reject request attempts to this
+ backend, by rejecting the connection or returning a 500 status
+ code. Request rejections must respect weight; if an invalid
+ backend is requested to have 80% of requests, then 80% of
+ requests must be rejected instead. \n Support: Core for Kubernetes
+ Service \n Support: Extended for Kubernetes ServiceImport
+ \n Support: Implementation-specific for any other resource
+ \n Support for weight: Extended"
+ items:
+ description: "BackendRef defines how a Route should forward
+ a request to a Kubernetes resource. \n Note that when a
+ namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace
+ to allow that namespace's owner to accept the reference.
+ See the ReferenceGrant documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ \n Note that when the
+ BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here.
+ See the fields where this struct is used for more information
+ about the exact behavior."
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent. For example,
+ "gateway.networking.k8s.io". When unspecified or empty
+ string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource kind of
+ the referent. For example \"Service\". \n Defaults to
+ \"Service\" when not specified. \n ExternalName services
+ can refer to CNAME DNS records that may live outside
+ of the cluster and as such are difficult to reason about
+ in terms of conformance. They also may not be safe to
+ forward to (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName Services.
+ \n Support: Core (Services with a type other than ExternalName)
+ \n Support: Implementation-specific (Services with type
+ ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the backend.
+ When unspecified, the local namespace is inferred. \n
+ Note that when a namespace different than the local
+ namespace is specified, a ReferenceGrant object is required
+ in the referent namespace to allow that namespace's
+ owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination port number
+ to use for this resource. Port is required when the
+ referent is a Kubernetes Service. In this case, the
+ port number is the service port number, not the target
+ port. For other resources, destination port might be
+ derived from the referent resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: "Weight specifies the proportion of requests
+ forwarded to the referenced backend. This is computed
+ as weight/(sum of all weights in this BackendRefs list).
+ For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision
+ an implementation supports. Weight is not a percentage
+ and the sum of weights does not need to equal 100. \n
+ If only one backend is specified and it has a weight
+ greater than 0, 100% of the traffic is forwarded to
+ that backend. If weight is set to 0, no traffic should
+ be forwarded for this entry. If unspecified, weight
+ defaults to 1. \n Support for this field varies based
+ on the context where used."
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ minItems: 1
+ type: array
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - rules
+ type: object
+ status:
+ description: Status defines the current state of TLSRoute.
+ properties:
+ parents:
+ description: "Parents is a list of parent resources (usually Gateways)
+ that are associated with the route, and the status of the route
+ with respect to each parent. When this route attaches to a parent,
+ the controller that manages the parent must add an entry to this
+ list when the controller first sees the route and should update
+ the entry as appropriate when the route or gateway is modified.
+ \n Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this
+ API can only populate Route status for the Gateways/parent resources
+ they are responsible for. \n A maximum of 32 Gateways will be represented
+ in this list. An empty list means the route has not been attached
+ to any Gateway."
+ items:
+ description: RouteParentStatus describes the status of a route with
+ respect to an associated Parent.
+ properties:
+ conditions:
+ description: "Conditions describes the status of the route with
+ respect to the Gateway. Note that the route's availability
+ is also subject to the Gateway's own status conditions and
+ listener status. \n If the Route's ParentRef specifies an
+ existing Gateway that supports Routes of this kind AND that
+ Gateway's controller has sufficient access, then that Gateway's
+ controller MUST set the \"Accepted\" condition on the Route,
+ to indicate whether the route has been accepted or rejected
+ by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+ if at least one of the Route's rules is implemented by the
+ Gateway. \n There are a number of cases where the \"Accepted\"
+ condition may not be set due to lack of controller visibility,
+ that includes when: \n * The Route refers to a non-existent
+ parent. * The Route is of a type that the controller does
+ not support. * The Route is in a namespace the controller
+ does not have access to."
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: "ControllerName is a domain/path string that indicates
+ the name of the controller that wrote this status. This corresponds
+ with the controllerName field on GatewayClass. \n Example:
+ \"example.net/gateway-controller\". \n The format of this
+ field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+ Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ \n Controllers MUST populate this field when writing status.
+ Controllers should ensure that entries to status populated
+ with their ControllerName are cleaned up when they are no
+ longer necessary."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: ParentRef corresponds with a ParentRef in the spec
+ that this RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the
+ core API group (such as for a \"Service\" kind referent),
+ Group must be explicitly set to \"\" (empty string). \n
+ Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are
+ two kinds of parent resources with \"Core\" support: \n
+ * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services
+ only) \n Support for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent.
+ When unspecified, this refers to the local namespace of
+ the Route. \n Note that there are specific rules for ParentRefs
+ which cross namespace boundaries. Cross-namespace references
+ are only valid if they are explicitly allowed by something
+ in the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides
+ a generic way to enable any other kind of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes, which apply
+ default routing rules to inbound connections from any
+ namespace to the Service. \n ParentRefs from a Route to
+ a Service in a different namespace are \"consumer\" routes,
+ and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for
+ which the intended destination of the connections are
+ a Service targeted as a ParentRef of the Route. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets.
+ It can be interpreted differently based on the type of
+ parent resource. \n When the parent resource is a Gateway,
+ this targets all listeners listening on the specified
+ port that also support this kind of Route(and select this
+ Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to
+ a specific port as opposed to a listener(s) whose port(s)
+ may be changed. When both Port and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. \n When the parent resource is
+ a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected port must
+ match both specified values. \n Implementations MAY choose
+ to support other parent resources. Implementations supporting
+ other types of parent resources MUST clearly document
+ how/if Port is interpreted. \n For the purpose of status,
+ an attachment is considered successful as long as the
+ parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them
+ by Route kind, namespace, or hostname. If 1 of 2 Gateway
+ listeners accept attachment from the referencing Route,
+ the Route MUST be considered successfully attached. If
+ no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within
+ the target resource. In the following resources, SectionName
+ is interpreted as the following: \n * Gateway: Listener
+ Name. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected listener
+ must match both specified values. * Service: Port Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services
+ as Parents is part of experimental Mesh support and is
+ not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this
+ will reference the entire resource. For the purpose of
+ status, an attachment is considered successful if at least
+ one section in the parent resource accepts it. For example,
+ Gateway listeners can restrict which Routes can attach
+ to them by Route kind, namespace, or hostname. If 1 of
+ 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
+ gateway.networking.k8s.io/bundle-version: v1.0.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: udproutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: UDPRoute
+ listKind: UDPRouteList
+ plural: udproutes
+ singular: udproute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: UDPRoute provides a way to route UDP traffic. When combined with
+ a Gateway listener, it can be used to forward traffic on the port specified
+ by the listener to a set of backends specified by the UDPRoute.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of UDPRoute.
+ properties:
+ parentRefs:
+ description: "ParentRefs references the resources (usually Gateways)
+ that a Route wants to be attached to. Note that the referenced parent
+ resource needs to allow this for the attachment to be complete.
+ For Gateways, that means the Gateway needs to allow attachment from
+ Routes of this kind and namespace. For Services, that means the
+ Service must either be in the same namespace for a \"producer\"
+ route, or the mesh implementation must support and allow \"consumer\"
+ routes for the referenced Service. ReferenceGrant is not applicable
+ for governing ParentRefs to Services - it is not possible to create
+ a \"producer\" route for a Service in a different namespace from
+ the Route. \n There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services only) This
+ API may be extended in the future to support additional kinds of
+ parent resources. \n ParentRefs must be _distinct_. This means either
+ that: \n * They select different objects. If this is the case,
+ then parentRef entries are distinct. In terms of fields, this means
+ that the multi-part key defined by `group`, `kind`, `namespace`,
+ and `name` must be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field
+ used, each ParentRef that selects the same object must set the same
+ set of optional fields to different values. If one ParentRef sets
+ a combination of optional fields, all must set the same combination.
+ \n Some examples: \n * If one ParentRef sets `sectionName`, all
+ ParentRefs referencing the same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`. * If one ParentRef sets `sectionName`
+ and `port`, all ParentRefs referencing the same object must also
+ set `sectionName` and `port`. \n It is possible to separately reference
+ multiple distinct objects that may be collapsed by an implementation.
+ For example, some implementations may choose to merge compatible
+ Gateway Listeners together. If that is the case, the list of routes
+ attached to those resources should also be merged. \n Note that
+ for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For
+ example, Gateway has the AllowedRoutes field, and ReferenceGrant
+ provides a generic way to enable other kinds of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in the same
+ namespace are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service. \n ParentRefs
+ from a Route to a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for which the
+ intended destination of the connections are a Service targeted as
+ a ParentRef of the Route. \n "
+ items:
+ description: "ParentReference identifies an API object (usually
+ a Gateway) that can be considered a parent of this resource (usually
+ a route). There are two kinds of parent resources with \"Core\"
+ support: \n * Gateway (Gateway conformance profile) * Service
+ (Mesh conformance profile, experimental, ClusterIP Services only)
+ \n This API may be extended in the future to support additional
+ kinds of parent resources. \n The API object must be valid in
+ the cluster; the Group and Kind must be registered in the cluster
+ for this reference to be valid."
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the core
+ API group (such as for a \"Service\" kind referent), Group
+ must be explicitly set to \"\" (empty string). \n Support:
+ Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are two
+ kinds of parent resources with \"Core\" support: \n * Gateway
+ (Gateway conformance profile) * Service (Mesh conformance
+ profile, experimental, ClusterIP Services only) \n Support
+ for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent. When
+ unspecified, this refers to the local namespace of the Route.
+ \n Note that there are specific rules for ParentRefs which
+ cross namespace boundaries. Cross-namespace references are
+ only valid if they are explicitly allowed by something in
+ the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+ \n ParentRefs from a Route to a Service in the same namespace
+ are \"producer\" routes, which apply default routing rules
+ to inbound connections from any namespace to the Service.
+ \n ParentRefs from a Route to a Service in a different namespace
+ are \"consumer\" routes, and these routing rules are only
+ applied to outbound connections originating from the same
+ namespace as the Route, for which the intended destination
+ of the connections are a Service targeted as a ParentRef of
+ the Route. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets. It
+ can be interpreted differently based on the type of parent
+ resource. \n When the parent resource is a Gateway, this targets
+ all listeners listening on the specified port that also support
+ this kind of Route(and select this Route). It's not recommended
+ to set `Port` unless the networking behaviors specified in
+ a Route must apply to a specific port as opposed to a listener(s)
+ whose port(s) may be changed. When both Port and SectionName
+ are specified, the name and port of the selected listener
+ must match both specified values. \n When the parent resource
+ is a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified
+ values. \n Implementations MAY choose to support other parent
+ resources. Implementations supporting other types of parent
+ resources MUST clearly document how/if Port is interpreted.
+ \n For the purpose of status, an attachment is considered
+ successful as long as the parent resource accepts it partially.
+ For example, Gateway listeners can restrict which Routes can
+ attach to them by Route kind, namespace, or hostname. If 1
+ of 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway. \n
+ Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within the
+ target resource. In the following resources, SectionName is
+ interpreted as the following: \n * Gateway: Listener Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match both
+ specified values. * Service: Port Name. When both Port (experimental)
+ and SectionName are specified, the name and port of the selected
+ listener must match both specified values. Note that attaching
+ Routes to Services as Parents is part of experimental Mesh
+ support and is not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this will
+ reference the entire resource. For the purpose of status,
+ an attachment is considered successful if at least one section
+ in the parent resource accepts it. For example, Gateway listeners
+ can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept
+ attachment from the referencing Route, the Route MUST be considered
+ successfully attached. If no Gateway listeners accept attachment
+ from this Route, the Route MUST be considered detached from
+ the Gateway. \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ description: Rules are a list of UDP matchers and actions.
+ items:
+ description: UDPRouteRule is the configuration for a given rule.
+ properties:
+ backendRefs:
+ description: "BackendRefs defines the backend(s) where matching
+ requests should be sent. If unspecified or invalid (refers
+ to a non-existent resource or a Service with no endpoints),
+ the underlying implementation MUST actively reject connection
+ attempts to this backend. Packet drops must respect weight;
+ if an invalid backend is requested to have 80% of the packets,
+ then 80% of packets must be dropped instead. \n Support: Core
+ for Kubernetes Service \n Support: Extended for Kubernetes
+ ServiceImport \n Support: Implementation-specific for any
+ other resource \n Support for weight: Extended"
+ items:
+ description: "BackendRef defines how a Route should forward
+ a request to a Kubernetes resource. \n Note that when a
+ namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace
+ to allow that namespace's owner to accept the reference.
+ See the ReferenceGrant documentation for details. \n
+ \n When the BackendRef points to a Kubernetes Service, implementations
+ SHOULD honor the appProtocol field if it is set for the
+ target Service Port. \n Implementations supporting appProtocol
+ SHOULD recognize the Kubernetes Standard Application Protocols
+ defined in KEP-3726. \n If a Service appProtocol isn't specified,
+ an implementation MAY infer the backend protocol through
+ its own means. Implementations MAY infer the protocol from
+ the Route type referring to the backend Service. \n If a
+ Route is not able to send traffic to the backend using the
+ specified protocol then the backend is considered invalid.
+ Implementations MUST set the \"ResolvedRefs\" condition
+ to \"False\" with the \"UnsupportedProtocol\" reason. \n
+ \n Note that when the
+ BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here.
+ See the fields where this struct is used for more information
+ about the exact behavior."
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent. For example,
+ "gateway.networking.k8s.io". When unspecified or empty
+ string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: "Kind is the Kubernetes resource kind of
+ the referent. For example \"Service\". \n Defaults to
+ \"Service\" when not specified. \n ExternalName services
+ can refer to CNAME DNS records that may live outside
+ of the cluster and as such are difficult to reason about
+ in terms of conformance. They also may not be safe to
+ forward to (see CVE-2021-25740 for more information).
+ Implementations SHOULD NOT support ExternalName Services.
+ \n Support: Core (Services with a type other than ExternalName)
+ \n Support: Implementation-specific (Services with type
+ ExternalName)"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the backend.
+ When unspecified, the local namespace is inferred. \n
+ Note that when a namespace different than the local
+ namespace is specified, a ReferenceGrant object is required
+ in the referent namespace to allow that namespace's
+ owner to accept the reference. See the ReferenceGrant
+ documentation for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: Port specifies the destination port number
+ to use for this resource. Port is required when the
+ referent is a Kubernetes Service. In this case, the
+ port number is the service port number, not the target
+ port. For other resources, destination port might be
+ derived from the referent resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: "Weight specifies the proportion of requests
+ forwarded to the referenced backend. This is computed
+ as weight/(sum of all weights in this BackendRefs list).
+ For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision
+ an implementation supports. Weight is not a percentage
+ and the sum of weights does not need to equal 100. \n
+ If only one backend is specified and it has a weight
+ greater than 0, 100% of the traffic is forwarded to
+ that backend. If weight is set to 0, no traffic should
+ be forwarded for this entry. If unspecified, weight
+ defaults to 1. \n Support for this field varies based
+ on the context where used."
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ minItems: 1
+ type: array
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - rules
+ type: object
+ status:
+ description: Status defines the current state of UDPRoute.
+ properties:
+ parents:
+ description: "Parents is a list of parent resources (usually Gateways)
+ that are associated with the route, and the status of the route
+ with respect to each parent. When this route attaches to a parent,
+ the controller that manages the parent must add an entry to this
+ list when the controller first sees the route and should update
+ the entry as appropriate when the route or gateway is modified.
+ \n Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this
+ API can only populate Route status for the Gateways/parent resources
+ they are responsible for. \n A maximum of 32 Gateways will be represented
+ in this list. An empty list means the route has not been attached
+ to any Gateway."
+ items:
+ description: RouteParentStatus describes the status of a route with
+ respect to an associated Parent.
+ properties:
+ conditions:
+ description: "Conditions describes the status of the route with
+ respect to the Gateway. Note that the route's availability
+ is also subject to the Gateway's own status conditions and
+ listener status. \n If the Route's ParentRef specifies an
+ existing Gateway that supports Routes of this kind AND that
+ Gateway's controller has sufficient access, then that Gateway's
+ controller MUST set the \"Accepted\" condition on the Route,
+ to indicate whether the route has been accepted or rejected
+ by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+ if at least one of the Route's rules is implemented by the
+ Gateway. \n There are a number of cases where the \"Accepted\"
+ condition may not be set due to lack of controller visibility,
+ that includes when: \n * The Route refers to a non-existent
+ parent. * The Route is of a type that the controller does
+ not support. * The Route is in a namespace the controller
+ does not have access to."
+ items:
+ description: "Condition contains details for one aspect of
+ the current state of this API Resource. --- This struct
+ is intended for direct use as an array at the field path
+ .status.conditions. For example, \n type FooStatus struct{
+ // Represents the observations of a foo's current state.
+ // Known .status.conditions.type are: \"Available\", \"Progressing\",
+ and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+ }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should
+ be when the underlying condition changed. If that is
+ not known, then using the time when the API field changed
+ is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance,
+ if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the
+ current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier
+ indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected
+ values and meanings for this field, and whether the
+ values are considered a guaranteed API. The value should
+ be a CamelCase string. This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across
+ resources like Available, but because arbitrary conditions
+ can be useful (see .node.status.conditions), the ability
+ to deconflict is important. The regex it matches is
+ (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: "ControllerName is a domain/path string that indicates
+ the name of the controller that wrote this status. This corresponds
+ with the controllerName field on GatewayClass. \n Example:
+ \"example.net/gateway-controller\". \n The format of this
+ field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+ Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ \n Controllers MUST populate this field when writing status.
+ Controllers should ensure that entries to status populated
+ with their ControllerName are cleaned up when they are no
+ longer necessary."
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: ParentRef corresponds with a ParentRef in the spec
+ that this RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: "Group is the group of the referent. When unspecified,
+ \"gateway.networking.k8s.io\" is inferred. To set the
+ core API group (such as for a \"Service\" kind referent),
+ Group must be explicitly set to \"\" (empty string). \n
+ Support: Core"
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: "Kind is kind of the referent. \n There are
+ two kinds of parent resources with \"Core\" support: \n
+ * Gateway (Gateway conformance profile) * Service (Mesh
+ conformance profile, experimental, ClusterIP Services
+ only) \n Support for other resources is Implementation-Specific."
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: "Name is the name of the referent. \n Support:
+ Core"
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the referent.
+ When unspecified, this refers to the local namespace of
+ the Route. \n Note that there are specific rules for ParentRefs
+ which cross namespace boundaries. Cross-namespace references
+ are only valid if they are explicitly allowed by something
+ in the namespace they are referring to. For example: Gateway
+ has the AllowedRoutes field, and ReferenceGrant provides
+ a generic way to enable any other kind of cross-namespace
+ reference. \n ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes, which apply
+ default routing rules to inbound connections from any
+ namespace to the Service. \n ParentRefs from a Route to
+ a Service in a different namespace are \"consumer\" routes,
+ and these routing rules are only applied to outbound connections
+ originating from the same namespace as the Route, for
+ which the intended destination of the connections are
+ a Service targeted as a ParentRef of the Route. \n Support:
+ Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: "Port is the network port this Route targets.
+ It can be interpreted differently based on the type of
+ parent resource. \n When the parent resource is a Gateway,
+ this targets all listeners listening on the specified
+ port that also support this kind of Route(and select this
+ Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to
+ a specific port as opposed to a listener(s) whose port(s)
+ may be changed. When both Port and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. \n When the parent resource is
+ a Service, this targets a specific port in the Service
+ spec. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected port must
+ match both specified values. \n Implementations MAY choose
+ to support other parent resources. Implementations supporting
+ other types of parent resources MUST clearly document
+ how/if Port is interpreted. \n For the purpose of status,
+ an attachment is considered successful as long as the
+ parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them
+ by Route kind, namespace, or hostname. If 1 of 2 Gateway
+ listeners accept attachment from the referencing Route,
+ the Route MUST be considered successfully attached. If
+ no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Extended \n "
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: "SectionName is the name of a section within
+ the target resource. In the following resources, SectionName
+ is interpreted as the following: \n * Gateway: Listener
+ Name. When both Port (experimental) and SectionName are
+ specified, the name and port of the selected listener
+ must match both specified values. * Service: Port Name.
+ When both Port (experimental) and SectionName are specified,
+ the name and port of the selected listener must match
+ both specified values. Note that attaching Routes to Services
+ as Parents is part of experimental Mesh support and is
+ not supported for any other purpose. \n Implementations
+ MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName
+ is interpreted. \n When unspecified (empty string), this
+ will reference the entire resource. For the purpose of
+ status, an attachment is considered successful if at least
+ one section in the parent resource accepts it. For example,
+ Gateway listeners can restrict which Routes can attach
+ to them by Route kind, namespace, or hostname. If 1 of
+ 2 Gateway listeners accept attachment from the referencing
+ Route, the Route MUST be considered successfully attached.
+ If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+ \n Support: Core"
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/pkg/cmd/hgctl/manifests/istiobase/Chart.yaml b/pkg/cmd/hgctl/manifests/istiobase/Chart.yaml
new file mode 100644
index 0000000000..f5ed37d4d7
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+appVersion: 1.18.2
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.18.2
diff --git a/pkg/cmd/hgctl/manifests/istiobase/README.md b/pkg/cmd/hgctl/manifests/istiobase/README.md
new file mode 100644
index 0000000000..68bf667ac9
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/README.md
@@ -0,0 +1,21 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
diff --git a/pkg/cmd/hgctl/manifests/istiobase/crds/crd-all.gen.yaml b/pkg/cmd/hgctl/manifests/istiobase/crds/crd-all.gen.yaml
new file mode 100644
index 0000000000..7c2948565d
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/crds/crd-all.gen.yaml
@@ -0,0 +1,7199 @@
+# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: wasmplugins.extensions.istio.io
+spec:
+ group: extensions.istio.io
+ names:
+ categories:
+ - istio-io
+ - extensions-istio-io
+ kind: WasmPlugin
+ listKind: WasmPluginList
+ plural: wasmplugins
+ singular: wasmplugin
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Extend the functionality provided by the Istio proxy through
+ WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
+ properties:
+ imagePullPolicy:
+ enum:
+ - UNSPECIFIED_POLICY
+ - IfNotPresent
+ - Always
+ type: string
+ imagePullSecret:
+ description: Credentials to use for OCI image pulling.
+ type: string
+ match:
+ description: Specifies the criteria to determine which traffic is
+ passed to WasmPlugin.
+ items:
+ properties:
+ mode:
+ description: Criteria for selecting traffic by their direction.
+ enum:
+ - UNDEFINED
+ - CLIENT
+ - SERVER
+ - CLIENT_AND_SERVER
+ type: string
+ ports:
+ description: Criteria for selecting traffic by their destination
+ port.
+ items:
+ properties:
+ number:
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ phase:
+ description: Determines where in the filter chain this `WasmPlugin`
+ is to be injected.
+ enum:
+ - UNSPECIFIED_PHASE
+ - AUTHN
+ - AUTHZ
+ - STATS
+ type: string
+ pluginConfig:
+ description: The configuration that will be passed on to the plugin.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ pluginName:
+ type: string
+ priority:
+ description: Determines ordering of `WasmPlugins` in the same `phase`.
+ nullable: true
+ type: integer
+ selector:
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ sha256:
+ description: SHA256 checksum that will be used to verify Wasm module
+ or OCI container.
+ type: string
+ url:
+ description: URL of a Wasm module or OCI container.
+ type: string
+ verificationKey:
+ type: string
+ vmConfig:
+ description: Configuration for a Wasm VM.
+ properties:
+ env:
+ description: Specifies environment variables to be injected to
+ this VM.
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ description: Value for the environment variable.
+ type: string
+ valueFrom:
+ enum:
+ - INLINE
+ - HOST
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: destinationrules.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: DestinationRule
+ listKind: DestinationRuleList
+ plural: destinationrules
+ shortNames:
+ - dr
+ singular: destinationrule
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: The name of a service from the service registry
+ jsonPath: .spec.host
+ name: Host
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting load balancing, outlier detection,
+ etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+ properties:
+ exportTo:
+ description: A list of namespaces to which this destination rule is
+ exported.
+ items:
+ type: string
+ type: array
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ subsets:
+ items:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ name:
+ description: Name of the subset.
+ type: string
+ trafficPolicy:
+ description: Traffic policies that apply to this subset.
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should
+ be upgraded to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to
+ a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will
+ be preserved while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the
+ socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query
+ parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to
+ traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this
+ is DestinationRule-level and will override mesh
+ wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list
+ of labels used to sort endpoints to do priority
+ based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local
+ origin failures from external errors.
+ type: boolean
+ type: object
+ portLevelSettings:
+ description: Traffic policies specific to individual ports.
+ items:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection
+ should be upgraded to http2 for the associated
+ destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests
+ to a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream
+ connection pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per
+ connection to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol
+ will be preserved while initiating connection
+ to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and
+ TCP upstream connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP
+ connections to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE
+ on the socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between
+ keep-alive probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer
+ algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP
+ header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP
+ query parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev
+ hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend
+ hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/'
+ separated, e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities
+ to traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing,
+ this is DestinationRule-level and will override
+ mesh wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered
+ list of labels used to sort endpoints to
+ do priority based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of
+ Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a
+ host is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep
+ analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish
+ local origin failures from external errors.
+ type: boolean
+ type: object
+ port:
+ properties:
+ number:
+ type: integer
+ type: object
+ tls:
+ description: TLS related settings for connections
+ to the upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server
+ during TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ tls:
+ description: TLS related settings for connections to the
+ upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during
+ TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ tunnel:
+ properties:
+ protocol:
+ description: Specifies which protocol to use for tunneling
+ the downstream connection.
+ type: string
+ targetHost:
+ description: Specifies a host to which the downstream
+ connection is tunneled.
+ type: string
+ targetPort:
+ description: Specifies a port to which the downstream
+ connection is tunneled.
+ type: integer
+ type: object
+ type: object
+ type: object
+ type: array
+ trafficPolicy:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should be upgraded
+ to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will be preserved
+ while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the socket
+ to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements consistent
+ hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute, failover
+ or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to traffic
+ distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this is DestinationRule-level
+ and will override mesh wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute, failover
+ or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list of labels
+ used to sort endpoints to do priority based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local origin
+ failures from external errors.
+ type: boolean
+ type: object
+ portLevelSettings:
+ description: Traffic policies specific to individual ports.
+ items:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should
+ be upgraded to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to
+ a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will
+ be preserved while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the
+ socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query
+ parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to
+ traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this
+ is DestinationRule-level and will override mesh
+ wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list
+ of labels used to sort endpoints to do priority
+ based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local
+ origin failures from external errors.
+ type: boolean
+ type: object
+ port:
+ properties:
+ number:
+ type: integer
+ type: object
+ tls:
+ description: TLS related settings for connections to the
+ upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during
+ TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ tls:
+ description: TLS related settings for connections to the upstream
+ service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during TLS
+ handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ tunnel:
+ properties:
+ protocol:
+ description: Specifies which protocol to use for tunneling
+ the downstream connection.
+ type: string
+ targetHost:
+ description: Specifies a host to which the downstream connection
+ is tunneled.
+ type: string
+ targetPort:
+ description: Specifies a port to which the downstream connection
+ is tunneled.
+ type: integer
+ type: object
+ type: object
+ workloadSelector:
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: The name of a service from the service registry
+ jsonPath: .spec.host
+ name: Host
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting load balancing, outlier detection,
+ etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+ properties:
+ exportTo:
+ description: A list of namespaces to which this destination rule is
+ exported.
+ items:
+ type: string
+ type: array
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ subsets:
+ items:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ name:
+ description: Name of the subset.
+ type: string
+ trafficPolicy:
+ description: Traffic policies that apply to this subset.
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should
+ be upgraded to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to
+ a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will
+ be preserved while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the
+ socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query
+ parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to
+ traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this
+ is DestinationRule-level and will override mesh
+ wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list
+ of labels used to sort endpoints to do priority
+ based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local
+ origin failures from external errors.
+ type: boolean
+ type: object
+ portLevelSettings:
+ description: Traffic policies specific to individual ports.
+ items:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection
+ should be upgraded to http2 for the associated
+ destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests
+ to a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream
+ connection pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per
+ connection to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol
+ will be preserved while initiating connection
+ to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and
+ TCP upstream connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP
+ connections to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE
+ on the socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between
+ keep-alive probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer
+ algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP
+ header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP
+ query parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev
+ hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend
+ hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/'
+ separated, e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities
+ to traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing,
+ this is DestinationRule-level and will override
+ mesh wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered
+ list of labels used to sort endpoints to
+ do priority based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of
+ Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a
+ host is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep
+ analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish
+ local origin failures from external errors.
+ type: boolean
+ type: object
+ port:
+ properties:
+ number:
+ type: integer
+ type: object
+ tls:
+ description: TLS related settings for connections
+ to the upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server
+ during TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ tls:
+ description: TLS related settings for connections to the
+ upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during
+ TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ tunnel:
+ properties:
+ protocol:
+ description: Specifies which protocol to use for tunneling
+ the downstream connection.
+ type: string
+ targetHost:
+ description: Specifies a host to which the downstream
+ connection is tunneled.
+ type: string
+ targetPort:
+ description: Specifies a port to which the downstream
+ connection is tunneled.
+ type: integer
+ type: object
+ type: object
+ type: object
+ type: array
+ trafficPolicy:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should be upgraded
+ to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will be preserved
+ while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the socket
+ to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements consistent
+ hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute, failover
+ or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to traffic
+ distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this is DestinationRule-level
+ and will override mesh wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute, failover
+ or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list of labels
+ used to sort endpoints to do priority based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local origin
+ failures from external errors.
+ type: boolean
+ type: object
+ portLevelSettings:
+ description: Traffic policies specific to individual ports.
+ items:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should
+ be upgraded to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to
+ a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will
+ be preserved while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the
+ socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query
+ parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to
+ traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this
+ is DestinationRule-level and will override mesh
+ wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list
+ of labels used to sort endpoints to do priority
+ based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local
+ origin failures from external errors.
+ type: boolean
+ type: object
+ port:
+ properties:
+ number:
+ type: integer
+ type: object
+ tls:
+ description: TLS related settings for connections to the
+ upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during
+ TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ tls:
+ description: TLS related settings for connections to the upstream
+ service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during TLS
+ handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ tunnel:
+ properties:
+ protocol:
+ description: Specifies which protocol to use for tunneling
+ the downstream connection.
+ type: string
+ targetHost:
+ description: Specifies a host to which the downstream connection
+ is tunneled.
+ type: string
+ targetPort:
+ description: Specifies a port to which the downstream connection
+ is tunneled.
+ type: integer
+ type: object
+ type: object
+ workloadSelector:
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: envoyfilters.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: EnvoyFilter
+ listKind: EnvoyFilterList
+ plural: envoyfilters
+ singular: envoyfilter
+ scope: Namespaced
+ versions:
+ - name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Customizing Envoy configuration generated by Istio. See
+ more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
+ properties:
+ configPatches:
+ description: One or more patches with match conditions.
+ items:
+ properties:
+ applyTo:
+ enum:
+ - INVALID
+ - LISTENER
+ - FILTER_CHAIN
+ - NETWORK_FILTER
+ - HTTP_FILTER
+ - ROUTE_CONFIGURATION
+ - VIRTUAL_HOST
+ - HTTP_ROUTE
+ - CLUSTER
+ - EXTENSION_CONFIG
+ - BOOTSTRAP
+ - LISTENER_FILTER
+ type: string
+ match:
+ description: Match on listener/route configuration/cluster.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - listener
+ - required:
+ - routeConfiguration
+ - required:
+ - cluster
+ - required:
+ - listener
+ - required:
+ - routeConfiguration
+ - required:
+ - cluster
+ properties:
+ cluster:
+ description: Match on envoy cluster attributes.
+ properties:
+ name:
+ description: The exact name of the cluster to match.
+ type: string
+ portNumber:
+ description: The service port for which this cluster
+ was generated.
+ type: integer
+ service:
+ description: The fully qualified service name for this
+ cluster.
+ type: string
+ subset:
+ description: The subset associated with the service.
+ type: string
+ type: object
+ context:
+ description: The specific config generation context to match
+ on.
+ enum:
+ - ANY
+ - SIDECAR_INBOUND
+ - SIDECAR_OUTBOUND
+ - GATEWAY
+ type: string
+ listener:
+ description: Match on envoy listener attributes.
+ properties:
+ filterChain:
+ description: Match a specific filter chain in a listener.
+ properties:
+ applicationProtocols:
+ description: Applies only to sidecars.
+ type: string
+ destinationPort:
+ description: The destination_port value used by
+ a filter chain's match condition.
+ type: integer
+ filter:
+ description: The name of a specific filter to apply
+ the patch to.
+ properties:
+ name:
+ description: The filter name to match on.
+ type: string
+ subFilter:
+ properties:
+ name:
+ description: The filter name to match on.
+ type: string
+ type: object
+ type: object
+ name:
+ description: The name assigned to the filter chain.
+ type: string
+ sni:
+ description: The SNI value used by a filter chain's
+ match condition.
+ type: string
+ transportProtocol:
+ description: Applies only to `SIDECAR_INBOUND` context.
+ type: string
+ type: object
+ listenerFilter:
+ description: Match a specific listener filter.
+ type: string
+ name:
+ description: Match a specific listener by its name.
+ type: string
+ portName:
+ type: string
+ portNumber:
+ type: integer
+ type: object
+ proxy:
+ description: Match on properties associated with a proxy.
+ properties:
+ metadata:
+ additionalProperties:
+ type: string
+ type: object
+ proxyVersion:
+ type: string
+ type: object
+ routeConfiguration:
+ description: Match on envoy HTTP route configuration attributes.
+ properties:
+ gateway:
+ type: string
+ name:
+ description: Route configuration name to match on.
+ type: string
+ portName:
+ description: Applicable only for GATEWAY context.
+ type: string
+ portNumber:
+ type: integer
+ vhost:
+ properties:
+ name:
+ type: string
+ route:
+ description: Match a specific route within the virtual
+ host.
+ properties:
+ action:
+ description: Match a route with specific action
+ type.
+ enum:
+ - ANY
+ - ROUTE
+ - REDIRECT
+ - DIRECT_RESPONSE
+ type: string
+ name:
+ type: string
+ type: object
+ type: object
+ type: object
+ type: object
+ patch:
+ description: The patch to apply along with the operation.
+ properties:
+ filterClass:
+ description: Determines the filter insertion order.
+ enum:
+ - UNSPECIFIED
+ - AUTHN
+ - AUTHZ
+ - STATS
+ type: string
+ operation:
+ description: Determines how the patch should be applied.
+ enum:
+ - INVALID
+ - MERGE
+ - ADD
+ - REMOVE
+ - INSERT_BEFORE
+ - INSERT_AFTER
+ - INSERT_FIRST
+ - REPLACE
+ type: string
+ value:
+ description: The JSON config of the object being patched.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: array
+ priority:
+ description: Priority defines the order in which patch sets are applied
+ within a context.
+ format: int32
+ type: integer
+ workloadSelector:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: gateways.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: Gateway
+ listKind: GatewayList
+ plural: gateways
+ shortNames:
+ - gw
+ singular: gateway
+ scope: Namespaced
+ versions:
+ - name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting edge load balancer. See more details
+ at: https://istio.io/docs/reference/config/networking/gateway.html'
+ properties:
+ selector:
+ additionalProperties:
+ type: string
+ type: object
+ servers:
+ description: A list of server specifications.
+ items:
+ properties:
+ bind:
+ type: string
+ defaultEndpoint:
+ type: string
+ hosts:
+ description: One or more hosts exposed by this gateway.
+ items:
+ type: string
+ type: array
+ name:
+ description: An optional name of the server, when set must be
+ unique across all servers.
+ type: string
+ port:
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ tls:
+ description: Set of TLS related options that govern the server's
+ behavior.
+ properties:
+ caCertificates:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ cipherSuites:
+ description: 'Optional: If specified, only support the specified
+ cipher list.'
+ items:
+ type: string
+ type: array
+ credentialName:
+ type: string
+ httpsRedirect:
+ type: boolean
+ maxProtocolVersion:
+ description: 'Optional: Maximum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ minProtocolVersion:
+ description: 'Optional: Minimum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ mode:
+ enum:
+ - PASSTHROUGH
+ - SIMPLE
+ - MUTUAL
+ - AUTO_PASSTHROUGH
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ serverCertificate:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ verifyCertificateHash:
+ items:
+ type: string
+ type: array
+ verifyCertificateSpki:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting edge load balancer. See more details
+ at: https://istio.io/docs/reference/config/networking/gateway.html'
+ properties:
+ selector:
+ additionalProperties:
+ type: string
+ type: object
+ servers:
+ description: A list of server specifications.
+ items:
+ properties:
+ bind:
+ type: string
+ defaultEndpoint:
+ type: string
+ hosts:
+ description: One or more hosts exposed by this gateway.
+ items:
+ type: string
+ type: array
+ name:
+ description: An optional name of the server, when set must be
+ unique across all servers.
+ type: string
+ port:
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ tls:
+ description: Set of TLS related options that govern the server's
+ behavior.
+ properties:
+ caCertificates:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ cipherSuites:
+ description: 'Optional: If specified, only support the specified
+ cipher list.'
+ items:
+ type: string
+ type: array
+ credentialName:
+ type: string
+ httpsRedirect:
+ type: boolean
+ maxProtocolVersion:
+ description: 'Optional: Maximum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ minProtocolVersion:
+ description: 'Optional: Minimum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ mode:
+ enum:
+ - PASSTHROUGH
+ - SIMPLE
+ - MUTUAL
+ - AUTO_PASSTHROUGH
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ serverCertificate:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ verifyCertificateHash:
+ items:
+ type: string
+ type: array
+ verifyCertificateSpki:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: proxyconfigs.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: ProxyConfig
+ listKind: ProxyConfigList
+ plural: proxyconfigs
+ singular: proxyconfig
+ scope: Namespaced
+ versions:
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Provides configuration for individual workloads. See more
+ details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
+ properties:
+ concurrency:
+ description: The number of worker threads to run.
+ nullable: true
+ type: integer
+ environmentVariables:
+ additionalProperties:
+ type: string
+ description: Additional environment variables for the proxy.
+ type: object
+ image:
+ description: Specifies the details of the proxy image.
+ properties:
+ imageType:
+ description: The image type of the image.
+ type: string
+ type: object
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: serviceentries.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: ServiceEntry
+ listKind: ServiceEntryList
+ plural: serviceentries
+ shortNames:
+ - se
+ singular: serviceentry
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: The hosts associated with the ServiceEntry
+ jsonPath: .spec.hosts
+ name: Hosts
+ type: string
+ - description: Whether the service is external to the mesh or part of the mesh
+ (MESH_EXTERNAL or MESH_INTERNAL)
+ jsonPath: .spec.location
+ name: Location
+ type: string
+ - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+ jsonPath: .spec.resolution
+ name: Resolution
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting service registry. See more details
+ at: https://istio.io/docs/reference/config/networking/service-entry.html'
+ properties:
+ addresses:
+ description: The virtual IP addresses associated with the service.
+ items:
+ type: string
+ type: array
+ endpoints:
+ description: One or more endpoints associated with the service.
+ items:
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ type: array
+ exportTo:
+ description: A list of namespaces to which this service is exported.
+ items:
+ type: string
+ type: array
+ hosts:
+ description: The hosts associated with the ServiceEntry.
+ items:
+ type: string
+ type: array
+ location:
+ enum:
+ - MESH_EXTERNAL
+ - MESH_INTERNAL
+ type: string
+ ports:
+ description: The ports associated with the external service.
+ items:
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ type: array
+ resolution:
+ description: Service resolution mode for the hosts.
+ enum:
+ - NONE
+ - STATIC
+ - DNS
+ - DNS_ROUND_ROBIN
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ workloadSelector:
+ description: Applicable only for MESH_INTERNAL services.
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: The hosts associated with the ServiceEntry
+ jsonPath: .spec.hosts
+ name: Hosts
+ type: string
+ - description: Whether the service is external to the mesh or part of the mesh
+ (MESH_EXTERNAL or MESH_INTERNAL)
+ jsonPath: .spec.location
+ name: Location
+ type: string
+ - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+ jsonPath: .spec.resolution
+ name: Resolution
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting service registry. See more details
+ at: https://istio.io/docs/reference/config/networking/service-entry.html'
+ properties:
+ addresses:
+ description: The virtual IP addresses associated with the service.
+ items:
+ type: string
+ type: array
+ endpoints:
+ description: One or more endpoints associated with the service.
+ items:
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ type: array
+ exportTo:
+ description: A list of namespaces to which this service is exported.
+ items:
+ type: string
+ type: array
+ hosts:
+ description: The hosts associated with the ServiceEntry.
+ items:
+ type: string
+ type: array
+ location:
+ enum:
+ - MESH_EXTERNAL
+ - MESH_INTERNAL
+ type: string
+ ports:
+ description: The ports associated with the external service.
+ items:
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ type: array
+ resolution:
+ description: Service resolution mode for the hosts.
+ enum:
+ - NONE
+ - STATIC
+ - DNS
+ - DNS_ROUND_ROBIN
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ workloadSelector:
+ description: Applicable only for MESH_INTERNAL services.
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: sidecars.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: Sidecar
+ listKind: SidecarList
+ plural: sidecars
+ singular: sidecar
+ scope: Namespaced
+ versions:
+ - name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting network reachability of a sidecar.
+ See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+ properties:
+ egress:
+ items:
+ properties:
+ bind:
+ type: string
+ captureMode:
+ enum:
+ - DEFAULT
+ - IPTABLES
+ - NONE
+ type: string
+ hosts:
+ items:
+ type: string
+ type: array
+ port:
+ description: The port associated with the listener.
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ bind:
+ description: The IP(IPv4 or IPv6) to which the listener should
+ be bound.
+ type: string
+ captureMode:
+ enum:
+ - DEFAULT
+ - IPTABLES
+ - NONE
+ type: string
+ defaultEndpoint:
+ type: string
+ port:
+ description: The port associated with the listener.
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ tls:
+ properties:
+ caCertificates:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ cipherSuites:
+ description: 'Optional: If specified, only support the specified
+ cipher list.'
+ items:
+ type: string
+ type: array
+ credentialName:
+ type: string
+ httpsRedirect:
+ type: boolean
+ maxProtocolVersion:
+ description: 'Optional: Maximum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ minProtocolVersion:
+ description: 'Optional: Minimum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ mode:
+ enum:
+ - PASSTHROUGH
+ - SIMPLE
+ - MUTUAL
+ - AUTO_PASSTHROUGH
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ serverCertificate:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ verifyCertificateHash:
+ items:
+ type: string
+ type: array
+ verifyCertificateSpki:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ outboundTrafficPolicy:
+ description: Configuration for the outbound traffic policy.
+ properties:
+ egressProxy:
+ properties:
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ mode:
+ enum:
+ - REGISTRY_ONLY
+ - ALLOW_ANY
+ type: string
+ type: object
+ workloadSelector:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting network reachability of a sidecar.
+ See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+ properties:
+ egress:
+ items:
+ properties:
+ bind:
+ type: string
+ captureMode:
+ enum:
+ - DEFAULT
+ - IPTABLES
+ - NONE
+ type: string
+ hosts:
+ items:
+ type: string
+ type: array
+ port:
+ description: The port associated with the listener.
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ bind:
+ description: The IP(IPv4 or IPv6) to which the listener should
+ be bound.
+ type: string
+ captureMode:
+ enum:
+ - DEFAULT
+ - IPTABLES
+ - NONE
+ type: string
+ defaultEndpoint:
+ type: string
+ port:
+ description: The port associated with the listener.
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ tls:
+ properties:
+ caCertificates:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ cipherSuites:
+ description: 'Optional: If specified, only support the specified
+ cipher list.'
+ items:
+ type: string
+ type: array
+ credentialName:
+ type: string
+ httpsRedirect:
+ type: boolean
+ maxProtocolVersion:
+ description: 'Optional: Maximum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ minProtocolVersion:
+ description: 'Optional: Minimum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ mode:
+ enum:
+ - PASSTHROUGH
+ - SIMPLE
+ - MUTUAL
+ - AUTO_PASSTHROUGH
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ serverCertificate:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ verifyCertificateHash:
+ items:
+ type: string
+ type: array
+ verifyCertificateSpki:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ outboundTrafficPolicy:
+ description: Configuration for the outbound traffic policy.
+ properties:
+ egressProxy:
+ properties:
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ mode:
+ enum:
+ - REGISTRY_ONLY
+ - ALLOW_ANY
+ type: string
+ type: object
+ workloadSelector:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: virtualservices.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: VirtualService
+ listKind: VirtualServiceList
+ plural: virtualservices
+ shortNames:
+ - vs
+ singular: virtualservice
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: The names of gateways and sidecars that should apply these routes
+ jsonPath: .spec.gateways
+ name: Gateways
+ type: string
+ - description: The destination hosts to which traffic is being sent
+ jsonPath: .spec.hosts
+ name: Hosts
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting label/content routing, sni routing,
+ etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+ properties:
+ exportTo:
+ description: A list of namespaces to which this virtual service is
+ exported.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: The names of gateways and sidecars that should apply
+ these routes.
+ items:
+ type: string
+ type: array
+ hosts:
+ description: The destination hosts to which traffic is being sent.
+ items:
+ type: string
+ type: array
+ http:
+ description: An ordered list of route rules for HTTP traffic.
+ items:
+ properties:
+ corsPolicy:
+ description: Cross-Origin Resource Sharing policy (CORS).
+ properties:
+ allowCredentials:
+ nullable: true
+ type: boolean
+ allowHeaders:
+ items:
+ type: string
+ type: array
+ allowMethods:
+ description: List of HTTP methods allowed to access the
+ resource.
+ items:
+ type: string
+ type: array
+ allowOrigin:
+ description: The list of origins that are allowed to perform
+ CORS requests.
+ items:
+ type: string
+ type: array
+ allowOrigins:
+ description: String patterns that match allowed origins.
+ items:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ type: array
+ exposeHeaders:
+ items:
+ type: string
+ type: array
+ maxAge:
+ type: string
+ type: object
+ delegate:
+ properties:
+ name:
+ description: Name specifies the name of the delegate VirtualService.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace where the
+ delegate VirtualService resides.
+ type: string
+ type: object
+ directResponse:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ properties:
+ body:
+ description: Specifies the content of the response body.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - string
+ - required:
+ - bytes
+ - required:
+ - string
+ - required:
+ - bytes
+ properties:
+ bytes:
+ description: response body as base64 encoded bytes.
+ format: binary
+ type: string
+ string:
+ type: string
+ type: object
+ status:
+ description: Specifies the HTTP response status to be returned.
+ type: integer
+ type: object
+ fault:
+ description: Fault injection policy to apply on HTTP traffic
+ at the client side.
+ properties:
+ abort:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpStatus
+ - required:
+ - grpcStatus
+ - required:
+ - http2Error
+ - required:
+ - httpStatus
+ - required:
+ - grpcStatus
+ - required:
+ - http2Error
+ properties:
+ grpcStatus:
+ description: GRPC status code to use to abort the request.
+ type: string
+ http2Error:
+ type: string
+ httpStatus:
+ description: HTTP status code to use to abort the Http
+ request.
+ format: int32
+ type: integer
+ percentage:
+ description: Percentage of requests to be aborted with
+ the error code provided.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ type: object
+ delay:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - fixedDelay
+ - required:
+ - exponentialDelay
+ - required:
+ - fixedDelay
+ - required:
+ - exponentialDelay
+ properties:
+ exponentialDelay:
+ type: string
+ fixedDelay:
+ description: Add a fixed delay before forwarding the
+ request.
+ type: string
+ percent:
+ description: Percentage of requests on which the delay
+ will be injected (0-100).
+ format: int32
+ type: integer
+ percentage:
+ description: Percentage of requests on which the delay
+ will be injected.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ type: object
+ type: object
+ headers:
+ properties:
+ request:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ response:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ match:
+ items:
+ properties:
+ authority:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ headers:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ type: object
+ ignoreUriCase:
+ description: Flag to specify whether the URI matching
+ should be case-insensitive.
+ type: boolean
+ method:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ name:
+ description: The name assigned to a match.
+ type: string
+ port:
+ description: Specifies the ports on the host that is being
+ addressed.
+ type: integer
+ queryParams:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ description: Query parameters for matching.
+ type: object
+ scheme:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ statPrefix:
+ description: The human readable prefix to use when emitting
+ statistics for this route.
+ type: string
+ uri:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ withoutHeaders:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ description: withoutHeader has the same syntax with the
+ header, but has opposite meaning.
+ type: object
+ type: object
+ type: array
+ mirror:
+ properties:
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ mirror_percent:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ nullable: true
+ type: integer
+ mirrorPercent:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ nullable: true
+ type: integer
+ mirrorPercentage:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ name:
+ description: The name assigned to the route for debugging purposes.
+ type: string
+ redirect:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - port
+ - required:
+ - derivePort
+ - required:
+ - port
+ - required:
+ - derivePort
+ properties:
+ authority:
+ type: string
+ derivePort:
+ enum:
+ - FROM_PROTOCOL_DEFAULT
+ - FROM_REQUEST_PORT
+ type: string
+ port:
+ description: On a redirect, overwrite the port portion of
+ the URL with this value.
+ type: integer
+ redirectCode:
+ type: integer
+ scheme:
+ description: On a redirect, overwrite the scheme portion
+ of the URL with this value.
+ type: string
+ uri:
+ type: string
+ type: object
+ retries:
+ description: Retry policy for HTTP requests.
+ properties:
+ attempts:
+ description: Number of retries to be allowed for a given
+ request.
+ format: int32
+ type: integer
+ perTryTimeout:
+ description: Timeout per attempt for a given request, including
+ the initial call and any retries.
+ type: string
+ retryOn:
+ description: Specifies the conditions under which retry
+ takes place.
+ type: string
+ retryRemoteLocalities:
+ description: Flag to specify whether the retries should
+ retry to other localities.
+ nullable: true
+ type: boolean
+ type: object
+ rewrite:
+ description: Rewrite HTTP URIs and Authority headers.
+ properties:
+ authority:
+ description: rewrite the Authority/Host header with this
+ value.
+ type: string
+ uri:
+ type: string
+ type: object
+ route:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ headers:
+ properties:
+ request:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ response:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ timeout:
+ description: Timeout for HTTP requests, default is disabled.
+ type: string
+ type: object
+ type: array
+ tcp:
+ description: An ordered list of route rules for opaque TCP traffic.
+ items:
+ properties:
+ match:
+ items:
+ properties:
+ destinationSubnets:
+ description: IPv4 or IPv6 ip addresses of destination
+ with optional subnet.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ type: integer
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ sourceSubnet:
+ description: IPv4 or IPv6 ip address of source with optional
+ subnet.
+ type: string
+ type: object
+ type: array
+ route:
+ description: The destination to which the connection should
+ be forwarded to.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ tls:
+ items:
+ properties:
+ match:
+ items:
+ properties:
+ destinationSubnets:
+ description: IPv4 or IPv6 ip addresses of destination
+ with optional subnet.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ type: integer
+ sniHosts:
+ description: SNI (server name indicator) to match on.
+ items:
+ type: string
+ type: array
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ type: object
+ type: array
+ route:
+ description: The destination to which the connection should
+ be forwarded to.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: The names of gateways and sidecars that should apply these routes
+ jsonPath: .spec.gateways
+ name: Gateways
+ type: string
+ - description: The destination hosts to which traffic is being sent
+ jsonPath: .spec.hosts
+ name: Hosts
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting label/content routing, sni routing,
+ etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+ properties:
+ exportTo:
+ description: A list of namespaces to which this virtual service is
+ exported.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: The names of gateways and sidecars that should apply
+ these routes.
+ items:
+ type: string
+ type: array
+ hosts:
+ description: The destination hosts to which traffic is being sent.
+ items:
+ type: string
+ type: array
+ http:
+ description: An ordered list of route rules for HTTP traffic.
+ items:
+ properties:
+ corsPolicy:
+ description: Cross-Origin Resource Sharing policy (CORS).
+ properties:
+ allowCredentials:
+ nullable: true
+ type: boolean
+ allowHeaders:
+ items:
+ type: string
+ type: array
+ allowMethods:
+ description: List of HTTP methods allowed to access the
+ resource.
+ items:
+ type: string
+ type: array
+ allowOrigin:
+ description: The list of origins that are allowed to perform
+ CORS requests.
+ items:
+ type: string
+ type: array
+ allowOrigins:
+ description: String patterns that match allowed origins.
+ items:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ type: array
+ exposeHeaders:
+ items:
+ type: string
+ type: array
+ maxAge:
+ type: string
+ type: object
+ delegate:
+ properties:
+ name:
+ description: Name specifies the name of the delegate VirtualService.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace where the
+ delegate VirtualService resides.
+ type: string
+ type: object
+ directResponse:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ properties:
+ body:
+ description: Specifies the content of the response body.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - string
+ - required:
+ - bytes
+ - required:
+ - string
+ - required:
+ - bytes
+ properties:
+ bytes:
+ description: response body as base64 encoded bytes.
+ format: binary
+ type: string
+ string:
+ type: string
+ type: object
+ status:
+ description: Specifies the HTTP response status to be returned.
+ type: integer
+ type: object
+ fault:
+ description: Fault injection policy to apply on HTTP traffic
+ at the client side.
+ properties:
+ abort:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpStatus
+ - required:
+ - grpcStatus
+ - required:
+ - http2Error
+ - required:
+ - httpStatus
+ - required:
+ - grpcStatus
+ - required:
+ - http2Error
+ properties:
+ grpcStatus:
+ description: GRPC status code to use to abort the request.
+ type: string
+ http2Error:
+ type: string
+ httpStatus:
+ description: HTTP status code to use to abort the Http
+ request.
+ format: int32
+ type: integer
+ percentage:
+ description: Percentage of requests to be aborted with
+ the error code provided.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ type: object
+ delay:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - fixedDelay
+ - required:
+ - exponentialDelay
+ - required:
+ - fixedDelay
+ - required:
+ - exponentialDelay
+ properties:
+ exponentialDelay:
+ type: string
+ fixedDelay:
+ description: Add a fixed delay before forwarding the
+ request.
+ type: string
+ percent:
+ description: Percentage of requests on which the delay
+ will be injected (0-100).
+ format: int32
+ type: integer
+ percentage:
+ description: Percentage of requests on which the delay
+ will be injected.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ type: object
+ type: object
+ headers:
+ properties:
+ request:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ response:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ match:
+ items:
+ properties:
+ authority:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ headers:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ type: object
+ ignoreUriCase:
+ description: Flag to specify whether the URI matching
+ should be case-insensitive.
+ type: boolean
+ method:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ name:
+ description: The name assigned to a match.
+ type: string
+ port:
+ description: Specifies the ports on the host that is being
+ addressed.
+ type: integer
+ queryParams:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ description: Query parameters for matching.
+ type: object
+ scheme:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ statPrefix:
+ description: The human readable prefix to use when emitting
+ statistics for this route.
+ type: string
+ uri:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ withoutHeaders:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ description: withoutHeader has the same syntax with the
+ header, but has opposite meaning.
+ type: object
+ type: object
+ type: array
+ mirror:
+ properties:
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ mirror_percent:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ nullable: true
+ type: integer
+ mirrorPercent:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ nullable: true
+ type: integer
+ mirrorPercentage:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ name:
+ description: The name assigned to the route for debugging purposes.
+ type: string
+ redirect:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - port
+ - required:
+ - derivePort
+ - required:
+ - port
+ - required:
+ - derivePort
+ properties:
+ authority:
+ type: string
+ derivePort:
+ enum:
+ - FROM_PROTOCOL_DEFAULT
+ - FROM_REQUEST_PORT
+ type: string
+ port:
+ description: On a redirect, overwrite the port portion of
+ the URL with this value.
+ type: integer
+ redirectCode:
+ type: integer
+ scheme:
+ description: On a redirect, overwrite the scheme portion
+ of the URL with this value.
+ type: string
+ uri:
+ type: string
+ type: object
+ retries:
+ description: Retry policy for HTTP requests.
+ properties:
+ attempts:
+ description: Number of retries to be allowed for a given
+ request.
+ format: int32
+ type: integer
+ perTryTimeout:
+ description: Timeout per attempt for a given request, including
+ the initial call and any retries.
+ type: string
+ retryOn:
+ description: Specifies the conditions under which retry
+ takes place.
+ type: string
+ retryRemoteLocalities:
+ description: Flag to specify whether the retries should
+ retry to other localities.
+ nullable: true
+ type: boolean
+ type: object
+ rewrite:
+ description: Rewrite HTTP URIs and Authority headers.
+ properties:
+ authority:
+ description: rewrite the Authority/Host header with this
+ value.
+ type: string
+ uri:
+ type: string
+ type: object
+ route:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ headers:
+ properties:
+ request:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ response:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ timeout:
+ description: Timeout for HTTP requests, default is disabled.
+ type: string
+ type: object
+ type: array
+ tcp:
+ description: An ordered list of route rules for opaque TCP traffic.
+ items:
+ properties:
+ match:
+ items:
+ properties:
+ destinationSubnets:
+ description: IPv4 or IPv6 ip addresses of destination
+ with optional subnet.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ type: integer
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ sourceSubnet:
+ description: IPv4 or IPv6 ip address of source with optional
+ subnet.
+ type: string
+ type: object
+ type: array
+ route:
+ description: The destination to which the connection should
+ be forwarded to.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ tls:
+ items:
+ properties:
+ match:
+ items:
+ properties:
+ destinationSubnets:
+ description: IPv4 or IPv6 ip addresses of destination
+ with optional subnet.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ type: integer
+ sniHosts:
+ description: SNI (server name indicator) to match on.
+ items:
+ type: string
+ type: array
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ type: object
+ type: array
+ route:
+ description: The destination to which the connection should
+ be forwarded to.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: workloadentries.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: WorkloadEntry
+ listKind: WorkloadEntryList
+ plural: workloadentries
+ shortNames:
+ - we
+ singular: workloadentry
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: Address associated with the network endpoint.
+ jsonPath: .spec.address
+ name: Address
+ type: string
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting VMs onboarded into the mesh. See
+ more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: Address associated with the network endpoint.
+ jsonPath: .spec.address
+ name: Address
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting VMs onboarded into the mesh. See
+ more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: workloadgroups.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: WorkloadGroup
+ listKind: WorkloadGroupList
+ plural: workloadgroups
+ shortNames:
+ - wg
+ singular: workloadgroup
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Describes a collection of workload instances. See more details
+ at: https://istio.io/docs/reference/config/networking/workload-group.html'
+ properties:
+ metadata:
+ description: Metadata that will be used for all corresponding `WorkloadEntries`.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ probe:
+ description: '`ReadinessProbe` describes the configuration the user
+ must provide for healthchecking on their workload.'
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpGet
+ - required:
+ - tcpSocket
+ - required:
+ - exec
+ - required:
+ - httpGet
+ - required:
+ - tcpSocket
+ - required:
+ - exec
+ properties:
+ exec:
+ description: Health is determined by how the command that is executed
+ exited.
+ properties:
+ command:
+ description: Command to run.
+ items:
+ type: string
+ type: array
+ type: object
+ failureThreshold:
+ description: Minimum consecutive failures for the probe to be
+ considered failed after having succeeded.
+ format: int32
+ type: integer
+ httpGet:
+ properties:
+ host:
+ description: Host name to connect to, defaults to the pod
+ IP.
+ type: string
+ httpHeaders:
+ description: Headers the proxy will pass on to make the request.
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ type: object
+ type: array
+ path:
+ description: Path to access on the HTTP server.
+ type: string
+ port:
+ description: Port on which the endpoint lives.
+ type: integer
+ scheme:
+ type: string
+ type: object
+ initialDelaySeconds:
+ description: Number of seconds after the container has started
+ before readiness probes are initiated.
+ format: int32
+ type: integer
+ periodSeconds:
+ description: How often (in seconds) to perform the probe.
+ format: int32
+ type: integer
+ successThreshold:
+ description: Minimum consecutive successes for the probe to be
+ considered successful after having failed.
+ format: int32
+ type: integer
+ tcpSocket:
+ description: Health is determined by if the proxy is able to connect.
+ properties:
+ host:
+ type: string
+ port:
+ type: integer
+ type: object
+ timeoutSeconds:
+ description: Number of seconds after which the probe times out.
+ format: int32
+ type: integer
+ type: object
+ template:
+ description: Template to be used for the generation of `WorkloadEntry`
+ resources that belong to this `WorkloadGroup`.
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ metadata:
+ description: Metadata that will be used for all corresponding `WorkloadEntries`.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ probe:
+ description: '`ReadinessProbe` describes the configuration the user
+ must provide for healthchecking on their workload.'
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpGet
+ - required:
+ - tcpSocket
+ - required:
+ - exec
+ - required:
+ - httpGet
+ - required:
+ - tcpSocket
+ - required:
+ - exec
+ properties:
+ exec:
+ description: Health is determined by how the command that is executed
+ exited.
+ properties:
+ command:
+ description: Command to run.
+ items:
+ type: string
+ type: array
+ type: object
+ failureThreshold:
+ description: Minimum consecutive failures for the probe to be
+ considered failed after having succeeded.
+ format: int32
+ type: integer
+ httpGet:
+ properties:
+ host:
+ description: Host name to connect to, defaults to the pod
+ IP.
+ type: string
+ httpHeaders:
+ description: Headers the proxy will pass on to make the request.
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ type: object
+ type: array
+ path:
+ description: Path to access on the HTTP server.
+ type: string
+ port:
+ description: Port on which the endpoint lives.
+ type: integer
+ scheme:
+ type: string
+ type: object
+ initialDelaySeconds:
+ description: Number of seconds after the container has started
+ before readiness probes are initiated.
+ format: int32
+ type: integer
+ periodSeconds:
+ description: How often (in seconds) to perform the probe.
+ format: int32
+ type: integer
+ successThreshold:
+ description: Minimum consecutive successes for the probe to be
+ considered successful after having failed.
+ format: int32
+ type: integer
+ tcpSocket:
+ description: Health is determined by if the proxy is able to connect.
+ properties:
+ host:
+ type: string
+ port:
+ type: integer
+ type: object
+ timeoutSeconds:
+ description: Number of seconds after which the probe times out.
+ format: int32
+ type: integer
+ type: object
+ template:
+ description: Template to be used for the generation of `WorkloadEntry`
+ resources that belong to this `WorkloadGroup`.
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ istio: security
+ release: istio
+ name: authorizationpolicies.security.istio.io
+spec:
+ group: security.istio.io
+ names:
+ categories:
+ - istio-io
+ - security-istio-io
+ kind: AuthorizationPolicy
+ listKind: AuthorizationPolicyList
+ plural: authorizationpolicies
+ singular: authorizationpolicy
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration for access control on workloads. See more
+ details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - provider
+ - required:
+ - provider
+ properties:
+ action:
+ description: Optional.
+ enum:
+ - ALLOW
+ - DENY
+ - AUDIT
+ - CUSTOM
+ type: string
+ provider:
+ description: Specifies detailed configuration of the CUSTOM action.
+ properties:
+ name:
+ description: Specifies the name of the extension provider.
+ type: string
+ type: object
+ rules:
+ description: Optional.
+ items:
+ properties:
+ from:
+ description: Optional.
+ items:
+ properties:
+ source:
+ description: Source specifies the source of a request.
+ properties:
+ ipBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ namespaces:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notNamespaces:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notRemoteIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notRequestPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ principals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ remoteIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ requestPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ to:
+ description: Optional.
+ items:
+ properties:
+ operation:
+ description: Operation specifies the operation of a request.
+ properties:
+ hosts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ methods:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notHosts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notMethods:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPaths:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ paths:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ ports:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ when:
+ description: Optional.
+ items:
+ properties:
+ key:
+ description: The name of an Istio attribute.
+ type: string
+ notValues:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ values:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration for access control on workloads. See more
+ details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - provider
+ - required:
+ - provider
+ properties:
+ action:
+ description: Optional.
+ enum:
+ - ALLOW
+ - DENY
+ - AUDIT
+ - CUSTOM
+ type: string
+ provider:
+ description: Specifies detailed configuration of the CUSTOM action.
+ properties:
+ name:
+ description: Specifies the name of the extension provider.
+ type: string
+ type: object
+ rules:
+ description: Optional.
+ items:
+ properties:
+ from:
+ description: Optional.
+ items:
+ properties:
+ source:
+ description: Source specifies the source of a request.
+ properties:
+ ipBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ namespaces:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notNamespaces:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notRemoteIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notRequestPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ principals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ remoteIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ requestPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ to:
+ description: Optional.
+ items:
+ properties:
+ operation:
+ description: Operation specifies the operation of a request.
+ properties:
+ hosts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ methods:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notHosts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notMethods:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPaths:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ paths:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ ports:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ when:
+ description: Optional.
+ items:
+ properties:
+ key:
+ description: The name of an Istio attribute.
+ type: string
+ notValues:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ values:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ istio: security
+ release: istio
+ name: peerauthentications.security.istio.io
+spec:
+ group: security.istio.io
+ names:
+ categories:
+ - istio-io
+ - security-istio-io
+ kind: PeerAuthentication
+ listKind: PeerAuthenticationList
+ plural: peerauthentications
+ shortNames:
+ - pa
+ singular: peerauthentication
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Defines the mTLS mode used for peer authentication.
+ jsonPath: .spec.mtls.mode
+ name: Mode
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: PeerAuthentication defines how traffic will be tunneled (or
+ not) to the sidecar.
+ properties:
+ mtls:
+ description: Mutual TLS settings for workload.
+ properties:
+ mode:
+ description: Defines the mTLS mode used for peer authentication.
+ enum:
+ - UNSET
+ - DISABLE
+ - PERMISSIVE
+ - STRICT
+ type: string
+ type: object
+ portLevelMtls:
+ additionalProperties:
+ properties:
+ mode:
+ description: Defines the mTLS mode used for peer authentication.
+ enum:
+ - UNSET
+ - DISABLE
+ - PERMISSIVE
+ - STRICT
+ type: string
+ type: object
+ description: Port specific mutual TLS settings.
+ type: object
+ selector:
+ description: The selector determines the workloads to apply the ChannelAuthentication
+ on.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ istio: security
+ release: istio
+ name: requestauthentications.security.istio.io
+spec:
+ group: security.istio.io
+ names:
+ categories:
+ - istio-io
+ - security-istio-io
+ kind: RequestAuthentication
+ listKind: RequestAuthenticationList
+ plural: requestauthentications
+ shortNames:
+ - ra
+ singular: requestauthentication
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: RequestAuthentication defines what request authentication
+ methods are supported by a workload.
+ properties:
+ jwtRules:
+ description: Define the list of JWTs that can be validated at the
+ selected workloads' proxy.
+ items:
+ properties:
+ audiences:
+ items:
+ type: string
+ type: array
+ forwardOriginalToken:
+ description: If set to true, the original token will be kept
+ for the upstream request.
+ type: boolean
+ fromHeaders:
+ description: List of header locations from which JWT is expected.
+ items:
+ properties:
+ name:
+ description: The HTTP header name.
+ type: string
+ prefix:
+ description: The prefix that should be stripped before
+ decoding the token.
+ type: string
+ type: object
+ type: array
+ fromParams:
+ description: List of query parameters from which JWT is expected.
+ items:
+ type: string
+ type: array
+ issuer:
+ description: Identifies the issuer that issued the JWT.
+ type: string
+ jwks:
+ description: JSON Web Key Set of public keys to validate signature
+ of the JWT.
+ type: string
+ jwks_uri:
+ type: string
+ jwksUri:
+ type: string
+ outputClaimToHeaders:
+ description: This field specifies a list of operations to copy
+ the claim to HTTP headers on a successfully verified token.
+ items:
+ properties:
+ claim:
+ description: The name of the claim to be copied from.
+ type: string
+ header:
+ description: The name of the header to be created.
+ type: string
+ type: object
+ type: array
+ outputPayloadToHeader:
+ type: string
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: RequestAuthentication defines what request authentication
+ methods are supported by a workload.
+ properties:
+ jwtRules:
+ description: Define the list of JWTs that can be validated at the
+ selected workloads' proxy.
+ items:
+ properties:
+ audiences:
+ items:
+ type: string
+ type: array
+ forwardOriginalToken:
+ description: If set to true, the original token will be kept
+ for the upstream request.
+ type: boolean
+ fromHeaders:
+ description: List of header locations from which JWT is expected.
+ items:
+ properties:
+ name:
+ description: The HTTP header name.
+ type: string
+ prefix:
+ description: The prefix that should be stripped before
+ decoding the token.
+ type: string
+ type: object
+ type: array
+ fromParams:
+ description: List of query parameters from which JWT is expected.
+ items:
+ type: string
+ type: array
+ issuer:
+ description: Identifies the issuer that issued the JWT.
+ type: string
+ jwks:
+ description: JSON Web Key Set of public keys to validate signature
+ of the JWT.
+ type: string
+ jwks_uri:
+ type: string
+ jwksUri:
+ type: string
+ outputClaimToHeaders:
+ description: This field specifies a list of operations to copy
+ the claim to HTTP headers on a successfully verified token.
+ items:
+ properties:
+ claim:
+ description: The name of the claim to be copied from.
+ type: string
+ header:
+ description: The name of the header to be created.
+ type: string
+ type: object
+ type: array
+ outputPayloadToHeader:
+ type: string
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ istio: telemetry
+ release: istio
+ name: telemetries.telemetry.istio.io
+spec:
+ group: telemetry.istio.io
+ names:
+ categories:
+ - istio-io
+ - telemetry-istio-io
+ kind: Telemetry
+ listKind: TelemetryList
+ plural: telemetries
+ shortNames:
+ - telemetry
+ singular: telemetry
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Telemetry configuration for workloads. See more details
+ at: https://istio.io/docs/reference/config/telemetry.html'
+ properties:
+ accessLogging:
+ description: Optional.
+ items:
+ properties:
+ disabled:
+ description: Controls logging.
+ nullable: true
+ type: boolean
+ filter:
+ description: Optional.
+ properties:
+ expression:
+ description: CEL expression for selecting when requests/connections
+ should be logged.
+ type: string
+ type: object
+ match:
+ description: Allows tailoring of logging behavior to specific
+ conditions.
+ properties:
+ mode:
+ enum:
+ - CLIENT_AND_SERVER
+ - CLIENT
+ - SERVER
+ type: string
+ type: object
+ providers:
+ description: Optional.
+ items:
+ properties:
+ name:
+ description: Required.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
+ metrics:
+ description: Optional.
+ items:
+ properties:
+ overrides:
+ description: Optional.
+ items:
+ properties:
+ disabled:
+ description: Optional.
+ nullable: true
+ type: boolean
+ match:
+ description: Match allows provides the scope of the override.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - metric
+ - required:
+ - customMetric
+ - required:
+ - metric
+ - required:
+ - customMetric
+ properties:
+ customMetric:
+ description: Allows free-form specification of a metric.
+ type: string
+ metric:
+ description: One of the well-known Istio Standard
+ Metrics.
+ enum:
+ - ALL_METRICS
+ - REQUEST_COUNT
+ - REQUEST_DURATION
+ - REQUEST_SIZE
+ - RESPONSE_SIZE
+ - TCP_OPENED_CONNECTIONS
+ - TCP_CLOSED_CONNECTIONS
+ - TCP_SENT_BYTES
+ - TCP_RECEIVED_BYTES
+ - GRPC_REQUEST_MESSAGES
+ - GRPC_RESPONSE_MESSAGES
+ type: string
+ mode:
+ enum:
+ - CLIENT_AND_SERVER
+ - CLIENT
+ - SERVER
+ type: string
+ type: object
+ tagOverrides:
+ additionalProperties:
+ properties:
+ operation:
+ description: Operation controls whether or not to
+ update/add a tag, or to remove it.
+ enum:
+ - UPSERT
+ - REMOVE
+ type: string
+ value:
+ description: Value is only considered if the operation
+ is `UPSERT`.
+ type: string
+ type: object
+ description: Optional.
+ type: object
+ type: object
+ type: array
+ providers:
+ description: Optional.
+ items:
+ properties:
+ name:
+ description: Required.
+ type: string
+ type: object
+ type: array
+ reportingInterval:
+ description: Optional.
+ type: string
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ tracing:
+ description: Optional.
+ items:
+ properties:
+ customTags:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - literal
+ - required:
+ - environment
+ - required:
+ - header
+ - required:
+ - literal
+ - required:
+ - environment
+ - required:
+ - header
+ properties:
+ environment:
+ description: Environment adds the value of an environment
+ variable to each span.
+ properties:
+ defaultValue:
+ description: Optional.
+ type: string
+ name:
+ description: Name of the environment variable from
+ which to extract the tag value.
+ type: string
+ type: object
+ header:
+ properties:
+ defaultValue:
+ description: Optional.
+ type: string
+ name:
+ description: Name of the header from which to extract
+ the tag value.
+ type: string
+ type: object
+ literal:
+ description: Literal adds the same, hard-coded value to
+ each span.
+ properties:
+ value:
+ description: The tag value to use.
+ type: string
+ type: object
+ type: object
+ description: Optional.
+ type: object
+ disableSpanReporting:
+ description: Controls span reporting.
+ nullable: true
+ type: boolean
+ match:
+ description: Allows tailoring of behavior to specific conditions.
+ properties:
+ mode:
+ enum:
+ - CLIENT_AND_SERVER
+ - CLIENT
+ - SERVER
+ type: string
+ type: object
+ providers:
+ description: Optional.
+ items:
+ properties:
+ name:
+ description: Required.
+ type: string
+ type: object
+ type: array
+ randomSamplingPercentage:
+ nullable: true
+ type: number
+ useRequestIdForTraceSampling:
+ nullable: true
+ type: boolean
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
diff --git a/pkg/cmd/hgctl/manifests/istiobase/crds/crd-operator.yaml b/pkg/cmd/hgctl/manifests/istiobase/crds/crd-operator.yaml
new file mode 100644
index 0000000000..2a80f41866
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/crds/crd-operator.yaml
@@ -0,0 +1,48 @@
+# SYNC WITH manifests/charts/istio-operator/templates
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ conversion:
+ strategy: None
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ listKind: IstioOperatorList
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ - io
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ name: Status
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ served: true
+ storage: true
+---
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/NOTES.txt b/pkg/cmd/hgctl/manifests/istiobase/templates/NOTES.txt
new file mode 100644
index 0000000000..006450167a
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+ $ helm status {{ .Release.Name }}
+ $ helm get all {{ .Release.Name }}
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/clusterrole.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/clusterrole.yaml
new file mode 100644
index 0000000000..e0cbea8fe3
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/clusterrole.yaml
@@ -0,0 +1,181 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["update"]
+ # TODO: should be on just */status but wildcard is not supported
+ resources: ["*"]
+{{- end }}
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+ # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+{{- end}}
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs: ["approve"]
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ verbs: ["update"]
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["gatewayclasses"]
+ verbs: ["create", "update", "patch", "delete"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list", "create", "delete"]
+
+ # Used for MCS serviceimport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceimports"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceimports"]
+ verbs: ["get", "watch", "list"]
+{{- if or .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
+---
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/clusterrolebinding.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..d61729b291
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/clusterrolebinding.yaml
@@ -0,0 +1,37 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-{{ .Values.global.istioNamespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-{{ .Values.global.istioNamespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+---
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/crds.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/crds.yaml
new file mode 100644
index 0000000000..871ee2a6b4
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/crds.yaml
@@ -0,0 +1,4 @@
+{{- if .Values.base.enableCRDTemplates }}
+{{ .Files.Get "crds/crd-all.gen.yaml" }}
+{{ .Files.Get "crds/crd-operator.yaml" }}
+{{- end }}
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/default.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/default.yaml
new file mode 100644
index 0000000000..f7950de2bc
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/default.yaml
@@ -0,0 +1,48 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istiod-default-validator
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.defaultRevision }}
+webhooks:
+ - name: validation.istio.io
+ clientConfig:
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ {{- if (eq .Values.defaultRevision "default") }}
+ name: istiod
+ {{- else }}
+ name: istiod-{{ .Values.defaultRevision }}
+ {{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ {{- if .Values.base.validateGateway }}
+ - gateway.networking.k8s.io
+ {{- end }}
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/endpoints.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/endpoints.yaml
new file mode 100644
index 0000000000..2675b47a15
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/endpoints.yaml
@@ -0,0 +1,23 @@
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+# if the remotePilotAddress is an IP addr
+apiVersion: v1
+kind: Endpoints
+metadata:
+ {{- if .Values.pilot.enabled }}
+ name: istiod-remote
+ {{- else }}
+ name: istiod
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+ - ip: {{ .Values.global.remotePilotAddress }}
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ - port: 15017
+ name: tcp-webhook
+ protocol: TCP
+---
+{{- end }}
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/reader-serviceaccount.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..d9ce18c27e
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/reader-serviceaccount.yaml
@@ -0,0 +1,16 @@
+# This service account aggregates reader permissions for the revisions in a given cluster
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/role.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/role.yaml
new file mode 100644
index 0000000000..ca1a4243f0
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/role.yaml
@@ -0,0 +1,25 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/rolebinding.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/rolebinding.yaml
new file mode 100644
index 0000000000..2b591fb891
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod-{{ .Values.global.istioNamespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/serviceaccount.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ec25fd250b
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/serviceaccount.yaml
@@ -0,0 +1,19 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
diff --git a/pkg/cmd/hgctl/manifests/istiobase/templates/services.yaml b/pkg/cmd/hgctl/manifests/istiobase/templates/services.yaml
new file mode 100644
index 0000000000..2bc55e669b
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/templates/services.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Service
+metadata:
+ {{- if .Values.pilot.enabled }}
+ # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
+ name: istiod-remote
+ {{- else }}
+ # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
+ name: istiod
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ - port: 443
+ targetPort: 15017
+ name: tcp-webhook
+ protocol: TCP
+ {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
+ # if the remotePilotAddress is not an IP addr, we use ExternalName
+ type: ExternalName
+ externalName: {{ .Values.global.remotePilotAddress }}
+ {{- end }}
+---
+{{- end }}
diff --git a/pkg/cmd/hgctl/manifests/istiobase/values.yaml b/pkg/cmd/hgctl/manifests/istiobase/values.yaml
new file mode 100644
index 0000000000..96a74562e1
--- /dev/null
+++ b/pkg/cmd/hgctl/manifests/istiobase/values.yaml
@@ -0,0 +1,29 @@
+global:
+
+ # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+
+ # Used to locate istiod.
+ istioNamespace: istio-system
+
+ istiod:
+ enableAnalysis: false
+
+ configValidation: true
+ externalIstiod: false
+ remotePilotAddress: ""
+
+base:
+ # Used for helm2 to add the CRDs to templates.
+ enableCRDTemplates: false
+
+ # Validation webhook configuration url
+ # For example: https://$remotePilotAddress:15017/validate
+ validationURL: ""
+
+ # For istioctl usage to disable istio config crds in base
+ enableIstioConfigCRDs: true
+
+defaultRevision: "default"
diff --git a/pkg/cmd/hgctl/manifests/manifest.go b/pkg/cmd/hgctl/manifests/manifest.go
index 2549515f81..6fb65d5bfa 100644
--- a/pkg/cmd/hgctl/manifests/manifest.go
+++ b/pkg/cmd/hgctl/manifests/manifest.go
@@ -23,6 +23,8 @@ import (
// FS embeds the manifests
//
//go:embed profiles/*
+//go:embed gatewayapi/*
+//go:embed istiobase/*
var FS embed.FS
// BuiltinOrDir returns a FS for the provided directory. If no directory is passed, the compiled in
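Review bot: `//go:embed istiobase/*` matches the `templates/` and `crds/` directories and walks them, and Go's embed walk skips entries whose names begin with `_` or `.` inside a matched directory, so a future `templates/_helpers.tpl` (common in istio charts, though none ships in this commit) would be silently absent from the binary and only fail at render time; `//go:embed all:istiobase/*` includes such files. The doc comment above the variable could also say what is now embedded, e.g. `// FS embeds the hgctl manifests: install profiles, the Gateway API CRD manifest and the vendored istio base chart.`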
diff --git a/pkg/cmd/hgctl/manifests/profiles/_all.yaml b/pkg/cmd/hgctl/manifests/profiles/_all.yaml
index 153c319a0b..a32bd56360 100644
--- a/pkg/cmd/hgctl/manifests/profiles/_all.yaml
+++ b/pkg/cmd/hgctl/manifests/profiles/_all.yaml
@@ -11,28 +11,18 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-profile: kind
+profile: all
global:
- install: local # install mode k8s/local/docker
+ install: k8s # install mode k8s/local-k8s/local-docker/local
ingressClass: higress
- watchNamespace:
- disableAlpnH2: true
- enableStatus: true
enableIstioAPI: true
+ enableGatewayAPI: false
namespace: higress-system
- istioNamespace: istio-system
console:
port: 8080
replicas: 1
- serviceType: ClusterIP
- domain: console.higress.io
- tlsSecretName:
- webLoginPrompt:
adminPasswordValue: admin
- adminPasswordLength: 8
- o11yEnabled: false
- pvcRwxSupported: true
gateway:
replicas: 1
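Review bot: `enableGatewayAPI: false` is added without saying what turning it on does; from the diffstat it presumably installs the embedded `gatewayapi/experimental-install.yaml` (experimental-channel, cluster-scoped CRDs) through the new gateway_api.go installer, which is worth stating next to the flag, e.g. `enableGatewayAPI: false # true installs the embedded Gateway API experimental-channel CRDs (cluster-wide)`. The same applies to the k8s.yaml and local-k8s.yaml hunks, where local-k8s enables it by default.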
@@ -59,10 +49,6 @@ charts:
url: https://higress.io/helm-charts
name: higress
version: latest
- istio:
- url: https://istio-release.storage.googleapis.com/charts
- name: base
- version: 1.18.2
standalone:
url: https://higress.io/standalone/get-higress.sh
name: standalone
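Review bot: Dropping the `charts.istio` entry removes the only place the profile recorded which istio base version (1.18.2) gets installed; the version now lives only in the embedded istiobase/Chart.yaml, which a user reading the profile cannot see. A one-line comment under `charts:` keeps the provenance discoverable, e.g. `# istio base (CRDs/RBAC) is installed from the chart embedded at manifests/istiobase; its version is pinned in that chart's Chart.yaml`. The same removal appears in the k8s.yaml, local-docker.yaml and local-k8s.yaml hunks.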
diff --git a/pkg/cmd/hgctl/manifests/profiles/k8s.yaml b/pkg/cmd/hgctl/manifests/profiles/k8s.yaml
index eeec5cd259..b5b32e2a4f 100644
--- a/pkg/cmd/hgctl/manifests/profiles/k8s.yaml
+++ b/pkg/cmd/hgctl/manifests/profiles/k8s.yaml
@@ -15,23 +15,13 @@ profile: k8s
global:
install: k8s # install mode k8s/local-k8s/local-docker/local
ingressClass: higress
- watchNamespace:
- disableAlpnH2: true
- enableStatus: true
enableIstioAPI: false
+ enableGatewayAPI: false
namespace: higress-system
- istioNamespace: istio-system
console:
replicas: 1
- serviceType: ClusterIP
- domain: console.higress.io
- tlsSecretName:
- webLoginPrompt:
adminPasswordValue: admin
- adminPasswordLength: 8
- o11yEnabled: false
- pvcRwxSupported: true
gateway:
replicas: 2
@@ -47,10 +37,6 @@ charts:
url: https://higress.io/helm-charts
name: higress
version: latest
- istio:
- url: https://istio-release.storage.googleapis.com/charts
- name: base
- version: 1.18.2
standalone:
url: https://higress.io/standalone/get-higress.sh
name: standalone
diff --git a/pkg/cmd/hgctl/manifests/profiles/local-docker.yaml b/pkg/cmd/hgctl/manifests/profiles/local-docker.yaml
index 69d33cccb8..f21e765145 100644
--- a/pkg/cmd/hgctl/manifests/profiles/local-docker.yaml
+++ b/pkg/cmd/hgctl/manifests/profiles/local-docker.yaml
@@ -38,10 +38,6 @@ charts:
url: https://higress.io/helm-charts
name: higress
version: latest
- istio:
- url: https://istio-release.storage.googleapis.com/charts
- name: base
- version: 1.18.2
standalone:
url: https://higress.io/standalone/get-higress.sh
name: standalone
diff --git a/pkg/cmd/hgctl/manifests/profiles/local-k8s.yaml b/pkg/cmd/hgctl/manifests/profiles/local-k8s.yaml
index f82730ee3b..54c43b4f05 100644
--- a/pkg/cmd/hgctl/manifests/profiles/local-k8s.yaml
+++ b/pkg/cmd/hgctl/manifests/profiles/local-k8s.yaml
@@ -15,23 +15,13 @@ profile: local-k8s
global:
install: local-k8s # install mode k8s/local-k8s/local-docker/local
ingressClass: higress
- watchNamespace:
- disableAlpnH2: true
- enableStatus: true
enableIstioAPI: true
+ enableGatewayAPI: true
namespace: higress-system
- istioNamespace: istio-system
console:
replicas: 1
- serviceType: ClusterIP
- domain: console.higress.io
- tlsSecretName:
- webLoginPrompt:
adminPasswordValue: admin
- adminPasswordLength: 8
- o11yEnabled: true
- pvcRwxSupported: true
gateway:
replicas: 1
@@ -47,10 +37,6 @@ charts:
url: https://higress.io/helm-charts
name: higress
version: latest
- istio:
- url: https://istio-release.storage.googleapis.com/charts
- name: base
- version: 1.18.2
standalone:
url: https://higress.io/standalone/get-higress.sh
name: standalone